Manage the Members of Distribution Groups
Applies to: Exchange Server 2010 SP3
Microsoft Exchange Server 2010 provides a new feature to manage distribution groups. This feature lets your users join existing groups, manage some of the properties of groups that they own, manage their membership in groups that they own, and even create and remove groups.
Manage Distribution Groups
Microsoft Exchange Server 2010 now offers users the ability to manage distribution groups with more control than that provided by Microsoft Office Outlook 2007. This new feature lets your users join existing groups, manage some of the properties of groups that they own, manage membership in groups that they own, and even create and remove groups.
By default, this feature is turned off. To turn on this feature, use the Exchange Control Panel (ECP) to assign the MyDistributionGroups RBAC role to the Default Role Assignment Policy.
Although some customers want their users to have the ability to create and remove distribution groups on this role, the control that is offered by this new feature may be more than you want to provide the users on your network.
For example, you may want to modify the functionality of this feature to meet any of the following goals:
Let users manage distribution groups they own.
Not let users be able to create distribution groups.
Not let users be able to remove distribution groups, including those that they own.
To help you change the functionality of the new feature, use the ManageGroupManagementRole.ps1 script. This script is available from the TechNet Script Center. To use this script, follow these steps:
Obtain the script by visiting the following TechNet Script Center Web site: Manage-GroupManagementRole.ps1.
Copy the contents of the script to a text file on the computer on which you want to run it, and then save the file by using the following filename: Manage-GroupManagementRole.ps1.
At an Exchange PowerShell command prompt, run the following command: Manage-Groupmanagmentrole.ps1 -creategroup –removegroup.
This combination of switches makes the changes that are described in the example mentioned earlier. When the script is finished running, your users will be able to manage distribution groups, but not create or remove them. When you run the script, the script performs the following actions:
Creates a new RBAC role that is a child of the MyDistributionGroups Role.
Removes the remove-distributiongroup cmdlet and the new-distributiongroup cmdlet from the role that you just created.
Assigns the new role to the Default Role Assignment Policy.
For more information about how to use this script, examine the contents of the script file. Or, run the script without switches. Each step that the script takes is documented in the script. You can extract from the script just what you require to change the functionality of the manage distribution groups feature. The script is designed to be flexible. If you run the script by using the default settings, you get a new role and a new role assignment.
How to Use Groups to Manage Groups in Exchange 2010
In Exchange 2010, distribution groups cannot be managed by groups; only individual users can manage groups. This behavior differs from Microsoft Exchange Server 2003, in which you use groups to manage a distribution group. In Exchange 2003, group ownership is handled at a different level. If you move mailboxes from Exchange 2003 to Exchange 2010, members of a group that managed a distribution group in Exchange 2003 can no longer modify the group in Exchange 2010.
The Set-DistributionGroupOwners.ps1 script lets you work around this changed behavior. The script enables you to simulate group ownership of a distribution group in Exchange 2010.
You can run the script in the following modes, depending on the switches that you use together with the script.
Mode 1: Set Ownership for a particular distribution group. Modifications to the ManagedBy attribute are not set at this time. Instead, the script modifies a custom attribute to obtain the information it will require later to set the ManagedBy attribute.
Mode 2: Modify the ManagedBy attribute of a specific distribution group so that the members of either a security group or a distribution group can manage the group.
Mode 3: Automate the process. This mode is designed to be run as a scheduled task and to make sure that individual members of a group have ownership of the distribution group that they are set to own. Use this mode if you prefer to automate the process and, perhaps, run it nightly to find any changes to security group and distribution group membership.
Windows Server 2008 R2 is required to run the Set-DistributionGroupOwners.ps1 script. The script does not have to be run on a server that’s running Exchange Server. However, the Exchange management tools must be installed on the computer on which you run the script.
To run the Set-DistributionGroupOwners.ps1 script, follow these steps:
Visit the Script Center, and then download Set-DistributionGroupOwners.txt from the following Web page: Set-DistributionGroupOwners.
Change the file name extension from .txt to .ps1. The filename should now be Set-DistributionGroupOwners.ps1.
By default, the script populates the CustomAttribute5 field by using the Distinguished Name (DN) of the group. The DN is specified in the ManagedBy attribute of the distribution group that you want to manage. You can change the default behavior to use one of the 15 custom attributes in the default schema. Determine which custom attribute works in your environment. To change the custom attribute, follow these steps:
Open the Set-DistributionGroupOwners.ps1 file in Notepad.
Locate the following text: $dn_storage = "CustomAttribute5".
Change CustomAttribute5 to the custom attribute that you want to use.
Save and then close the Set-DistributionGroupOwners.ps1 file.
Determine which of the following modes you want to use to run the script.
Mode 1 - Set Ownership of a Group In this mode, run the script together with the –DistributionGroup and –GroupOwner parameters. Specify the distribution group (-DistributionGroup) and the group that you want to manage it (-GroupOwner). This resets the DN of the owning group (as specified in –GroupOwner) to the custom attribute for the Distribution Group (as specified in –DistributionGroup).
Mode 2 - Modify the ManagedBy attribute for one Group Mode 2 or Mode 3 don’t work until you set the value of the customer attribute to the DN of the owning group. If you have already run the Script in Mode 1, Mode 2 configures the ManagedBy attribute for a single group. To run the script in Mode 2, specify only the –DistributionGroup parameter, and list the DL that you want to have processed.
Mode 3 – Run the Script as a Scheduled Task to look all new modifications to Group Ownership When you run the script without switches, the script searches the directory in Active Directory Domain Services for all groups that have the defined custom attribute set to a DN. Then, it processes all the groups as in Mode 2. The script is designed to be run in this mode as either a one-off kind of operation for which you know updates are needed or as a scheduled task to keep everything in sync. A key point is that when the script populates the ManagedBy attribute, it overwrites the existing values by using the current members of the owning group.
For more information about custom attributes, see Understanding Custom Attributes.
For more information about managing distribution groups, see Managing Distribution Groups.
© 2010 Microsoft Corporation. All rights reserved.