Giving Permissions to specific Distribution Group management for department secretary
Dear ALL
In our Exchange 2010 environment we have multiple departmental distribution groups.
We plan to give management of these distribution group members to each departmental secretary.
How can we achieve this?
Kindly help
Ashraf
All very valid points!
The one thing I'd ask you to think about is whether or not you should change the default role assignment policy. If this is for a handful of users, create a new Role Assignment policy, tweak that (using the steps below) and then assign your new one to these users that need to manage the DGs.
http://blogs.technet.com/b/rmilne/archive/2013/08/09/allow-users-to-manage-distribution-groups-without-creating-new-ones.aspx
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog: http://blogs.technet.com/rmilne
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
Similar Messages
-
Hello.
I began with the DPS. Is it possible to publish a magazine for a limited, specific target group? For example, in one department of a large company?
Or to the responsible for various services? If so, how should I do? Thank you for your help.
Short answer is yes.
Click the request for consultation link in Digital Publishing Suite Help | DPS pricing options to receive a price estimate for the DPS license your project. -
Distribution Group manager can't modify group
Setup
MS Exchange 2010 version 14.3 (Build 123.4)
Distribution Group is a Mail Universal Distribution which has less than 20 members total
There are three managers in the "Managed By" listing. Of these two can modify the list, the third cannot. When the third manager tries to modify the list they get the following error:
The Public Group cannot be displayed. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
Note: The user is connected to the Exchange environment as evidenced by the "Connected to Microsoft Exchange" in the lower right portion of his Outlook 2010 window. He is also hardwired into the network, i.e. no wireless connection. He tried going in through OWA and got the same error as above.
Any ideas on what I can check to see why this manager cannot modify the list whereas the other two can?
nc
Hi ncouch55,
If there are multiple GCs in organization, We could refer to the following link to choose the closest GC for the specific user:
1). Click Start, and then click Run.
2). In the Open box, type regedit.exe, and then click OK.
3). Locate and then click the following key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider
Note You may have to create the registry path.
4). On the Edit menu, click Add Value, and then add the following registry value:
Value name: GC Server
Data type: REG_SZ (string)
Value data: the FQDN of the closest GC server
5). Quit Registry Editor.
If the issue persist, we could clear manager on distribution group and re-grant permission to three manager.
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim -
Custom Distribution Group management role (manager exception)
My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have sufficient permissions. this operation can only be performed by a manger of the group”.
New-ManagementScope -Name “Sales Support DG MScope” -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot “lab.com/sales”
New-ManagementRole -name “Sales Support DG MRole” -Parent "Distribution Groups"
New-RoleGroup -name “Sales Support DG MGroup” -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
Below confirms by scope.
Get-Group -OrganizationalUnit “lab.com/sales” | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
Name DisplayName SamAccountName GroupType
distro1 distro1 distro1 Universal, SecurityEnabled
distro2 distro2 distro2 Universal, SecurityEnabled
distro3 distro3 distro3 Universal, SecurityEnabled
On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
Name
Add-DistributionGroupMember
Disable-DistributionGroup
Enable-DistributionGroup
Get-ADServerSettings
Get-AcceptedDomain
Get-DistributionGroup
Get-DistributionGroupMember
Get-DomainController
Get-DynamicDistributionGroup
Get-Group
Get-MailUser
Get-Mailbox
Get-OrganizationalUnit
Get-Recipient
Get-ResourceConfig
Get-User
New-DistributionGroup
New-DynamicDistributionGroup
Remove-DistributionGroup
Remove-DistributionGroupMember
Remove-DynamicDistributionGroup
Set-ADServerSettings
Set-DistributionGroup
Set-DynamicDistributionGroup
Set-Group
Set-OrganizationConfig
Update-DistributionGroupMember
Write-AdminAuditLog
Hello,
I understand that you have create custom management scope for each group and assigned a custom role to it.
But whenever user try to edit (add/remove membership ) ,it shows errors "you dont have sufficient permissions". I face similar problem when we move from 2007 to 2010, 2010 by default disabled editing options for Dl membership.
You can enable it by Graphic mode or powershell. Would suggest that you have created custom role, you follow powershell mode. I had written a blog on that.
Check below link. http://exchange2010cmd.blogspot.de/
You have created new management role “Sales Support DG MRole”, but you need to assign this role to users/administrators in your case through role assignment policy.
You can either use existing default policy or create new policy and assign this management role to it.
Use below cmd: New-ManagementRoleAssignment -Role “Sales Support DG MRole” –Policy “Default Role Assignment Policy”
NOTE: If you are creating new policy , place that name instead of default policy name".
I recommend you continue with default policy. After this check with any admin, he should have rights to edit membership.
Now, regarding your second concern, that your custom role has too many role entries.
You can remove unwanted role entries.
Use this cmd: Get-ManagementRoleEntry “Sales Support DG MRole\*” | where{ $_.name –like “Set-distributionGroup” } | remove-managementroleentry
Before linking management role to email policy, remove unwanted role entry from role.
I tried to explain it in easy way, but if it is still not understood, write back to me. I am new to technet forum, I started few days back replying to questions. If you get your answer, don't forget to propose it as answer. -
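An added example (not code from the thread) for the asker's side note about the role carrying more cmdlets than the support group needs: it trims the custom role to an allow list instead of removing entries one by one. The allow list is an assumption about what a membership editor needs; the role name is the one from the question. It does not change the manager check behind the OWA error.

```powershell
# Added example: reduce a role copied from "Distribution Groups" to the
# cmdlets needed to look up groups and edit their membership.
# Run in the Exchange Management Shell with rights to edit management roles.

$roleName = 'Sales Support DG MRole'   # role name used in the question
$apply    = $false                     # leave $false to preview with -WhatIf

# Assumed allow list: read-only lookups plus the three membership cmdlets.
$keep = @(
    'Get-DistributionGroup',
    'Get-DistributionGroupMember',
    'Get-Group',
    'Get-Recipient',
    'Get-Mailbox',
    'Get-MailUser',
    'Get-User',
    'Get-OrganizationalUnit',
    'Add-DistributionGroupMember',
    'Remove-DistributionGroupMember',
    'Update-DistributionGroupMember'
)

# Only custom (child) roles should be trimmed; built-in roles have no parent.
$role = Get-ManagementRole $roleName
if (-not $role.Parent) {
    throw "'$roleName' has no parent role; refusing to edit a built-in role."
}

# Every entry whose cmdlet name is not on the allow list gets removed.
$entries = @(Get-ManagementRoleEntry "$roleName\*")
$remove  = @($entries | Where-Object { $keep -notcontains $_.Name })

Write-Host ("{0} entries on the role, {1} to remove" -f $entries.Count, $remove.Count)

foreach ($entry in $remove) {
    $id = "$roleName\$($entry.Name)"
    if ($apply) {
        Remove-ManagementRoleEntry -Identity $id -Confirm:$false
    } else {
        Remove-ManagementRoleEntry -Identity $id -WhatIf
    }
}

# Show what is left so the result can be reviewed before the role is assigned.
Get-ManagementRoleEntry "$roleName\*" |
    Sort-Object Name |
    Format-Table Name, Parameters -AutoSize
```

Removing `Set-DistributionGroup` also removes the ability to edit group properties such as the description, so add it back to `$keep` if that is wanted.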
I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
What could be the problem, considering the items below :
- inheritance is not broken to the level of the distribution group object
- the account used to run the cmdlet is a member of the Organization Management group
- creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties)
shows no differences.
- adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
- there is no Deny permission on the group's ACL
- the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues
Anyone ever come up with a solution to this? I get something similar when Activesync tries to create objects on user containers.
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
Details:%3
So...I get this after I introduced a MS Exchange 2010 SP3 RU8 server into my environment. You can find LOTS of people suggesting the same fix but I've not found anything that deviates from those fixes: check the "inherit permissions",
and give full permis to msExchActiveSync devices for the Exchange Servers security group, blah blah.
I got to this point by following a Migrate to Exch2010 paper by MS. I have no Win2k servers, my old Exchange server is Win2003r2SP2 with Exch2003SP2 fully patched. The Exch server is also a DC. I installed a new 2012r2 server and then patched
it. Installed Exch2010SP3Ru8 and all seems well.
The old Exch2003 server is still in production. My iPhone army connects remotely for mail, and all works great. I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit. It eventually shows up in the Server
Manager on the new 2010 Exch Server. I send it a bunch of emails, connect to it with an outlook client on a Win7 machine, all works. I go to the SM on the 2010 box and migrate the mailbox to the new server. It works. I can connect with
outlook, send receive mail to other users in the org. I then try to connect with my iPhone and I get the message in Event Viewer over and over.
Went so far as to Promo the new 2012 server to a DC. seems to be fine. Now am wondering if I Demote the old Exch2003 server will it help...or cause a new crop of issues.... -
Exchange 2003/2010 Co-Existence - Distribution Group Management
We're running both exchange 2010 and Exchange 2003. I have an issue where some distribution groups were upgraded to Exchange 2010 (v14.0.100) and the manager of those lists who are on Exchange 2003 can no longer modify members, they get the error:
"Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object".
We've already implemented the myDistributionGroupsManagement role with success to allow Exchange 2010 users to manage their own list without allowing them to create new ones.
http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
Trying to apply the "Default Role Policy Assignement" to the exchange 2003 users returns an error. Is there any way Exchange 2003 users can manage Exchange 2010 Distribution list they owned without being upgraded to Exchange 2010? If not, is
there any way to downgrade distribution group to Exchange 2003 once they've been upgraded?
Hi,
From my lab, legacy exchange user can manage the distribution group which has been upgrade to Exchange 2010.
Exchange 2010 sp2, Exchange 2003 with sp2.
I can add/remove member for distribution group from address book via outlook.
Xiu Zhang
TechNet Community Support -
1. I'm trying to use Netctl commands without sudo on non-root accounts. My idea of going about this is to add the particular user to the correct group. However, i'm not sure as to which group this is. I tried adding it network , and systemd-network but to no avail, it still asks for authentication.
2. Netctl list <-- doesn't need authentication
Netctl stop <--- requires authentication
Why is this ? ( How do you set authentication for differing command line options?)
Any help or pointers would be appreciated !
Netctl is just a thin wrapper around systemd. All it does is invoke systemd commands like
systemctl start ...
systemctl stop ...
You can look at the source if you want to know how it works. -
Prohibit Sending Emails to Distribution Group at specific times
Hi team,
I have a request from my company to prohibit certain users from sending emails to Specific Distribution group at certain times.(12AM-7AM)
Any help would be appreciated.
Regards
Hi,
Based on my research, there is no feature in Exchange server to directly meet your requirement: reject specific users sending emails to specific distribution group at specific times.
We can use transport rule in Exchange 2007 and later version to achieve Reject specific users sending emails to specific distribution group. Create a rule in Exchange EMC:
Apply rule to messages
from "[email protected]" or "[email protected]"
and sent to "[email protected]"
send "cannot send messages to this group" to sender with "5.7.1"
About schedule the transport rules, there is no feature in Exchange supporting it. I find an article about scheduling a transport rule by using task schedule in Server manager. Just for your reference:
http://alanhardisty.wordpress.com/2012/01/17/schedule-a-transport-rule-to-be-enabled-or-disabled-at-a-specific-time-of-day-day-of-the-week/
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality,
safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Thanks,
Winnie Liang
TechNet Community Support -
Can't manage distribution group from Outlook with Exchange 2010 or Exchange 2013 mailbox
Hi All,
In my environment we are using exchange 2010 that contains the distribution groups which has been migrated from exchange 2003 environment .On that one of the distribution group is having an problem for the user who had an access to manage DL'S via outlook
but he can't able to manage it.When we add the new user to manage same DL and the new user tries to manage the DL via outlook it happens without any issues.
issue occurs only for the user who has already have the manage access permission on the DL where the group was on exchange 2003 before migrated to exchange 2010.
Reffered blog : http://support2.microsoft.com/kb/2586832?wa=wsignin1.0
We have done all the settings defined on the above mentioned link but still we are facing the issue.
In addition to that , we have forcefully upgraded the DL too by using the below mentioned command.
set-distributiongroup -identity "name of the problematic DL" -forceupgrade
Please all of you provide your valuable suggestions to overcome this issue .
Error message :
Regards
S.Nithyanandham
Thanks S.Nithyanandham
Hi S.Nithyanandham,
From your description, I would like to verify if the problematic manager user is a member of security group. If yes, this issue will occur. In Exchange 2010, distribution groups can't be managed by groups, only individual users can manage groups. But in
Exchange 2003, it is possible to use groups to manage a distribution group.
For more information, here is a blog for your reference.
How to manage groups with groups in Exchange 2010
http://blogs.technet.com/b/exchange/archive/2011/05/04/how-to-manage-groups-with-groups-in-exchange-2010.aspx
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support -
Managing Distribution Groups with hidden membership (when hideDLMembership is true)
Hi All,
I have a situation in a Exchange 2010 SP2 messaging environments where we want to manage two distribution groups through Outlook client and want to ensure that its membership is visible to none but the distribution group owners.
I have followed this article "http://blogs.technet.com/b/kamleshk/archive/2013/08/22/3478284.aspx" but in my case the owner can't see the membership.
The Outlook client version is 2007.
I have enabled "MyDistributionGroups" in the default role assignment policy to enable Distribution Group management by end users.
We use Outlook Anywhere but I have tried to add the registry Key "DS Server" but no way.
Thank you in advance.
Simone
Simone
Hi Simone,
How about in OWA?
If OWA works well, it should be an issue on the Outlook Client side.
If OWA not works neither, it still the permission issue. It need sometimes to sync the operation.
Please run following command to verify the owner permission:
Get-DistributionGroup -Identity DGName | FL
Thanks
Mavis
Mavis Huang
TechNet Community Support -
Hi,
I have a little C# Form Application which should be create a Public Folder and assign permission for a Distribution Group in Exchange 2010.
I have found following in the EWS Documentation:
FolderPermission fp = new FolderPermission();
fp.UserId.PrimarySmtpAddress = "[email protected]";
If i try this with a User Email it works as well. But if I try to set a Email address from a Distribution Group it will throw this Error:
"Invailid UserID"
Does anybody know, how to set Folder Permissions to a Distribution Group?
Thanks,
Julian
You can't set permission on an Item in a Public folder; the only level you can set the permissions at is on the folder. You're probably better off using a Distribution Group which you can create via the Exchange Management Shell
http://technet.microsoft.com/en-AU/library/aa998856(v=exchg.150).aspx. You can then set rights on who can use this distribution group and it will also be visible in the GAL etc.
cheers
Glen -
Delete emails older than 3 months sent to a distribution group
Hi,
Have a strange request hopefully someone can help me with.
We have Exchange 2010 on site. There are a large number of casual staff who are only at work for a few months of the years, then are away for a long period. These staff are still receiving all of the Everybody emails that are sent out, causing their mailboxes
to fill up and stop receiving emails.
I have tried the usual searches and have found solutions for deleting email with specific titles and for specific dates; but I cannot find any information on being able to delete based on the 'To' field of an email.
My query is -
Is there a way to delete emails from all mailboxes in an organisation that have been sent to a specific distribution group that are over three months old?
All help is always gratefully received.
Thanks,
Peter D.
Hi,
I have found a solution to this issue.
Am posting it for when i need it later, or if it helps anyone else.
Using Powershell, i use the following code to be able to search using the To field, which in this case is the name of the distribution group.
#Add Exchange 2010 snapin if not already loaded
if (!(Get-PSSnapin | where {$_.Name -eq "Microsoft.Exchange.Management.PowerShell.E2010"})) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
}
#Search every mailbox for items addressed to the group and delete the matches
Get-Mailbox | Search-Mailbox -SearchQuery 'to:"DistributionGroup"' -DeleteContent
Now just to add the date variable... -
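An added example (not the poster's code) that adds the three-month date limit to the same `to:` search and runs it as an estimate first, so the item counts can be reviewed before anything is deleted. The group name is a placeholder, and the `MM/dd/yyyy` date literal is an assumption that the server parses en-US dates in search queries.

```powershell
# Added example: search all mailboxes for mail addressed to one distribution
# group and older than three months; estimate first, delete only on request.
# Run in the Exchange Management Shell. The estimate needs the Mailbox Search
# role; -DeleteContent also needs the Mailbox Import Export role.

$groupName = 'DistributionGroup'   # placeholder: display name of the group
$apply     = $false                # set to $true only after reviewing the estimate

# Cutoff date, three months back from today.
# Assumption: the server accepts MM/dd/yyyy date literals in the query.
$cutoff = (Get-Date).AddMonths(-3).ToString(
    'MM/dd/yyyy', [Globalization.CultureInfo]::InvariantCulture)

# Same "to:" condition as the post above, plus an upper bound on received date.
$query = "to:`"$groupName`" AND received<=$cutoff"
Write-Host "Search query: $query"

# Pass 1: count matching items per mailbox without touching any content.
$estimate = @(Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly `
                   -WarningAction SilentlyContinue)

$hits = @($estimate | Where-Object { $_.ResultItemsCount -gt 0 })

$hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

$total = ($hits | Measure-Object ResultItemsCount -Sum).Sum
Write-Host ("{0} mailboxes with matches, {1} items in total" -f $hits.Count, $total)

# Pass 2: delete only from mailboxes that had matches, and only when asked.
if ($apply) {
    foreach ($hit in $hits) {
        Search-Mailbox -Identity $hit.Identity -SearchQuery $query `
                       -DeleteContent -Force
    }
} else {
    Write-Host 'Estimate only; nothing was deleted.'
}
```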
Restrict view access to a distribution group
Hi, management have decided they want to have a distribution group made up of all employees personal email addresses (in case of emergency broadcasts etc etc).
I have been trying to figure out a way to create this list, but only give a few particular users access to view and send to it.
So far, my thinking is I can put the list into an OU, which only has permissions for those users to view, and disable it for everyone else.
Just wondering if there is a better way to do this? The send restrictions are pretty straight forward, its the view restrictions that need to be dealt with...
Thanks,
Nathan
Hi Nathan,
As Amit suggested, you can create a dynamic distribution group. And then follow the steps below to set the message delivery restrictions.
Open EMC -> Recipient Configuration -> Distribution Group -> right click the dynamic distribution group you want to configure -> Properties -> Mail Flow Settings -> double click the Message Delivery Restrictions -> specify the user who
can send to this distribution group.
For more information, here is a helpful article for your reference.
Configure Dynamic Distribution Group Properties
http://technet.microsoft.com/en-us/library/bb124560(v=exchg.141).aspx
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support -
Bug in ABP based segregation at distribution group level
We have Exchange 2013 based hosted exchange platform, tenants are segregated via ABP with custom attribute1 as a filter. users, distribution groups etc. are properly segregated as expected.
when a user login to owa\ecp and navigate to Options->Groups, they can see the distribution groups it is member of and the distribution group for whom he is defined as manager, with in the same tenants. All good as expected.
but now when you click on join button, it open up a windows which exposes all the security groups and distribution groups from all the tenants on this platform. it clearly says the ABP is not taking care of segregation at this level and expose ALL Groups Address list to all the tenants bypassing the ABP segregation. Is there any hack for this issue?
Hi Qaiser, this isn't a bug, it's a limitation of what the ABP code can do. This is why the guidance document (http://technet.microsoft.com/en-us/office/dn756468) says the following;
Problem or Issue Description
Some EAC/ECP features will not work correctly in a multi-tenant configuration when using Exchange 2013.
For example, the distribution group self-service functionality can expose data from other tenants.
For example, adding a user to any RBAC group that exposes the Distribution Group Management options in ECP will likely result in exposing data from all tenants.
Recommended Approach to Solve
It is recommended that you disable the features that do not work correctly. For the DG self-service and management tools, you can do this by simply not including users in the MyDistributionGroupMembership RBAC role group that enables the functionality and user interface.
It is also recommended to completely disable access to the Exchange Administration Center by modifying the Set-ECPVirtualDirectory –AdminEnabled parameter on all tenant-facing servers.
Unsupported Solutions
Modification of any of the files that are used for EAC/ECP is unsupported. If you decide to build a control panel solution, that solution must only use built-in cmdlets and interfaces.
Additional Comments
Understanding Role Based Access Control -
http://technet.microsoft.com/en-us/library/dd298183.aspx
There is no hack to get around it. -
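An added example (not from the guidance document or the thread) of checking a hosted platform against the two recommendations quoted above: which role assignment policies still carry the distribution group self-service roles, how many mailboxes each policy covers, and which ECP virtual directories still have the admin center enabled. It only reports; the change commands are left commented out.

```powershell
# Added example: audit the settings the multi-tenant guidance asks to disable.
# Run in the Exchange Management Shell on the hosting platform.

# Built-in end-user roles that expose group self-service in OWA/ECP.
$selfServiceRoles = 'MyDistributionGroups', 'MyDistributionGroupMembership'

# 1. Role assignment policies that include either self-service role.
$assignments = foreach ($roleName in $selfServiceRoles) {
    Get-ManagementRoleAssignment -Role $roleName `
        -RoleAssigneeType RoleAssignmentPolicy
}

$assignments |
    Sort-Object RoleAssigneeName, Role |
    Format-Table Name, Role, RoleAssigneeName, Enabled -AutoSize

# 2. How many mailboxes sit under each affected policy.
$affectedPolicies = @($assignments |
    Where-Object { $_.Enabled } |
    ForEach-Object { $_.RoleAssigneeName.ToString() } |
    Sort-Object -Unique)

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $affectedPolicies -contains $_.RoleAssignmentPolicy.ToString() } |
    Group-Object { $_.RoleAssignmentPolicy.ToString() } |
    Format-Table @{ n = 'Policy'; e = { $_.Name } }, Count -AutoSize

# 3. ECP virtual directories where the admin center is still reachable.
$adminEnabled = @(Get-EcpVirtualDirectory | Where-Object { $_.AdminEnabled })
$adminEnabled | Format-Table Server, Name, AdminEnabled -AutoSize

Write-Host ("{0} policy assignments and {1} ECP directories need review" -f `
    @($assignments).Count, $adminEnabled.Count)

# Remediation, to be run after review (commented out on purpose):
#
# $assignments | ForEach-Object {
#     Remove-ManagementRoleAssignment -Identity $_.Name -Confirm:$false
# }
# $adminEnabled | ForEach-Object {
#     Set-EcpVirtualDirectory -Identity $_.Identity -AdminEnabled $false
# }
```

Custom roles derived from the two built-in roles are not covered by this check and need the same review.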
Group ownership of Distribution Group not working
Hi,
We recently migrated from Exchange 2007 to 2013 CU2. We have various security groups with permissions to edit various distribution lists; this is no longer working. I've already researched the problem and I understand two things are necessary for a
user to have permission to edit a distribution list:
1. User must have membership in the My Distribution Groups and My Distro Groups Membership roles. Already done.
2. User must be an owner of the distribution group.
The problem comes with the ownership. I'm assigning ownership of the distribution list to a security group, of which my test user is a member. Per this article, groups can own groups again as of 2013 CU1.
If I directly assign a user ownership of the group, they can edit membership without issue, which means item #1 is satisfied. But they are not receiving ownership by way of membership in the group that owns the distribution list. Or put another way, their
group membership is not granting them ownership of the group as it should.
Any thoughts? Spent a good hour searching and can't come up with anything.
Thanks,
James
Hi -
That is correct, and is a problem with dozens of existing distribution groups.
For testing purposes I just did the following:
1. Created a new distribution group "Test Distro Group"
2. Created a new mail-enabled security group "Test Distro Group Owners"
3. Ran Set-DistributionGroup -Identity "Test Distro Group" -ManagedBy "Test Distro Group Owners"
4. Confirmed ownership via the shell:
Get-DistributionGroup -Identity "Test Distro Group" | fl
GroupType : Universal
SamAccountName : Test Distro Group
BypassNestedModerationEnabled : False
ManagedBy : {contoso.com/Users/Test Distro Group Owners}
5. Confirmed ownership via ECP:
6. Added a test user "_Sample Teacher" to the "Test Distro Group Owners" group. Confirmed membership via ECP:
7. Logged into OWA as "_Sample Teacher," went to Options, then Groups. "Test Distro Group Owners" is shown as a group that the user belongs to, however no groups are shown under "distribution groups I own."
8. If I add "_Sample Teacher" directly as an owner of "Test Distro Group," the group appears as expected as an owned group.
So in short...the user is a member of the security group, the security group owns distribution group; the user should then be an owner of the distro group via membership in the security group, however this is not working.
Thanks for any help you can provide. I'm not sure where to go next.
James