Delegate Distribution Group Membership Management To End Users

For IT administrators in large organizations where there is a huge number of distribution groups, adding and removing members frequently can be a real headache. One way of making this easier is by delegating management to a responsible person by making an end user a distribution group owner.

However, the default MyDistributionGroups management role grants rights that many organizations find unnecessary. A group owner would be allowed not only to manage their group’s members but also to change every setting of their distribution group, and to create and delete other distribution groups.

In this post I will show how you can create a management role that restricts pretty much every setting, leaving only one allowed capability: adding and removing members to and from the distribution groups that the user owns.

Note: The screenshots are from an Office 365 Exchange Online environment. However, the steps are the same for Exchange Server 2013 and Exchange Server 2016 as well.

Management Role Configuration

We will be creating a new role based on the existing MyDistributionGroups management role with the PowerShell command below (figure 1).

#Replace MyManagementRoleName with the name you want to give out to your management role.
New-ManagementRole MyManagementRoleName -Parent MyDistributionGroups

Figure 1: New-ManagementRole

Once you create the management role, you need to remove certain management role entries that grant permissions to the user. To do this, first let’s query the available entries by running the PowerShell command below (figure 2).

#Replace MyManagementRoleName with the name you have given to your management role.
Get-ManagementRoleEntry MyManagementRoleName\*

Figure 2: Get-ManagementRole

As you can see in the screenshot above, the management role has entries that we do not want users to have. To restrict them, we will run the commands below to remove them entirely, or to remove certain parameters from them.

Below is a list of the role entries that I will remove completely.

#Replace MyManagementRoleName with the name you have given to your management role.
Remove-ManagementRoleEntry MyManagementRoleName\Get-AcceptedDomain
Remove-ManagementRoleEntry MyManagementRoleName\New-DistributionGroup
Remove-ManagementRoleEntry MyManagementRoleName\Remove-DistributionGroup
Remove-ManagementRoleEntry MyManagementRoleName\Set-DynamicDistributionGroup

Once the above commands have been run, the entries in the management role should look similar to the screenshot below (figure 3).


Figure 3: Get-ManagementRoleEntry output after removing entries.

The user still has pretty good control over the distribution groups of which he or she is an owner. At this point group owners can manage every aspect of their distribution group(s) except for deleting the current distribution group(s) and creating new distribution groups. If restricting deletion and creation is your only goal at the moment, you can stop configuring the management role and skip to the Role Assignment Policy section. However, if you want to lock down these permissions further so that the group owner has no more control than membership management, continue reading.

We will be focusing on two more entries here: Set-DistributionGroup and Set-Group. We do not want to remove these entries entirely, as that would make managing distribution groups impossible for the user. Instead, we are going to remove parameters inside these entries. Since each of these entries contains quite a lot of parameters, I used PowerShell to export them to two separate CSV files in order to import them later and run them in a loop. The commands below export these parameters to CSV files.

#Replace USERNAME with your user folder's name. Or you can use a completely different folder path as well.
#EditDistributionGroupMembership is the name I gave to the management role; replace it with yours.
$SetG = Get-ManagementRoleEntry EditDistributionGroupMembership\Set-Group | select Parameters
$SetDG = Get-ManagementRoleEntry EditDistributionGroupMembership\Set-DistributionGroup | select Parameters
#Export-Csv does not create the folder, so make sure it exists first.
New-Item -ItemType Directory -Path C:\Users\USERNAME\Documents\Parameters -Force | Out-Null
$SetG | Export-Csv C:\Users\USERNAME\Documents\Parameters\Set-Group.csv
$SetDG | Export-Csv C:\Users\USERNAME\Documents\Parameters\Set-DistributionGroup.csv

Now, you’re going to need a bit of Excel skill to arrange the exported parameters into a single column and save them back. From both CSV files, we will remove the ErrorAction, ErrorVariable, OutBuffer, OutVariable, WarningAction, WarningVariable and WhatIf parameters. We will also add a column header named “Parameters”. Every parameter you leave in the CSV file will be removed from the management role entry when we execute the commands below.

Note: For your convenience I have uploaded these two CSV files here and the download links will be at the bottom of this post.

#Replace USERNAME with your user folder's name. Or you can use a completely different folder path as well.
#EditDistributionGroupMembership is the name I gave to the management role; replace it with yours.
$CsvG = Import-Csv C:\Users\USERNAME\Documents\Parameters\Set-Group.csv
$CsvDG = Import-Csv C:\Users\USERNAME\Documents\Parameters\Set-DistributionGroup.csv
#Each row of the CSV holds one parameter name; remove it from the matching role entry.
$CsvG | foreach {Set-ManagementRoleEntry EditDistributionGroupMembership\Set-Group -Parameters $_.Parameters -RemoveParameter -Verbose}
$CsvDG | foreach {Set-ManagementRoleEntry EditDistributionGroupMembership\Set-DistributionGroup -Parameters $_.Parameters -RemoveParameter -Verbose}

Running the last two lines with the -Verbose parameter displays information in your shell that you can use to troubleshoot if you come across any errors (figure 4).


Figure 4: Executing PowerShell commands with -Verbose
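The CSV and Excel round trip above can be avoided by filtering the parameter list in PowerShell and passing the whole array to Set-ManagementRoleEntry in one call. The script below is an added example, not code from the original post; it assumes a connected Exchange Online or Exchange Management Shell session and the role name EditDistributionGroupMembership used in the post, and it finishes by verifying that only the common parameters remain and that the membership cmdlets are still present.

```powershell
# Added example, not part of the original post. Assumes a connected Exchange
# session and the role name EditDistributionGroupMembership from the post.
$RoleName = 'EditDistributionGroupMembership'

# Parameters the post keeps in both entries; everything else is removed.
$KeepParameters = @(
    'ErrorAction', 'ErrorVariable', 'OutBuffer', 'OutVariable',
    'WarningAction', 'WarningVariable', 'WhatIf'
)

function Remove-AllButCommonParameters {
    param(
        [Parameter(Mandatory)] [string]   $Role,
        [Parameter(Mandatory)] [string]   $Cmdlet,
        [Parameter(Mandatory)] [string[]] $Keep
    )
    $entry = Get-ManagementRoleEntry "$Role\$Cmdlet"
    # Parameters still on the entry that are not on the keep list
    $toRemove = @($entry.Parameters | Where-Object { $Keep -notcontains $_ })
    if ($toRemove.Count -eq 0) {
        Write-Verbose "$Cmdlet already restricted; nothing to remove"
        return
    }
    # -Parameters accepts an array, so a single call removes them all
    Set-ManagementRoleEntry "$Role\$Cmdlet" -Parameters $toRemove -RemoveParameter -Verbose
}

Remove-AllButCommonParameters -Role $RoleName -Cmdlet 'Set-Group' -Keep $KeepParameters
Remove-AllButCommonParameters -Role $RoleName -Cmdlet 'Set-DistributionGroup' -Keep $KeepParameters

# Verification: membership cmdlets must remain, and the two Set-* entries
# must carry nothing beyond the keep list.
$entries = Get-ManagementRoleEntry "$RoleName\*"
foreach ($required in 'Add-DistributionGroupMember', 'Remove-DistributionGroupMember') {
    if ($entries.Name -notcontains $required) {
        Write-Warning "$required is missing from $RoleName; owners cannot manage members"
    }
}
foreach ($cmdlet in 'Set-Group', 'Set-DistributionGroup') {
    $left = @((Get-ManagementRoleEntry "$RoleName\$cmdlet").Parameters |
        Where-Object { $KeepParameters -notcontains $_ })
    if ($left.Count) { Write-Warning "$cmdlet still allows: $($left -join ', ')" }
    else { Write-Host "$cmdlet is restricted to common parameters only" }
}
```

Run it with -Verbose on the shell (or set $VerbosePreference) to see each removal, exactly as figure 4 shows for the CSV-based loop.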

Role Assignment Policy

If you managed to execute all the steps above without an issue, you now have a management role that only allows the group owner to add and remove members to and from the group. However, running the above commands alone will not make it the default permission set assigned to users.

The next step is to assign this new permission set to a role assignment policy. This can be either the default role assignment policy or a new one. In this demo I will be using the default role assignment policy to assign the new management role to users across my organization.

  1. Log in to the Exchange Admin Center.
  2. Go to Permissions -> User Roles.
  3. Edit the Default Role Assignment Policy, or create a new role assignment policy.
  4. Scroll down to Distribution groups.
  5. Uncheck MyDistributionGroups and check EditDistributionGroupMembership (or the name you’ve given to your management role, as shown in figure 5).


    Figure 5: Role Assignment Policy

  6. Click Save
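The same swap can be made from PowerShell, which is handy for scripting or for a change record. The commands below are an added example, not from the original post; they assume a connected Exchange session, the default policy name and the role name EditDistributionGroupMembership used in the post.

```powershell
# Added example, not part of the original post. Assumes a connected Exchange
# session and the role name EditDistributionGroupMembership from the post.
$Policy  = 'Default Role Assignment Policy'
$NewRole = 'EditDistributionGroupMembership'
$OldRole = 'MyDistributionGroups'

# Assign the restricted role to the policy (the equivalent of ticking the box in EAC).
New-ManagementRoleAssignment -Role $NewRole -Policy $Policy

# Remove the broad MyDistributionGroups assignment from the same policy (unticking it).
# RBAC permissions are additive, so leaving both assigned would grant the union of both roles.
Get-ManagementRoleAssignment -RoleAssignee $Policy -Role $OldRole |
    Remove-ManagementRoleAssignment -Confirm:$false

# Verify: the policy should now list the restricted role and no longer the broad one.
Get-ManagementRoleAssignment -RoleAssignee $Policy |
    Select-Object Role, RoleAssigneeName, Enabled
```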

Once this is set, group owners will not be able to change any setting in the distribution group except for adding and removing members to and from the distribution groups they own. The screenshots below (figure 6 to figure 11) show the different sections of the distribution group properties. Except for the Membership section, every option in the other sections is greyed out.


Figure 6: General


Figure 7: Ownership


Figure 8: Membership


Figure 9: Membership Approval


Figure 10: Message Approval


Figure 11: Email Options

Downloads

  • Set-DistributionGroup.csv (994 B)
    This CSV file contains the parameters of the Set-DistributionGroup entry in the MyDistributionGroups management role.
  • Set-Group.csv (145 B)
    This CSV file contains the parameters of the Set-Group entry in the MyDistributionGroups management role.
