How-to Allow End Users To Manage Exchange 2010 (SP1) Distribution Groups

On June 14, 2011, in How-to, by Cubert aka (Cube Dweller)

Distribution groups in Exchange 2010 are managed from OWA, now known as Outlook Web App. Owners of a distribution list can manage their own distribution list if you have correctly configured RBAC (Role Based Access Control) in Exchange 2010. Microsoft Exchange Server 2010 comes with the new RBAC permissions model, which allows you to define both broad and more granular assignments of permissions.

While you can perform granular assignments in Exchange 2010, there are also Predefined Role Groups that you can use if you want an easier way of assigning permissions to end users. Below I will walk you through a very quick and easy way to provide end users the ability to modify distribution groups.

First we will need to create a new custom role based on the default ‘MyDistributionGroups’ role. To do this we will use the Exchange Management Shell in Exchange 2010, aka PowerShell with the Exchange modules.

Open up the Exchange Shell and copy and paste the following:

New-ManagementRole -Name MyUsersDistributionGroups -Parent MyDistributionGroups -Description "This role enables individual users to view distribution groups and add or remove members to distribution groups they own."

The command above created a new role based on MyDistributionGroups. We need to change this new role because we don’t want all the same settings as MyDistributionGroups.

Next we need to modify the new role.

Remove-ManagementRoleEntry MyUsersDistributionGroups\Set-Group -Confirm:$false
Remove-ManagementRoleEntry MyUsersDistributionGroups\Remove-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry MyUsersDistributionGroups\New-DistributionGroup -Confirm:$false

Then we limit Set-DistributionGroup in the new role to the following parameters:

Set-ManagementRoleEntry MyUsersDistributionGroups\Set-DistributionGroup -Parameters Confirm,ErrorAction,ErrorVariable,Identity,MailTip,MailTipTranslations,OutBuffer,OutVariable,WarningAction,WarningVariable,WhatIf

Finally, we need to apply this role to our users. For everyone to get these settings, you must add the new role to the existing “Default Role Assignment Policy”, which is applied to everyone.

New-ManagementRoleAssignment -Role MyUsersDistributionGroups -Policy "Default Role Assignment Policy"

Once that’s done, you must make the user who will manage the group an owner of the distribution group so that the user can modify its members. This is done inside the Exchange Management Console under Recipients / Distribution Groups. Find the group you want the user to manage and place them in the “Managed By” box under the Group Information tab.
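A read-only check of the result of the steps above, as an added example that is not part of the original post. It confirms that the three entries are gone, that Set-DistributionGroup is limited to the listed parameters, and whether the parent MyDistributionGroups role is also assigned to the policy (RBAC assignments are additive, so the parent role would still grant what the custom role removed). It uses only the role and policy names from this page and assumes it is run in the Exchange Management Shell.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
$role   = 'MyUsersDistributionGroups'        # custom role created above
$parent = 'MyDistributionGroups'             # built-in parent role
$policy = 'Default Role Assignment Policy'

$entries = @(Get-ManagementRoleEntry "$role\*")

# 1. The three entries removed above must be gone from the custom role.
$removed = 'Set-Group', 'Remove-DistributionGroup', 'New-DistributionGroup'
foreach ($e in $entries) {
    if ($removed -contains $e.Name) { Write-Warning "Still present: $role\$($e.Name)" }
}

# 2. Set-DistributionGroup must expose only the parameters set above.
$allowed = 'Confirm', 'ErrorAction', 'ErrorVariable', 'Identity', 'MailTip',
           'MailTipTranslations', 'OutBuffer', 'OutVariable', 'WarningAction',
           'WarningVariable', 'WhatIf'
$setDg = $entries | Where-Object { $_.Name -eq 'Set-DistributionGroup' }
if (-not $setDg) {
    Write-Warning "$role\Set-DistributionGroup not found"
} else {
    foreach ($p in $setDg.Parameters) {
        if ($allowed -notcontains $p) { Write-Warning "Unexpected parameter: $p" }
    }
}

# 3. Which of the two roles are assigned to the policy? RBAC is additive, so
#    an assignment of the parent role would still grant the removed cmdlets.
foreach ($r in $role, $parent) {
    $hit = @(Get-ManagementRoleAssignment -Role $r |
             Where-Object { $_.RoleAssigneeName -eq $policy })
    "{0,-28} assigned to '{1}': {2}" -f $r, $policy, ($hit.Count -gt 0)
}

# 4. Review who owns each group: these users can now edit its membership.
Get-DistributionGroup -ResultSize Unlimited |
    Select-Object Name, ManagedBy, HiddenFromAddressListsEnabled
```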


That’s it!!! Now we let the user log in to the Outlook Web App and make modifications to the distribution groups they now own. To make edits they should log in, select the Options menu, then select All Options. It will display a menu that provides access to Groups. Select Groups and you should see two lists: the first list is all groups you’re a member of and the second list is all groups you own or manage. Double-click the group name to manage that group and its memberships.



I hope this helps someone else get group management working after an upgrade from Exchange 2007, and in less time than it took me.



10 Responses to “How-to Allow End Users To Manage Exchange 2010 (SP1) Distribution Groups”

  1. ZigRony says:

    Wow, dude I need that.

    Thanks and kudos!!

    You are the ultimate IT guy!!

  2. Dave says:

    Great article, thanks!

    The ability to manage groups doesn’t appear to apply to groups that have the “Hide Group from Exchange Address Lists” option ticked. Is there any way around this? I’ve tried manually searching for a group name but if that option is ticked it won’t show up, even for the user nominated as the manager.

  3. Lee says:

    Hi thanks for that it’s just about what I need. How can you do the above but allow end users to add external contacts into the distribution lists without the need for an administrator to add the external address to a contact in AD?

  4. ITgirl says:

    Wish this was information on how to have this work in Outlook, not the web app… and for join/leave Open Distribution Group by any user.

    I find it rather useless to set DG to be Open and the users can not join or leave in Outlook. And in all sincerity I find it ridiculous to have to fire up web app to join or leave those Open DG’s.

  5. Steffen says:

    Hi ITGirl

    The users added to the ‘managed by’ also have the ability to manage the distlist from within Outlook.

    The end-users will have to use the ECP to request or remove themselves.

  6. Tom Dubowski says:

    This helped me, thanks a bunch!

  7. Silvia Fernandes says:

    Absolutely Perfect!! Been banging my head all morning and then found this! Thanks so much. 🙂

  8. Mason says:

    Worked perfect! Great step by step.

  9. Patrick says:

    I have the same question as Lee, since it was not answered here. How can you do the above but allow end users to add external contacts into the distribution lists without the need for an administrator to add the external address to a contact in AD?
