Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
By default, all users in your Microsoft Exchange Server 2010 organization can create and manage distribution groups from their e-mail client. There are several ways to turn off a user's ability to create or manage distribution groups:
- Create an assignment policy and assign it to the users who shouldn't be allowed to create or manage distribution groups.
- Remove the My Distribution Groups and the My Distribution Group Membership roles from the default management role assignment policy.
The procedures in this topic assume that you haven't changed the name of the My Distribution Groups and My Distribution Group Membership management roles.
Looking for other management tasks related to distribution groups? Check out Managing Distribution Groups.
Prerequisites
Use the Shell to create a role assignment policy to apply to specific users
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note: You can't use the EMC to create a role assignment policy to apply to specific users.
You can create a policy that doesn't contain the My Distribution Groups and My Distribution Group Membership roles and apply that policy to specific users in your organization. Those users won't be able to create or manage distribution groups.
- Create a role assignment policy. This example creates the policy No Distribution Group Management.
New-RoleAssignmentPolicy "No Distribution Group Management"
- Use a variable to get all of the roles assigned to the default role assignment policy.
$Roles = Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy"
Note: The default role assignment policy that's installed with Exchange 2010 is named Default Role Assignment Policy. If you change the name of that policy or if you have a different default policy, you can locate the default policy by running the following command.
Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }
- Add all of the roles assigned to the default assignment policy to the new role assignment policy, excluding the ones that contain the word distribution.
$Roles | Where {$_.Role -NotLike "*Distribution*" } | New-ManagementRoleAssignment -Policy "No Distribution Group Management"
- Apply the No Distribution Group Management assignment policy to the appropriate users. This example applies the No Distribution Group Management role assignment policy to all mailboxes that have the CustomAttribute1 value set to Contract Employee.
Get-Mailbox -Filter {CustomAttribute1 -eq "Contract Employee"} | Set-Mailbox -RoleAssignmentPolicy "No Distribution Group Management"
For detailed syntax and parameter information, see the following topics:
Use the Shell to remove the My Distribution Groups and the My Distribution Group Membership roles from the default management role assignment policy
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.
Note: You can't use the EMC to remove the My Distribution Groups and the My Distribution Group Membership roles from the default management role assignment policy.
Removing the My Distribution Groups and My Distribution Group Membership roles from the default role assignment policy is the easiest way to remove this permission from most users in your organization. However, this doesn't affect recipients who have been assigned a different role assignment policy.
Note: By creating a default role assignment policy, you can save the master settings and create additional policies from it.
- Create a role assignment policy. This example creates the policy No Distribution Group Management.
New-RoleAssignmentPolicy "No Distribution Group Management"
- Use a variable to get all of the roles assigned to the Default Role Assignment Policy.
$Roles = Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy"
Note: The default role assignment policy that's installed with Exchange 2010 is named Default Role Assignment Policy. If you change the name of that policy or if you have a different default policy, you can locate the default policy by running the following command.
Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }
- Add all of the roles assigned to the default assignment policy to the new role assignment policy, excluding the ones that contain the word distribution.
$Roles | Where {$_.Role -NotLike "*Distribution*" } | New-ManagementRoleAssignment -Policy "No Distribution Group Management"
- Make the new role assignment policy the default policy so that it will apply to all users in the organization.
Set-RoleAssignmentPolicy "No Distribution Group Management" -IsDefault
- Rename the old default role assignment policy to something more appropriate. This example renames it Old_Default Role Assignment Policy.
Set-RoleAssignmentPolicy "Default Role Assignment Policy" -Name "Old_Default Role Assignment Policy"
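Changing the default policy doesn't affect recipients who have been assigned a different role assignment policy, and the first procedure only covers mailboxes that matched its filter. The following audit is an added example, not part of the original topic: it reports which policies still hold a distribution group role and how many mailboxes use each one. The function name is hypothetical, and the script assumes a mailbox's RoleAssignmentPolicy value renders as the policy name.

```powershell
# Added example for the Exchange Management Shell (PowerShell 2.0 compatible).
# Get-DistributionGroupRoleExposure is a hypothetical helper name, not an
# Exchange cmdlet.
function Get-DistributionGroupRoleExposure {
    # Read every mailbox once; compared against each policy below.
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited)

    foreach ($policy in @(Get-RoleAssignmentPolicy)) {
        # Roles on this policy matched by the same "*Distribution*" pattern
        # the procedures use to exclude roles.
        $dgRoles = @(Get-ManagementRoleAssignment -RoleAssignee $policy.Name |
            Where-Object { $_.Role -like "*Distribution*" } |
            ForEach-Object { "$($_.Role)" })

        # Assumption: a mailbox's RoleAssignmentPolicy renders as the policy name.
        $assigned = @($mailboxes |
            Where-Object { "$($_.RoleAssignmentPolicy)" -eq $policy.Name })

        New-Object PSObject -Property @{
            Policy            = $policy.Name
            IsDefault         = $policy.IsDefault
            MailboxCount      = $assigned.Count
            DistributionRoles = ($dgRoles -join ", ")
        }
    }
}

# Policies that still grant a distribution group role to at least one mailbox.
Get-DistributionGroupRoleExposure |
    Where-Object { $_.DistributionRoles -and $_.MailboxCount -gt 0 } |
    Select-Object Policy, IsDefault, MailboxCount, DistributionRoles

# Mailboxes matching the first procedure's filter that are not on the new policy.
Get-Mailbox -ResultSize Unlimited -Filter {CustomAttribute1 -eq "Contract Employee"} |
    Where-Object { "$($_.RoleAssignmentPolicy)" -ne "No Distribution Group Management" } |
    Select-Object Name, RoleAssignmentPolicy
```

If both queries return nothing, no mailbox is assigned a policy that holds a distribution group role, and every mailbox matching the filter is on the restricted policy.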
For detailed syntax and parameter information, see the following topics: