Turn Off User's Ability to Create Distribution Groups
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
By default, all users in your Microsoft Exchange Server 2010 organization can create and manage distribution groups from their e-mail client. There are several ways to turn off a user's ability to create or manage distribution groups:
Create an assignment policy and assign it to the users who shouldn't be allowed to create or manage distribution groups.
Remove the My Distribution Groups and the My Distribution Group Membership roles from the default management role assignment policy.
The procedures in this topic assume that you haven't changed the name of the My Distribution Groups and My Distribution Group Membership management roles.
Looking for other management tasks related to distribution groups? Check out Managing Distribution Groups.
Prerequisites
Read Understanding Management Role Assignment Policies.
Use the Shell to create a role assignment policy to apply to specific users
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note
You can't use the EMC to create a role assignment policy to apply to specific users.
You can create a policy that doesn't contain the My Distribution Groups and My Distribution Group Membership roles and apply that policy to specific users in your organization. Those users won't be able to create or manage distribution groups.
Create a role assignment policy. This example creates the policy No Distribution Group Management.
New-RoleAssignmentPolicy "No Distribution Group Management"
Use a variable to get all of the roles assigned to the default role assignment policy.
$Roles = Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy"
Note
The default role assignment policy that's installed with Exchange 2010 is named Default Role Assignment Policy. If you change the name of that policy or if you have a different default policy, you can locate the default policy by running the following command.
Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }
Add all of the roles assigned to the default assignment policy to the new role assignment policy, excluding the ones that contain the word distribution.
$Roles | Where {$_.Role -NotLike "*Distribution*" } | New-ManagementRoleAssignment -Policy "No Distribution Group Management"
Apply the No Distribution Group Management assignment policy to the appropriate users. This example applies the No Distribution Group Management role assignment policy to all mailboxes that have the CustomAttribute1 value set to Contract Employee.
Get-Mailbox -Filter {CustomAttribute1 -eq "Contract Employee"} | Set-Mailbox -RoleAssignmentPolicy "No Distribution Group Management"
Use the Shell to remove the My Distribution Groups and the My Distribution Group Membership roles from the default management role assignment policy
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note
You can't use the EMC to remove the My Distribution Groups and the My Distribution Group Membership roles from the default management role assignment policy.
Removing the My Distribution Groups and My Distribution Group Membership roles from the default role assignment policy is the easiest way to remove this permission from most users in your organization. However, this doesn't affect recipients who have been assigned a different role assignment policy.
Note
By creating a default role assignment policy, you can save the master settings and create additional policies from it.
Create a role assignment policy. This example creates the policy No Distribution Group Management.
New-RoleAssignmentPolicy "No Distribution Group Management"
Use a variable to get all of the roles assigned to the Default Role Assignment Policy.
$Roles = Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy"
Note
The default role assignment policy that's installed with Exchange 2010 is named Default Role Assignment Policy. If you change the name of that policy or if you have a different default policy, you can locate the default policy by running the following command.
Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }
Add all of the roles assigned to the default assignment policy to the new role assignment policy, excluding the ones that contain the word distribution.
$Roles | Where {$_.Role -NotLike "*Distribution*" } | New-ManagementRoleAssignment -Policy "No Distribution Group Management"
Make the new role assignment policy the default policy so that it will apply to all users in the organization.
Set-RoleAssignmentPolicy "No Distribution Group Management" -IsDefault
Rename the old default role assignment policy something more appropriate. This example renames it Old_Default Role Assignment Policy.
Set-RoleAssignmentPolicy "Default Role Assignment Policy" -Name "Old_Default Role Assignment Policy"
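Because changing the default policy doesn't affect recipients who have been assigned a different role assignment policy, it helps to check the result after either procedure. The following is an added example, not part of the original topic: it lists every policy that still grants a role matching the same *Distribution* wildcard used above and the mailboxes still assigned to those policies. It assumes the Exchange Management Shell and that Get-Mailbox shows the policy by name.

```powershell
# Added verification example (not from the original topic).
# Run in the Exchange Management Shell; written for PowerShell 2.0.

# 1. Find every role assignment policy that still grants a role whose
#    name matches the wildcard used in the procedures above.
$Findings = @(
    foreach ($Policy in Get-RoleAssignmentPolicy) {
        $Granted = @(Get-ManagementRoleAssignment -RoleAssignee $Policy.Name |
            Where-Object { $_.Role -like "*Distribution*" } |
            ForEach-Object { "$($_.Role)" } |
            Sort-Object -Unique)

        if ($Granted.Count -gt 0) {
            New-Object PSObject -Property @{
                Policy    = $Policy.Name
                IsDefault = $Policy.IsDefault
                Roles     = $Granted -join ", "
            }
        }
    }
)

if ($Findings.Count -eq 0) {
    Write-Host "No role assignment policy grants a distribution group role."
    return
}
$Findings | Format-Table Policy, IsDefault, Roles -AutoSize

# 2. List the mailboxes still assigned to one of those policies.
#    The comparison is by policy name (assumption: RoleAssignmentPolicy
#    renders as the policy name, as it does in Get-Mailbox output).
$Flagged = @($Findings | ForEach-Object { $_.Policy })
$StillAllowed = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $Flagged -contains "$($_.RoleAssignmentPolicy)" })

# Summary per policy, then the individual mailboxes for follow-up.
$StillAllowed |
    Group-Object { "$($_.RoleAssignmentPolicy)" } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$StillAllowed |
    Sort-Object Name |
    Format-Table Name, PrimarySmtpAddress, RoleAssignmentPolicy -AutoSize
```

An empty mailbox list in step 2 means no mailbox is assigned to a policy that still grants these roles. Mailboxes created later receive whichever policy is marked as the default at that time.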