Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

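By default, all users in your Microsoft Exchange Server 2010 organization can create and manage distribution groups from their e-mail client. There are several ways to turn off a user's ability to create or manage distribution groups. This topic describes two of them: creating a role assignment policy to apply to specific users, and removing the My Distribution Groups and My Distribution Group Membership roles from the default role assignment policy.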

The procedures in this topic assume that you haven't changed the name of the My Distribution Groups and My Distribution Group Membership management roles.

Looking for other management tasks related to distribution groups? Check out Managing Distribution Groups.

Prerequisites

Use the Shell to create a role assignment policy to apply to specific users

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note:
You can't use the EMC to create a role assignment policy to apply to specific users.

You can create a policy that doesn't contain the My Distribution Groups and My Distribution Group Membership roles and apply that policy to specific users in your organization. Those users won't be able to create or manage distribution groups.

  1. Create a role assignment policy. This example creates the policy No Distribution Group Management.

    New-RoleAssignmentPolicy "No Distribution Group Management"
    
  2. Use a variable to get all of the roles assigned to the default role assignment policy.

    $Roles = Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy"
    
    Note:
    The default role assignment policy that's installed with Exchange 2010 is named Default Role Assignment Policy. If you change the name of that policy or if you have a different default policy, you can locate the default policy by running the following command.

    Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }

  3. Add all of the roles assigned to the default assignment policy to the new role assignment policy, excluding the ones that contain the word distribution.

    $Roles | Where {$_.Role -NotLike "*Distribution*" } | New-ManagementRoleAssignment -Policy "No Distribution Group Management"
    
  4. Apply the No Distribution Group Management assignment policy to the appropriate users. This example applies the No Distribution Group Management role assignment policy to all mailboxes that have the CustomAttribute1 value set to Contract Employee.

    Get-Mailbox -Filter {CustomAttribute1 -eq "Contract Employee"} | Set-Mailbox -RoleAssignmentPolicy "No Distribution Group Management"
    


Use the Shell to remove the My Distribution Groups and the My Distribution Group Membership roles from the default management role assignment policy

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note:
You can't use the EMC to remove the My Distribution Groups and the My Distribution Group Membership roles from the default management role assignment policy.

Removing the My Distribution Groups and My Distribution Group Membership roles from the default role assignment policy is the easiest way to remove this permission from most users in your organization. However, this doesn't affect recipients who have been assigned a different role assignment policy.

Note:
  By creating a default role assignment policy, you can save the master settings and create additional policies from it.
  1. Create a role assignment policy. This example creates the policy No Distribution Group Management.

    New-RoleAssignmentPolicy "No Distribution Group Management"
    
  2. Use a variable to get all of the roles assigned to the Default Role Assignment Policy.

    $Roles = Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy"
    
    Note:
    The default role assignment policy that's installed with Exchange 2010 is named Default Role Assignment Policy. If you change the name of that policy or if you have a different default policy, you can locate the default policy by running the following command.

    Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }

  3. Add all of the roles assigned to the default assignment policy to the new role assignment policy, excluding the ones that contain the word distribution.

    $Roles | Where {$_.Role -NotLike "*Distribution*" } | New-ManagementRoleAssignment -Policy "No Distribution Group Management"
    
  4. Make the new role assignment policy the default policy so that it will apply to all users in the organization.

    Set-RoleAssignmentPolicy "No Distribution Group Management" -IsDefault
    
  5. Rename the old default role assignment policy to something more appropriate. This example renames it Old_Default Role Assignment Policy.

    Set-RoleAssignmentPolicy "Default Role Assignment Policy" -Name "Old_Default Role Assignment Policy"
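Because changing the default policy doesn't affect recipients who already have a different role assignment policy, it is worth auditing the result of either procedure. The following check is an added example, not part of the original topic; it assumes the role names still contain the word Distribution and that a mailbox's RoleAssignmentPolicy value renders as the policy name.

```powershell
# Added example: audit which policies and mailboxes can still create or
# manage distribution groups. Run in the Exchange Management Shell.
# Assumption: role names have not been changed and still contain "Distribution".

# 1. Find every role assignment policy that still carries a distribution group role.
$PoliciesWithDG = foreach ($Policy in Get-RoleAssignmentPolicy) {
    $Hits = @(Get-ManagementRoleAssignment -RoleAssignee $Policy.Name |
        Where-Object { $_.Role -like "*Distribution*" })
    if ($Hits.Count -gt 0) {
        New-Object PSObject -Property @{
            Policy    = $Policy.Name
            IsDefault = $Policy.IsDefault
            Roles     = ($Hits | ForEach-Object { [string]$_.Role }) -join ", "
        }
    }
}

# An empty table here means no policy grants the distribution group roles.
$PoliciesWithDG | Format-Table Policy, IsDefault, Roles -AutoSize

# 2. List the mailboxes that are still assigned one of those policies.
# Assumption: the RoleAssignmentPolicy property converts to the policy name.
$Names = @($PoliciesWithDG | Where-Object { $_ } | ForEach-Object { $_.Policy })

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $Names -contains [string]$_.RoleAssignmentPolicy } |
    Sort-Object RoleAssignmentPolicy, Name |
    Format-Table Name, RoleAssignmentPolicy -AutoSize
```

Mailboxes listed in the second table keep the ability to create or manage distribution groups until they are assigned a policy without those roles, for example with Set-Mailbox -RoleAssignmentPolicy as shown in the first procedure.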
    
