How to give permissions to users to manage Universal Security Distribution Lists (must use RBAC)

Posted: April 12, 2016 in Windows

https://blogs.technet.microsoft.com/samdrey/2013/10/01/exchange-20102013-how-to-give-permissions-to-users-to-manage-universal-security-distribution-lists-must-use-rbac/

Users on Exchange 2010 who try to update or create a Distribution List may get the following error message:

"Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on this object.”

clip_image001

Usually, it’s because they don’t have the permissions (reminder: RBAC only for Exchange 2010 users) to create or modify security groups).

To assign these permissions to a security group in which you add users (recommended) or to a single user:

1 – First create a security group

2 – All the DL owners should be member of this group ( This way you do not have to assign permissions to individual users, it will be easier to manage permissions Only for the required users, )

3 – Assign permissions to security group (recommended)

  • New-managementroleassignment –role “Security group creation and membership” –securitygroup “DL Owners”

clip_image003

image

clip_image004

or to assign the roles directly to user

  • New-managementroleassignment –role “Security group creation and membership” –User “username”

clip_image006

image

5 – Add all the users who needs to manage DL’s to the security group

6 – Wait for AD Replication

7 – now users will be able to manage Mail enabled Security DL using outlook

8 – Any helpdesk users can use Exchange management shell and manage DL membership

9 – logout and login to their outlooks and try to change the Security group membership

 

# get-managementroleassignment -role "Security group creation and membership"

clip_image002[4]

#Command Remove ManagementRoleAssignment

clip_image002

CMIIW, Thanks Smile

Leave a Reply

Your email address will not be published. Required fields are marked *