Enable users to manage distribution groups without new- or remove- Cmdlets using Management roles
2011-11-09 Leave a Comment
In this post I will show you how to create a management role and assign it to a group. We will remove the New- and Remove- cmdlets from the Management Role and make sure that it works. This will enable the users to manage distribution groups without the permission to create or remove any distribution groups.
You might want to give the users permission to manage the groups they are managers of, without the possibility to create new groups or remove current groups. This gives you more controlled distribution group management, without new groups popping up. One customer of mine uses a distribution group administrator for each department who is instructed and responsible for the creation and removal of groups concerning that department's users.
The Management role
The first thing we need to do is to create a new Management Role. We do this since we do not want to edit a built-in management role. What we can do is base our new Management Role on one of the built-in Roles; by doing that we populate our new Role with the same Management Role Entries.
To create a new Management Role, use the following cmdlet:
New-ManagementRole -Name "MyDistributionGroupsAdmins" -Parent MyDistributionGroups
Next we will remove the New- and Remove- cmdlets from our new Management Role. But first we will check the cmdlets:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\New-*"
When we are sure that these cmdlets are the ones we want to remove, run the following cmdlet:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\New-*" | Remove-ManagementRoleEntry
We will do the same for the Remove- cmdlets:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\Remove-DistributionGroup"
We only want to remove one of the cmdlets:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\Remove-DistributionGroup" | Remove-ManagementRoleEntry
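The whole role-trimming procedure above as one re-runnable script, with a verification step at the end. This is an added example, not code from the original post; it assumes the Exchange Management Shell and the role name used in the post.

```powershell
# Added example (not from the original post): build the custom role from the
# built-in MyDistributionGroups role, strip the creation/removal cmdlets and
# verify that they are really gone. Role name as used in the post.
$RoleName = "MyDistributionGroupsAdmins"

# Create the role only if it does not already exist, so the script can be re-run.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent "MyDistributionGroups"
}

# Cmdlets the delegated managers must NOT have. Remove-DistributionGroupMember
# is deliberately left in place so managers can still remove members.
$Forbidden = @("New-DistributionGroup", "Remove-DistributionGroup")

foreach ($Cmdlet in $Forbidden) {
    $Entry = Get-ManagementRoleEntry "$RoleName\$Cmdlet" -ErrorAction SilentlyContinue
    if ($Entry) {
        # -Confirm:$false suppresses the prompt so the script can run unattended
        Remove-ManagementRoleEntry -Identity "$RoleName\$Cmdlet" -Confirm:$false
    }
}

# Verify: list what is left and warn if a forbidden entry survived.
$Remaining = Get-ManagementRoleEntry "$RoleName\*" | ForEach-Object { $_.Name }
$Leaked = $Remaining | Where-Object { $Forbidden -contains $_ }
if ($Leaked) {
    Write-Warning "Role $RoleName still contains: $($Leaked -join ', ')"
} else {
    Write-Output "Role $RoleName contains no group creation/removal cmdlets. Remaining entries:"
    $Remaining | Sort-Object
}
```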
Now we have a new Management Role without the New- and Remove- cmdlets. Next we want to assign the Role to our users in some way. I will explain three different ways of doing this.
Assignment using Management Role Group
When we use this method we will create a Role Group, add members and managers to the group and add our previously created Management Role to the Group. A Management Role Group also includes a Universal Security Group that is created during the process.
I am not going to go through exactly how Management Role Groups work; more information on this can be found here.
When creating the Role Group use the following command:
New-RoleGroup -Name "Distribution Group Managers" -Roles "MyDistributionGroupsAdmins" -Members Test10, Test11,Test12 -ManagedBy Test12
This creates a new Role Group, adds the users Test10 and Test11 as members and the user Test12 as manager. Test12 gets both the rights that the Role Group includes and the permission to manage the group.
To be able to confirm that our configuration works we need to create a Distribution Group and set user Test12 as owner, I use the following command to achieve this:
New-DistributionGroup -Name "Test Group 1000" -OrganizationalUnit "sundis.local/Test/users" -SAMAccountName "TestGroup1000" -Type "Distribution" -ManagedBy Test12
Now we can log on to the ECP as our manager, Test12 in my case, and see if our configuration works. Open ECP, log in and navigate to Groups. Select the group you want to manage in the right column Public Groups I Own and click Details or double click it.
Add a user by expanding Membership and click Add.
Select the mailboxes you want to add to the group, click Add and Ok.
Check that your changes look ok and then click Save.
You should now be back at ECP and our test is finished and successful.
Assignment using a new Management Role Assignment Policy
The second option I am going to explain is the use of a Management Role Assignment Policy. Using a policy enables you to group a number of Management Roles together into a policy and configure mailboxes to use this policy. Again, I will not do any deep dive into Management Role Assignment Policies; more information on this can be found here.
We will use the same Management Role as we created above and start by creating a new Policy. Note that we also include a role called MyBaseOptions. If we leave this role out it will prevent users who are assigned this policy from using ECP and OWA options. Use the cmdlet below to create the policy:
New-RoleAssignmentPolicy "Distribution Group Admins" -Roles MyBaseOptions, MyDistributionGroupsAdmins
If you want to make this Policy default add -IsDefault as in the following example:
New-RoleAssignmentPolicy "Distribution Group Admins" -Roles MyBaseOptions, MyDistributionGroupsAdmins -IsDefault
When the Policy is created you can add it to a mailbox with the following cmdlet:
Set-Mailbox Test10 -RoleAssignmentPolicy "Distribution Group Admins"
And a simple Get-Mailbox to check the results:
Get-Mailbox Test10 | fl Role*
Again, let's check this using the ECP for mailbox Test10. For this test I create a new Distribution Group called Test Group 1001 and add Test10 as manager using the following cmdlet:
New-DistributionGroup -Name "Test Group 1001" -OrganizationalUnit "sundis.local/Test/users" -SAMAccountName "TestGroup1001" -Type "Distribution" -ManagedBy Test10
In ECP, navigate to Groups. Select the group you want to manage in the right column Public Groups I Own and click Details or double click it.
Add a user by expanding Membership and click Add.
Select the mailboxes you want to add to the group, click Add and Ok.
Review the changes you have made and click Save when finished.
This will take you back to ECP and we are finished with this part.
Assignment by customizing the Default Management Role Assignment Policy
Last but not least we will add our Role to the Default Management Role Assignment Policy. To achieve this we create a new Management Role Assignment by running this cmdlet:
New-ManagementRoleAssignment -Name "Default Role Assignment Policy - MyDistributionGroupsAdmins" -Role MyDistributionGroupsAdmins -Policy "Default Role Assignment Policy"
Now all the mailboxes with the Default Role Assignment Policy configured will have the ability to manage the Distribution Groups they are managers for. Since I like screenshots I will make sure this is ok. First create a new Distribution Group:
New-DistributionGroup -Name "Test Group 1002" -OrganizationalUnit "sundis.local/Test/users" -SAMAccountName "TestGroup1002" -Type "Distribution" -ManagedBy Test11
Let's also make sure that the mailbox Test11 has the Default Role Assignment Policy set:
Get-Mailbox Test11 | fl Role*
Now we can log in to ECP and make sure that we can manage Test Group 1002. Select the group you want to manage in the right column Public Groups I Own and click Details or double click it.
Add a user by expanding Membership and click Add.
Select the mailboxes you want to add to the group, click Add and Ok.
Review the changes you have made and click Save when finished.
All done, the Default Policy is altered and tested.
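Whichever of the three assignment methods you pick, it is worth checking afterwards that nobody reaches New-DistributionGroup or Remove-DistributionGroup through some other role. The audit below is an added example, not code from the original post; it assumes the Exchange Management Shell and the test mailbox names used in the post, and it compares each mailbox's RoleAssignmentPolicy name against policy-type assignees (role group membership shows up in the first table's RoleAssigneeName column).

```powershell
# Added example (not from the original post): find every enabled assignment of a
# role that still contains the stripped cmdlets, then cross-check the post's test
# mailboxes against their assignment policy.
$Cmdlets   = @("New-DistributionGroup", "Remove-DistributionGroup")
$Mailboxes = @("Test10", "Test11", "Test12")   # test users from the post

# 1. Every enabled assignment of a role that still includes one of the cmdlets.
#    Get-ManagementRole -Cmdlet returns all roles whose entries contain it.
$Assignments = foreach ($Cmdlet in $Cmdlets) {
    foreach ($Role in (Get-ManagementRole -Cmdlet $Cmdlet)) {
        Get-ManagementRoleAssignment -Role $Role.Name -Enabled $true |
            Select-Object @{n="Cmdlet"; e={ $Cmdlet }}, Role, RoleAssigneeType, RoleAssigneeName
    }
}
$Assignments | Sort-Object Cmdlet, Role | Format-Table -AutoSize

# 2. Cross-check each test mailbox's assignment policy against that list.
foreach ($Mbx in $Mailboxes) {
    # RoleAssignmentPolicy is the property shown by "Get-Mailbox | fl Role*" above
    $Policy = "$((Get-Mailbox -Identity $Mbx).RoleAssignmentPolicy)"
    $Hits = $Assignments | Where-Object {
        $_.RoleAssigneeType -eq "RoleAssignmentPolicy" -and $_.RoleAssigneeName -eq $Policy
    }
    if ($Hits) {
        $Which = ($Hits | ForEach-Object { $_.Cmdlet } | Sort-Object -Unique) -join ", "
        Write-Warning "$Mbx (policy '$Policy') can still run: $Which"
    } else {
        Write-Output "$Mbx (policy '$Policy'): no group create/remove cmdlets via policy"
    }
}
```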
I hope you like the post and find it useful. Thanks for reading and let me know if you have any questions!
