How to give permissions to users to manage Universal Security Distribution Lists (must use RBAC)

Posted: April 12, 2016 in Windows

Users on Exchange 2010 who try to update or create a Distribution List may get the following error message:

"Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on this object.”


Usually, it’s because they don’t have the permissions (reminder: RBAC only for Exchange 2010 users) to create or modify security groups).

To assign these permissions to a security group in which you add users (recommended) or to a single user:

1 – First create a security group

2 – All the DL owners should be member of this group ( This way you do not have to assign permissions to individual users, it will be easier to manage permissions Only for the required users, )

3 – Assign permissions to security group (recommended)

  • New-managementroleassignment –role “Security group creation and membership” –securitygroup “DL Owners”




or to assign the roles directly to user

  • New-managementroleassignment –role “Security group creation and membership” –User “username”



5 – Add all the users who needs to manage DL’s to the security group

6 – Wait for AD Replication

7 – now users will be able to manage Mail enabled Security DL using outlook

8 – Any helpdesk users can use Exchange management shell and manage DL membership

9 – logout and login to their outlooks and try to change the Security group membership


# get-managementroleassignment -role "Security group creation and membership"


#Command Remove ManagementRoleAssignment


CMIIW, Thanks Smile

Leave a Reply

Your email address will not be published. Required fields are marked *