How to Configure Granular Permissions to End Users for Distribution Group Management

Exchange Online in Office 365, Exchange 2013, and Exchange 2010 offer end users the ability to create, edit, and delete Exchange distribution groups in the Global Address List.  This feature is a role called MyDistributionGroups in the User Roles Default Role Assignment Policy, and it is not enabled by default.

User’s Default Role Assignment Policy
If you enable this role by selecting the checkbox and saving the policy, all users can create, edit, and delete distribution groups that they own (the user is listed in the Owners multivalued property of the group).

But what if you only want users to be able to edit their own distribution groups? Or maybe you want them to only be able to edit and delete their own groups? Or maybe only add and edit their own groups?  The cmdlets below will configure these options for the Default Role Assignment Policy.

Run the following cmdlets in an Exchange Management Shell session:

# Edit only: child role of MyDistributionGroups without the create and delete cmdlets
New-ManagementRole -Name CanEditDistributionGroups -Parent MyDistributionGroups
Remove-ManagementRoleEntry CanEditDistributionGroups\New-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry CanEditDistributionGroups\Remove-DistributionGroup -Confirm:$false

# Create and edit: child role without the delete cmdlet
New-ManagementRole -Name CanCreateDistributionGroups -Parent MyDistributionGroups
Remove-ManagementRoleEntry CanCreateDistributionGroups\Remove-DistributionGroup -Confirm:$false

# Delete and edit: child role without the create cmdlet
New-ManagementRole -Name CanRemoveDistributionGroups -Parent MyDistributionGroups
Remove-ManagementRoleEntry CanRemoveDistributionGroups\New-DistributionGroup -Confirm:$false

# Assign all three custom roles to the default policy
New-ManagementRoleAssignment -Role CanEditDistributionGroups -Policy "Default Role Assignment Policy"
New-ManagementRoleAssignment -Role CanCreateDistributionGroups -Policy "Default Role Assignment Policy"
New-ManagementRoleAssignment -Role CanRemoveDistributionGroups -Policy "Default Role Assignment Policy"

Once the script completes, you will want to configure the Default Role Assignment Policy in Permissions/User Roles as shown below.  Log into the EAC with Organization Management rights and click Permissions > User Roles and edit the Default Role Assignment Policy.

By default, all three sub-items will be checked.  Select the checkbox for roles you want to assign and clear the ones you don’t want to give, then click Save. The example above allows all users to edit and remove distribution groups where they are the Owner.  Users are unable to modify or delete groups they do not own.



The checkbox for MyDistributionGroupMembership allows users to add or remove themselves from distribution groups that allow it.



Users can manage distribution groups from the Global Address List in Outlook or from Options > Groups in Outlook Web App.


Cisco Offers Free Nexus 1000V Integrated Switch for Hyper-V

Hyper-V 3.0 on Windows Server 2012 offers a new feature called an extensible virtual switch.  This feature allows you to replace the Windows integrated virtual switch in Hyper-V with a third-party switch, such as the Cisco 1000V.  You can get a quick overview of Hyper-V extensible virtual switches here.

The Cisco 1000V virtual switch provides many advanced capabilities to Hyper-V VMs such as advanced switching (private VLANs, ACLs, PortSecurity, and Cisco vPath), security, monitoring, and manageability.  Best of all it’s free to download here!


The following information comes from Cisco’s Cisco Nexus 1000V Switch for Microsoft Hyper-V website:

Features and Capabilities

The Cisco Nexus 1000V Switch for Microsoft Hyper-V:
  • Offers consistent operational experience across physical, virtual, and mixed hypervisor environments
  • Reduces operational complexity through dynamic policy provisioning and mobility-aware network policies
  • Improves security through integrated virtual services and advanced Cisco NX-OS features


The following table summarizes the capabilities and benefits of the Cisco Nexus 1000V Switch for Microsoft Hyper-V.

| Capabilities | Features | Operational Benefits |
|---|---|---|
| Advanced Switching | Private VLANs, Quality of Service (QoS), access control lists (ACLs), port security, and Cisco vPath | Get granular control of virtual machine-to-virtual machine interaction. |
| Security | Dynamic Host Configuration Protocol (DHCP) Snooping, Dynamic Address Resolution Protocol Inspection, and IP Source Guard | Reduce common security threats in data center environments. |
| Monitoring | NetFlow, packet statistics, Switched Port Analyzer (SPAN), and Encapsulated Remote SPAN | Gain visibility into virtual machine-to-virtual machine traffic to reduce troubleshooting time. |
| Manageability | Simple Network Management Protocol, NetConf, syslog, and other troubleshooting command-line interfaces | Use existing network management tools to manage physical and virtual environments. |

The Cisco Nexus 1000V won the Best of Microsoft TechEd 2013 award in the Virtualization category.



If you’re interested in learning more about the Nexus 1000V extensible switch, I encourage you to view the following 2-hour session on CiscoLive365: BRKVIR-2017 – The Nexus 1000V on Microsoft Hyper-V: Expanding the Virtual Edge (2013 London).  Free registration is required.  Bennial also posted the PowerPoint slide deck for this session on Scribd here.