Applies to: Exchange Server 2010 SP3
Topic Last Modified: 2012-03-07
Microsoft Exchange Server 2010 provides a new feature to manage distribution groups. This feature lets your users join existing groups, manage some of the properties of groups that they own, manage their membership in groups that they own, and even create and remove groups.
Manage Distribution Groups
Microsoft Exchange Server 2010 now offers users the ability to manage distribution groups with more control than that provided by Microsoft Office Outlook 2007. This new feature lets your users join existing groups, manage some of the properties of groups that they own, manage membership in groups that they own, and even create and remove groups.
By default, this feature is turned off. To turn on this feature, use the Exchange Control Panel (ECP) to assign the MyDistributionGroups RBAC role to the Default Role Assignment Policy.
Although some customers want their users to be able to create and remove distribution groups through this role, the control that this new feature offers may be more than you want to give the users on your network.
For example, you may want to modify the functionality of this feature to meet any of the following goals:
- Let users manage distribution groups they own.
- Prevent users from creating distribution groups.
- Prevent users from removing distribution groups, including those that they own.
To help you change the functionality of the new feature, use the Manage-GroupManagementRole.ps1 script. This script is available from the TechNet Script Center. To use this script, follow these steps:
- Obtain the script by visiting the following TechNet Script Center Web site: Manage-GroupManagementRole.ps1.
- Copy the contents of the script to a text file on the computer on which you want to run it, and then save the file by using the following filename: Manage-GroupManagementRole.ps1.
- At an Exchange PowerShell command prompt, run the following command: .\Manage-GroupManagementRole.ps1 -creategroup -removegroup
This combination of switches makes the changes that are described in the example mentioned earlier. When the script is finished running, your users will be able to manage distribution groups, but not create or remove them. When you run the script, the script performs the following actions:
- Creates a new RBAC role that is a child of the MyDistributionGroups Role.
- Removes the remove-distributiongroup cmdlet and the new-distributiongroup cmdlet from the role that you just created.
- Assigns the new role to the Default Role Assignment Policy.
For more information about how to use this script, examine the contents of the script file. Or, run the script without switches. Each step that the script takes is documented in the script. You can extract from the script just what you require to change the functionality of the manage distribution groups feature. The script is designed to be flexible. If you run the script by using the default settings, you get a new role and a new role assignment.
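The three actions listed above can also be carried out by hand in the Exchange Management Shell. The following is an added example, not the contents of Manage-GroupManagementRole.ps1; the child role name is hypothetical. It ends with a check that the unrestricted parent role is not still assigned to the policy, because that assignment would keep the create and remove cmdlets available to users.

```powershell
# Added example; not the contents of Manage-GroupManagementRole.ps1.
# Run in the Exchange Management Shell. $child is a hypothetical role name.
$parent  = "MyDistributionGroups"
$policy  = "Default Role Assignment Policy"
$child   = "MyDistributionGroups-NoCreateRemove"
$blocked = "New-DistributionGroup", "Remove-DistributionGroup"

# 1. Create the child role; it starts with every entry of the parent.
if (-not (Get-ManagementRole $child -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $child -Parent $parent | Out-Null
}

# 2. Remove the create/remove cmdlets from the child role only.
foreach ($cmdlet in $blocked) {
    if (Get-ManagementRoleEntry "$child\$cmdlet" -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry "$child\$cmdlet" -Confirm:$false
    }
}

# 3. Assign the child role to the policy if it is not assigned yet.
if (-not (Get-ManagementRoleAssignment -Role $child -RoleAssignee $policy)) {
    New-ManagementRoleAssignment -Role $child -Policy $policy | Out-Null
}

# 4. Verify the result instead of trusting that the steps succeeded.
$left = @(Get-ManagementRoleEntry "$child\*" |
    Where-Object { $blocked -contains $_.Name })
if ($left.Count -gt 0) {
    Write-Warning "Blocked cmdlets still present in $child"
}

# The parent role grants both cmdlets. If it is also assigned to the
# policy, users keep the ability to create and remove groups.
$parentAssigned = @(Get-ManagementRoleAssignment -Role $parent -RoleAssignee $policy)
if ($parentAssigned.Count -gt 0) {
    Write-Warning "$parent is still assigned to '$policy'; review that assignment"
}
```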
How to Use Groups to Manage Groups in Exchange 2010
In Exchange 2010, distribution groups cannot be managed by groups; only individual users can manage groups. This behavior differs from Microsoft Exchange Server 2003, in which you use groups to manage a distribution group. In Exchange 2003, group ownership is handled at a different level. If you move mailboxes from Exchange 2003 to Exchange 2010, members of a group that managed a distribution group in Exchange 2003 can no longer modify the group in Exchange 2010.
The Set-DistributionGroupOwners.ps1 script lets you work around this changed behavior. The script enables you to simulate group ownership of a distribution group in Exchange 2010.
You can run the script in the following modes, depending on the switches that you use together with the script.
- Mode 1: Set Ownership for a particular distribution group. Modifications to the ManagedBy attribute are not set at this time. Instead, the script modifies a custom attribute to obtain the information it will require later to set the ManagedBy attribute.
- Mode 2: Modify the ManagedBy attribute of a specific distribution group so that the members of either a security group or a distribution group can manage the group.
- Mode 3: Automate the process. This mode is designed to be run as a scheduled task and to make sure that individual members of a group have ownership of the distribution group that they are set to own. Use this mode if you prefer to automate the process and, perhaps, run it nightly to find any changes to security group and distribution group membership.
Important: Windows Server 2008 R2 is required to run the Set-DistributionGroupOwners.ps1 script. The script does not have to be run on a server that’s running Exchange Server. However, the Exchange management tools must be installed on the computer on which you run the script.
To run the Set-DistributionGroupOwners.ps1 script, follow these steps:
- Visit the Script Center, and then download Set-DistributionGroupOwners.txt from the following Web page: Set-DistributionGroupOwners.
- Change the file name extension from .txt to .ps1. The filename should now be Set-DistributionGroupOwners.ps1.
- By default, the script populates the CustomAttribute5 field by using the Distinguished Name (DN) of the group. The DN is specified in the ManagedBy attribute of the distribution group that you want to manage. You can change the default behavior to use one of the 15 custom attributes in the default schema. Determine which custom attribute works in your environment. To change the custom attribute, follow these steps:
  - Open the Set-DistributionGroupOwners.ps1 file in Notepad.
  - Locate the following text: $dn_storage ="CustomAttribute5".
  - Change CustomAttribute5 to the custom attribute that you want to use.
  - Save and then close the Set-DistributionGroupOwners.ps1 file.
- Determine which of the following modes you want to use to run the script.
  - Mode 1 - Set Ownership of a Group: In this mode, run the script together with the -DistributionGroup and -GroupOwner parameters. Specify the distribution group (-DistributionGroup) and the group that you want to manage it (-GroupOwner). This sets the custom attribute of the distribution group (as specified in -DistributionGroup) to the DN of the owning group (as specified in -GroupOwner).
  - Mode 2 - Modify the ManagedBy attribute for one Group: Mode 2 or Mode 3 don’t work until you set the value of the custom attribute to the DN of the owning group. If you have already run the script in Mode 1, Mode 2 configures the ManagedBy attribute for a single group. To run the script in Mode 2, specify only the -DistributionGroup parameter, and list the DL that you want to have processed.
  - Mode 3 - Run the Script as a Scheduled Task to look for all new modifications to Group Ownership: When you run the script without switches, the script searches the directory in Active Directory Domain Services for all groups that have the defined custom attribute set to a DN. Then, it processes all the groups as in Mode 2. The script is designed to be run in this mode as either a one-off kind of operation for which you know updates are needed or as a scheduled task to keep everything in sync. A key point is that when the script populates the ManagedBy attribute, it overwrites the existing values by using the current members of the owning group.
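Because Mode 2 and Mode 3 overwrite ManagedBy from whatever DN the custom attribute holds, it helps to see which owners a run would add or remove before anything is written. The following is an added example of that logic, not the contents of Set-DistributionGroupOwners.ps1. It assumes the ActiveDirectory module is available and that the owning group's members are mailbox or mail users; the function name and the -Apply switch are hypothetical.

```powershell
# Added example; not the contents of Set-DistributionGroupOwners.ps1.
# Assumes the Exchange Management Shell plus the ActiveDirectory module.
Import-Module ActiveDirectory
$dn_storage = "CustomAttribute5"   # attribute name taken from the page

function Sync-GroupOwners {        # hypothetical helper name
    param([Parameter(Mandatory = $true)] $Group, [switch] $Apply)

    $ownerDn = $Group.$dn_storage
    if (-not $ownerDn) { return }

    # The attribute is free text: accept it only if it resolves to a group.
    try { $owner = Get-ADGroup -Identity $ownerDn -ErrorAction Stop }
    catch {
        Write-Warning "$($Group.Name): '$ownerDn' is not a group DN; skipped"
        return
    }

    # Only individual users can own a group, so expand nested groups.
    # Assumption: these users are mailbox or mail users.
    $new = @(Get-ADGroupMember -Identity $owner -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.DistinguishedName })
    if ($new.Count -eq 0) {
        Write-Warning "$($Group.Name): owning group has no users; ManagedBy unchanged"
        return
    }

    $old     = @($Group.ManagedBy | ForEach-Object { $_.DistinguishedName } | Where-Object { $_ })
    $added   = @($new | Where-Object { $old -notcontains $_ })
    $removed = @($old | Where-Object { $new -notcontains $_ })
    if (($added.Count + $removed.Count) -eq 0) { return }

    if ($Apply) {
        # Overwrites the existing owners, as the page describes.
        Set-DistributionGroup -Identity $Group.DistinguishedName -ManagedBy $new `
            -BypassSecurityGroupManagerCheck
    }
    # One record per changed group, suitable for an audit log.
    New-Object PSObject -Property @{
        Group = $Group.Name; OwningGroup = $owner.DistinguishedName
        Added = $added; Removed = $removed; Applied = [bool]$Apply
    }
}

# Mode 3 style sweep, report only. Add -Apply to write the changes.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.$dn_storage } |
    ForEach-Object { Sync-GroupOwners -Group $_ }
```

Anyone who can write the chosen custom attribute on a distribution group, or change the membership of the owning group, decides who receives ownership on the next run, so both are worth restricting and monitoring.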
For more information about custom attributes, see Understanding Custom Attributes.
For more information about managing distribution groups, see Managing Distribution Groups.