BACKGROUND
In Exchange 2010, if you make an end user a distribution list owner, they are capable of managing that list via OWA. However, the default MyDistributionGroups management role that gets assigned gives too many rights. The user would be allowed to not only manage their group but create and delete other distribution groups. That role provisions the user to be capable of running Set-DistributionGroup; Set-Group; Set-DynamicDistributionGroup; New-DistributionGroup among other commands to manage members.
There are plenty of articles circling around on how to create a new default management role that does not include the New-DistributionGroup and Remove-DistributionGroup commands.
However, this still allows the group owner to modify settings like the DisplayName and Alias. This could lead to a user creating a new email address for the distribution list and causing inadvertent issues.
In testing, I have created a management role that is based off the original MyDistributionGroups role, but does not include the commands New-DistributionGroup, Remove-DistributionGroup, and Set-Group. This allows the group owner to still manage the group, not delete or create new groups, and not change the Active Directory side settings such as the DisplayName and add or remove additional owners.
Unfortunately, it still allows them to change the Alias.
QUESTION
Does anyone know of a way to restrict group owners in Exchange 2010 so that they can manage members but not change properties like the Alias?
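
The role described in the post, written out for the Exchange Management Shell, with one further step that goes beyond the post: RBAC role entries can be trimmed per parameter, so Alias can be removed from the cmdlets that remain. This is an added example, not the poster's own commands; the role name is hypothetical and the policy name assumes the default role assignment policy is in use.

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2010).
# $role is a hypothetical name; $policy assumes the default policy name.
$role   = 'MyDistributionGroups-MembersOnly'
$policy = 'Default Role Assignment Policy'

# 1. Create a child role. It starts with every entry of the built-in parent.
New-ManagementRole -Name $role -Parent 'MyDistributionGroups'

# 2. Remove the cmdlets the post names, so owners cannot create or delete
#    groups or change the Active Directory side settings.
'New-DistributionGroup', 'Remove-DistributionGroup', 'Set-Group' |
    ForEach-Object {
        Remove-ManagementRoleEntry "$role\$_" -Confirm:$false
    }

# 3. Least privilege at parameter level: find every remaining entry that
#    still exposes -Alias and strip only that parameter from it.
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $_.Parameters -contains 'Alias' } |
    ForEach-Object {
        Set-ManagementRoleEntry "$role\$($_.Name)" `
            -Parameters Alias -RemoveParameter
    }

# 4. Replace the built-in role with the restricted one on the policy.
Get-ManagementRoleAssignment -Role 'MyDistributionGroups' -RoleAssignee $policy |
    Remove-ManagementRoleAssignment -Confirm:$false
New-ManagementRoleAssignment -Role $role -Policy $policy

# 5. Audit the result. Any entry returned by the first command still
#    exposes -Alias; the second lists what owners can actually run.
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $_.Parameters -contains 'Alias' }
Get-ManagementRoleEntry "$role\*" |
    Format-Table Name, Parameters -AutoSize -Wrap
```

Confirm the behaviour by signing in to OWA as a test group owner and checking that membership edits still save, since removing a parameter changes what the group management form is permitted to submit.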