question

0 Votes
miniadmin-1064 asked miniadmin-1064 edited

A user managed distribution group

Hello

I'm trying to create a distribution group whose members are managed by a regular user while meeting the following requirements:
- This owner/manager shall only be able to manage groups owned/managed by him
- The members should only be added and removed by the group's manager - a closed group
- The group should receive emails from inside and outside of the organization

What I already tried
- Creating a distribution group in ECP and selecting a user as the owner
- Creating a distribution group via the Exchange Shell
- Modifying the group owner via ECP, AD and Exchange Shell
- Checking the "Manager can update membership list" checkbox in the "Managed By" tab
- Modifying the access rights via PowerShell Add-ADPermission -Identity: "[GROUP]" -User "[USER]" -AccessRights ReadProperty, WriteProperty -Properties "Member"
- Waiting for days and restarting IIS

Additional information
- Exchange 2016 with latest patches
- The group is a universal distribution group
- The alias contains no special or unauthorized characters
- The group is a member of the GAL

All the listed methods result in the following error message while the owner/manager is trying to change the members of his group using Outlook:

Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object.

Using RBAC would lead to a user having control over all distribution groups in a certain OU. Doing it right would lead to creating a new OU for each user's group and a new admin role containing this sole user linked to this specific OU.

Is there any other way to solve this one? All ideas are welcome.

Thanks

office-exchange-server-administration office-exchange-server-mailflow

Hi @miniadmin-1064

I think RBAC permission isn't necessary to manage distribution group.

Would you please share the current settings with us?
For example, the settings of the distribution group in Exchange and RBAC or AD settings of the manager if there are any.
(Don't forget to hide your personal information for security)

0 Votes 0 ·

1 Answer

2 Votes
AndyDavid answered miniadmin-1064 edited

> Using RBAC would lead to a user having control over all distribution groups in a certain OU. Doing it right would lead to creating a new OU for each user's group and a new admin role containing this sole user linked to this specific OU.

The users would only be able to update the membership of the groups they own, not all the groups in a certain OU. Unless I am missing something here?


Hello AndyDavid,

Thank you for your response. You are right. A wrong approach was taken.

I was working with administrative roles where scoping is possible. In this case an assigned user can update the membership of all groups in a certain OU.

The solution was to create a new user role with MyDistributionGroups checked and assign it via mailboxes --> mailbox features --> Role assignment policy to a specific user.




0 Votes 0 ·
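The fix described in this thread (a role assignment policy carrying MyDistributionGroups, assigned to one mailbox) can also be scripted in the Exchange Management Shell. This is an added example, not code from the posters; the policy, role, group and owner names are placeholders. It goes one step beyond the thread by using a child role with the group create/delete entries removed, so the owner can only edit groups already listed in ManagedBy.

```powershell
# Added example. All names below are assumed placeholders, not values from the thread.
$policy = 'DL Owner Policy'
$role   = 'MyDistributionGroups-MembersOnly'
$group  = 'project-team@contoso.example'
$owner  = 'owner@contoso.example'

# 1. Derive a child of the built-in end-user role. A child role can only
#    lose entries, never gain them, so it stays within the parent's rights.
New-ManagementRole -Name $role -Parent 'MyDistributionGroups'

# 2. Least privilege: drop the entries that let a user create or delete groups.
#    Filtering first avoids an error if an entry is not present.
Get-ManagementRoleEntry "$role\*" |
    Where-Object Name -in 'New-DistributionGroup', 'Remove-DistributionGroup' |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Create the role assignment policy ("user role" in the ECP).
#    Add any other end-user roles from the default policy that the owner still needs.
New-RoleAssignmentPolicy -Name $policy -Roles 'MyBaseOptions', $role

# 4. Apply the policy to the single mailbox that owns the group.
Set-Mailbox -Identity $owner -RoleAssignmentPolicy $policy

# 5. Group settings matching the question: owner set, membership closed,
#    mail accepted from unauthenticated (external) senders.
$groupSettings = @{
    Identity                           = $group
    ManagedBy                          = $owner
    MemberJoinRestriction              = 'Closed'
    MemberDepartRestriction            = 'Closed'
    RequireSenderAuthenticationEnabled = $false
    BypassSecurityGroupManagerCheck    = $true   # the admin running this is not an owner
}
Set-DistributionGroup @groupSettings

# 6. Verify what the owner actually received.
Get-ManagementRoleAssignment -RoleAssignee $owner -Role $role |
    Format-Table Name, Role, RoleAssigneeName
Get-DistributionGroup -Identity $group |
    Format-List ManagedBy, MemberJoinRestriction, MemberDepartRestriction,
                RequireSenderAuthenticationEnabled
```

Because end-user "My*" roles are scoped to objects the user owns, the assignment does not extend to other groups in the same OU, which is the difference from the scoped administrative role tried first.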