How To Quickly Manage Groups With Groups In Exchange 2010
Article by Matt Abraham, Microsoft Premier Field Engineer.
A common issue with Exchange 2010 is that you are unable to allow a Distribution list to be managed by a “group”. This was changed by design in Exchange 2010 to allow greater separation of Active Directory and Exchange management using Split Permissions, a feature that a number of our customers asked for. A great workaround was created which enumerates a group and adds each member into the “Managed By” list in Exchange.This works brilliantly, but has some limitations. The main limitation is that after a Security Group’s membership is updated, either an Administrator has to run the Mode3 switch of the script, or a period of time has to pass until the script runs in Mode3 as a scheduled task.
For some users, this isn’t fast enough. There is however another way to achieve this.
You can use RBAC to create a security group that is allowed to manage permissions on a distribution group. By doing this, the membership is updated immediately, and any member of the security group will be able to manage the distribution group without waiting for the “managed by” attribute to be updated. There are a few limitations to this as well, which I will describe in a moment.
Let’s start by thinking what happens when a user tries to manage a Distribution List.
When Outlook attempts to make changes, these changes are sent to a CAS 2010 server (via the Address Book Service). The Address Book service will then run the corresponding PowerShell cmdlet (such as Add-DistributionGroupMember) based on the RBAC rights of the user making the change. If the user doesn’t have the correct RBAC rights, the command fails, and the error above is given.
So, an alternative method is to ensure that the user does have the correct rights.
The first step is to create a customised version of the MyDistributionGroups management role, with which we can scope with a management scope. To do this, we can take the “Distribution Groups” role group, and remove any unneeded commands.
This allows the MyDistManagers role to closely mirror the the MyDistributionGroups role. If we left these commands in place then the users would have greater permissions than we intended. Whilst this will not affect their abilities in Outlook, if they were to run Powershell, and connect to the Exchange environment, they may be able to do a lot more than we intended (such as deleting the distribution group).
get-managementrole "Distribution Groups" | New-ManagementRole "MyDistManagers"
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Disable-distributionGroup"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "enable-distributionGroup"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Get-ADServerSettings"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Get-AcceptedDomain"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Get-DomainController"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Get-DynamicDistributionGroup"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Get-MailUser"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Get-Mailbox"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Get-OrganizationalUnit"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Get-ResourceConfig"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Get-User"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "New-DistributionGroup"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "New-DynamicDistributionGroup"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Remove-DistributionGroup"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Remove-DynamicDistributionGroup"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Set-ADServerSettings"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Set-OrganizationConfig"} | remove-managementroleentry -confirm:$false
get-managementrole "MyDistManagers" | get-managementroleentry | where {$_.name -like "Write-AdminAuditLog"} | remove-managementroleentry -confirm:$false
This results in a new Management Role, which has the required management role entries to operate the Outlook Dialog box to add/remove distribution group members.
Now we need to do two more things to begin to manage Groups with Groups.
The first is to create a Management Scope, which will limit any permissions to a specific subset of objects. As we want to manage a Distribution Group, we can create a scope based on this group
For instance, we want to create a scope to manage the “Distribution@Company.com” distribution list. We can run the following command:
New-ManagementScope –Name “Scope to Manage Distribution@company.com” –recipientRestrictionFilter {PrimarySMTPAddress –eq Distribution@company.com}
We have our scope, so now we can join our Management Role with our management scope to allow another group “Managers@company.com” to manage this distribution group:
New-ManagementRoleAssignment -name "Group to manage Distribution@Company.com" -SecurityGroup Managers@company.com -role "MyDistManagers" -customrecipientwritescope "Scope to manage Distribution@company.com"
And now, members of “Managers@company.com” are allowed to manage the membership of Distribution@company.com using Outlook, and any changes to Managers@company.com will be reflected as soon as AD replication is complete, rather than after the Mode3 script has been run .
Please be aware that this method of managing groups has been tested only in my test lab, and as such should be thoroughly tested before use in your production environments. If you have a large number of groups, I would still suggest using the “Official” method from the Exchange Team Blog above. But, for a small number of groups that “have” to be manageable quickly, this is certainly an alternative that should work.
Plus, it’s a great way to think about how RBAC works under the hood!!