Recently, we moved from a 2007 to a 2010 environment.
After the migration, we found that DL owners could not modify the members of a DL. It shows the following error message.
We checked and found that permissions had nothing to do with it, as it was working fine before the migration.
The solution to the above problem is the Role Assignment Policy.
The default policy in 2010 does not allow users to modify membership, even if the user is the owner of the DL.
You can either change the existing Role Assignment Policy or create a new assignment policy and assign it to all DL owners in the organization. You need to use Exchange PowerShell or ECP to achieve this.
Log in to ECP using an admin account. Change the default role assignment policy to include "MyDistributionGroups" (Roles & Auditing > User Roles).
Now the owner can change membership.
This permission also allows users to create new DLs through ECP, which is not desirable in some organizations. What if only the permission to modify members is required?
You need to use PowerShell for this.
We will create a new management role with modified permissions suitable for the organization and assign it to the default policy.
1) Find the default role assignment policy.
Use the command below:
Get-RoleAssignmentPolicy | where { $_.IsDefault -like "True" }
2) Create a new management role:
We will make use of the built-in management role "MyDistributionGroups" and modify its role entries. Get the default role entries of "MyDistributionGroups".
Here, the first column shows the role entries, some of which are not required.
Use the command below to create the new management role:
New-ManagementRole -Name "NewDistributionGroups" -Parent "MyDistributionGroups"
The new management role will inherit all role entries of "MyDistributionGroups".
To allow users to modify membership, only Add-DistributionGroupMember and Remove-DistributionGroupMember are required, so we need to remove all other role entries.
Remove the excess role entries using the command below (with -WhatIf it only reports what would be removed):
Get-ManagementRoleEntry "NewDistributionGroups\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry -WhatIf
To actually make the change, run the command without -WhatIf:
Get-ManagementRoleEntry "NewDistributionGroups\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry
Likewise, use the same command to remove all other unwanted role entries.
After removing the excess role entries, confirm the changes in "NewDistributionGroups".
Now add the management role "NewDistributionGroups" to the Default Role Assignment Policy.
Use the command below:
New-ManagementRoleAssignment -Role "NewDistributionGroups" -Policy "Default Role Assignment Policy"
After this, users will be able to change the membership of Distribution Groups they own.