How to Configure Granular Permissions to End Users for Distribution Group Management

Exchange Online in Office 365, Exchange 2013, and Exchange 2010 offer end users the ability to create, edit, and delete Exchange distribution groups in the Global Address List. This feature is a role assignment called MyDistributionGroups in the User Role’s Default Role Assignment Policy, and it is not enabled by default.

User’s Default Role Assignment Policy
If you enable this role by selecting the checkbox and saving the policy, all users can create, edit, and delete distribution groups that they own (the user is listed in the Owners multivalued property of the group).

But what if you only want users to be able to edit their own distribution groups? Or maybe you want them to only be able to edit and delete their own groups? Or maybe only add and edit their own groups? The cmdlets below will configure these options for the Default Role Assignment Policy.

Run the following cmdlets in an Exchange Management Shell session:

# Edit only: child role of MyDistributionGroups without the create and delete cmdlets
New-ManagementRole -Name CanEditDistributionGroups -Parent MyDistributionGroups
Remove-ManagementRoleEntry CanEditDistributionGroups\New-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry CanEditDistributionGroups\Remove-DistributionGroup -Confirm:$false

# Create and edit: child role without the delete cmdlet
New-ManagementRole -Name CanCreateDistributionGroups -Parent MyDistributionGroups
Remove-ManagementRoleEntry CanCreateDistributionGroups\Remove-DistributionGroup -Confirm:$false

# Edit and delete: child role without the create cmdlet
New-ManagementRole -Name CanRemoveDistributionGroups -Parent MyDistributionGroups
Remove-ManagementRoleEntry CanRemoveDistributionGroups\New-DistributionGroup -Confirm:$false

# Assign all three child roles to the default policy for end users
New-ManagementRoleAssignment -Role CanEditDistributionGroups -Policy "Default Role Assignment Policy"
New-ManagementRoleAssignment -Role CanCreateDistributionGroups -Policy "Default Role Assignment Policy"
New-ManagementRoleAssignment -Role CanRemoveDistributionGroups -Policy "Default Role Assignment Policy"

Once the script completes, you will want to configure the Default Role Assignment Policy in Permissions/User Roles as shown below. Log into the EAC with Organization Management rights and click Permissions > User Roles and edit the Default Role Assignment Policy.

By default, all three sub-items will be checked. Leave the checkbox selected for the roles you want to assign and clear the ones you don’t want to give, then click Save. The example above allows all users to edit and remove distribution groups where they are the Owner. Users are unable to modify or delete groups they do not own.
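To confirm the result from the shell rather than the EAC, the following added example (not part of the original article) reports which of the three custom roles are assigned to the policy and whether each still contains New-DistributionGroup and Remove-DistributionGroup. It assumes the role and policy names used above and also flags the case where the parent MyDistributionGroups role is itself assigned to the policy.

```powershell
# Added example: audit the custom distribution group roles.
# Run in an Exchange Management Shell session after the cmdlets above.
$policy = 'Default Role Assignment Policy'

# Whether each custom role should still contain the cmdlet ($true) or not ($false),
# taken from the Remove-ManagementRoleEntry lines in the article.
$expected = @{
    CanEditDistributionGroups   = @{ 'New-DistributionGroup' = $false; 'Remove-DistributionGroup' = $false }
    CanCreateDistributionGroups = @{ 'New-DistributionGroup' = $true;  'Remove-DistributionGroup' = $false }
    CanRemoveDistributionGroups = @{ 'New-DistributionGroup' = $false; 'Remove-DistributionGroup' = $true }
}

$report = foreach ($role in $expected.Keys) {
    # Names of the cmdlets the role still exposes
    $entries = @(Get-ManagementRoleEntry "$role\*" | Select-Object -ExpandProperty Name)

    # Is the role assigned to the policy, with the assignment enabled?
    $assigned = @(Get-ManagementRoleAssignment -Role $role -RoleAssignee $policy |
                  Where-Object { $_.Enabled }).Count -gt 0

    foreach ($cmdlet in $expected[$role].Keys) {
        $present = $entries -contains $cmdlet
        New-Object PSObject -Property @{
            Role             = $role
            AssignedToPolicy = $assigned
            Cmdlet           = $cmdlet
            Present          = $present
            AsExpected       = ($present -eq $expected[$role][$cmdlet])
        }
    }
}
$report | Sort-Object Role, Cmdlet |
    Format-Table Role, AssignedToPolicy, Cmdlet, Present, AsExpected -AutoSize

# The parent role carries create, edit and delete together, so an enabled
# assignment of it to the policy overrides the narrower child roles.
$parent = @(Get-ManagementRoleAssignment -Role MyDistributionGroups -RoleAssignee $policy |
            Where-Object { $_.Enabled })
if ($parent.Count -gt 0) {
    Write-Warning "MyDistributionGroups is assigned to '$policy'; users can create, edit and delete their groups regardless of the child roles."
}
```

Any row with AsExpected set to False means a role entry was not removed as intended, and AssignedToPolicy shows which checkboxes are currently in effect.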



The checkbox for MyDistributionGroupMembership allows users to add or remove themselves from distribution groups that allow it.



Users can manage distribution groups from the Global Address List in Outlook or from Options > Groups in Outlook Web App.

