Giving Permissions to specific Distribution Group management for deparment secrety

Similar Messages

• Hello. I began with the DPS. Is it possible to publish a magazine for a limited, specific target group? For example, in one department of a large company? Or to the responsible for various services? If so, how should I do? Thank you for your help.

  Hello.
  I began with the DPS. Is it possible to publish a magazine for a limited, specific target group? For example, in one department of a large company?
  Or to the responsible for various services? If so, how should I do? Thank you for your help.

  Short answer is yes.
  Click the request for consultation link in Digital Publishing Suite Help | DPS pricing options to receive a price estimate for the DPS license your project.

• Distribution Group manager can't modify group

  Setup
  MS Exchange 2010 version 14.3 (Build 123.4)
  Distribution Group is a Mail Universal Distribution which has less than 20 members total
  There are three managers in the "Managed By" listing.  Of these two can modify the list, the third cannot.  When the third manager tries to modify the list they get the following error:
  The Public Group cannot be displayed.  The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action.
  Note: The user is connected to the Exchange environment as evidenced by the "Connected to Microsoft Exchange" in the lower right portion of his Outlook 2010 window.  He is also hardwired into the network,
  ie no wireless connection.  He tried the going in through OWA and got the same error as above.  
  Any ideas on what I can check to see why this manager cannot modify the list whereas the other two can? 
  nc

  Hi ncouch55,
  If there are multiple GCs in organization, We could refer to the following link to choose the closest GC for the specific user:
  1). Click Start, and then click Run.
  2). In the Open box, type regedit.exe, and then click OK.
  3). Locate and then click the following key in the registry:
  HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider
  Note You may have to create the registry path.
  4). On the Edit menu, click Add Value, and then add the following registry value:
  Value name: GC Server
  Data type: REG_SZ (string)
  Value data: the FQDN of the closest GC server
  5). Quit Registry Editor.
  If the issue persist, we could clear manager on distribution group and re-grant permission to three manager.
  If there are any questions regarding this issue, please be free to let me know. 
  Best Regard,
  Jim

• Custom Distribution Group management role (manager excpeiton)

  My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
  By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
  technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
  Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
  words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
  sufficient permissions. this operation can only be performed by a manger of the group”.
  New-ManagementScope -Name “Sales Support DG MScope” -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot “lab.com/sales”
  New-ManagementRole -name “Sales Support DG MRole” -Parent "Distribution Groups"
  New-RoleGroup -name “Sales “Sales Support DG MGroup” -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
  When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
  group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
  Below confirms by scope.
  Get-Group -OrganizationalUnit “lab.com/sales” | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
  Name DisplayName SamAccountName GroupType
  distro1 distro1 distro1 Universal, SecurityEnabled
  distro2 distro2 distro2 Universal, SecurityEnabled
  distro3 distro3 distro3 Universal, SecurityEnabled
  On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
  Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
  Name
  Add-DistributionGroupMember
  Disable-DistributionGroup
  Enable-DistributionGroup
  Get-ADServerSettings
  Get-AcceptedDomain
  Get-DistributionGroup
  Get-DistributionGroupMember
  Get-DomainController
  Get-DynamicDistributionGroup
  Get-Group
  Get-MailUser
  Get-Mailbox
  Get-OrganizationalUnit
  Get-Recipient
  Get-ResourceConfig
  Get-User
  New-DistributionGroup
  New-DynamicDistributionGroup
  Remove-DistributionGroup
  Remove-DistributionGroupMember
  Remove-DynamicDistributionGroup
  Set-ADServerSettings
  Set-DistributionGroup
  Set-DynamicDistributionGroup
  Set-Group
  Set-OrganizationConfig
  Update-DistributionGroupMember
  Write-AdminAuditLog

  Hello,
  I understand that you have create custom management scope for each group and assigned a custom role to it.
  But whenever user try to edit (add/remove membership ) ,it shows errors "you dont have sufficient permissions". I face similar problem when we move from 2007 to 2010, 2010 by default disabled editing options for Dl membership.
  You can enable it by Graphic mode or powershell. Would suggest that you have created custom role, you follow powershell mode. I had written a blog on that.
  Check below link. http://exchange2010cmd.blogspot.de/
  You have created new management role “Sales Support DG MRole”, but you need to assign this role to users/administrators in your case through role assignment policy.
  You can either use existing default policy or create new policy and assign this management role to it.
  Use below cmd: New-ManagementRoleAssignment -Role “Sales Support DG MRole” –Policy “Default Role Assignment Policy”
  NOTE: If you are creating new policy , place that name instead of default policy name".
  I recommend you continue with defalut policy. After this check with any admin, he should have rights to edit membership.
  Now, regarding your second concern, that your custon role has to many role entries.
  You can remove unwanted role entries.
  Use this cmd: Get-ManagemenRoleEntry “Sales Support DG MRole\*” | where{ $_.name –like “Set-distributionGroup” } | remove-managementroleentry
  Before linking management role to email policy, remove unwanted role entry from role.
  I tried to explain it in easy way, but still it is not understood, write back to me. I am new to technet forum, I started few days back replying to questions. If you get your answer,dont forget to propose it as answer.

• "Active Directory operation failed on DC " when assigning Send As permissions on a distribution group

  I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
  Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
  Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
  Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
      + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
      + FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
  What could be the problem, considering the items below :
  - inheritance is not broken to the level of the distribution group object
  - the account used to run the cmdlet is a member of the Organization Management group
  - creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties)
  shows no differences.
  - adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
  - there is no Deny permission on the group's ACL
  - the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues

  Anyone ever come up with a solution to this?  I get something similar when Activesync tries to create objects on user containers.
  Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
  Additional information: Access is denied.
  Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
  Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
  Details:%3
  So...I get this after I introduced a MS Exchange 2010 SP3 RU8 server into my environment.  You can find LOTS of people suggesting the same fix but I've not found anything that deviates from those fixes:  check the "inherit permissions",
  and give full permis to msExchActiveSync devices for the Exchange Servers security group, blah blah.
  I got to this point by following a Migrate to Exch2010 paper by MS.  I have no Win2k servers, my old Exchange server is Win2003r2SP2 with Exch2003SP2 fully patched.  The Exch server is also a DC.  I installed a new 2012r2 server and then patched
  it.  Installed Exch2010SP3Ru8 and all seems well.  
  The old Exch2003 server is still in production.  My iPhone army connects remotely for mail, and all works great.  I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit.  It eventually shows up in the Server
  Manager on the new 2010 Exch Server.  I send it a bunch of emails, connect to it with an outook client on a Win7 machine, all works.  I go to the SM on the 2010 box and migrate the mailbox to the new server.  It works.  I can connect with
  outlook, send receive mail to other users in the org.  I then try to connect with my iPhone and I get the message in Event Viewer over and over.
  Went so far as to Promo the new 2012 server to a DC.  seems to be fine.  Now am wondering if I Demote the old Exch2003 server will it help...or cause a new crop of issues....

• Exchange 2003/2010 Co-Existence - Distribution Group Management

  We're running both exchange 2010 and Exchange 2003.  I have an issue where some distribution groups were upgraded to Exchange 2010 (v14.0.100) and the manager of those lists who are on Exchange 2003 can no longer modify members, they get the error:
  "Changes to the distribution list membership cannot be saved.  You do not have sufficient permission to perform this operation on this object".
  We've already implemented the myDistributionGroupsManagement role with success to allow Exchange 2010 users to manage their own list without allowing them to create new ones.
  http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
  Trying to apply the "Default Role Policy Assignement" to the exchange 2003 users returns an error.  Is there any way Exchange 2003 users can manage Exchange 2010 Distribution list they owned without being upgraded to Exchange 2010?  If not, is
  there any way to downgrade distribution group to Exchange 2003 once they've been upgraded?

  Hi,
  From my lab, legacy exchange user can manage the distribution group which has been  upgrade to Exchange 2010.
  Exchange 2010 sp2, Exchange 2003 with sp2.
  I can add/remove member for distribution group from address book via outlook.
  Xiu Zhang
  TechNet Community Support

• Group Management for Netctl

  1. I'm trying to use Netctl commands without sudo on non-root accounts.  My idea of going about this is to add the particular user to the correct group. However, i'm not sure as to which group this is. I tried adding it network , and systemd-network but to no avail, it still asks for authentication.
  2. Netctl list <-- doesn't need authentication
      Netctl stop <--- requires authentication
      Why is this ? ( How do you set authentication for differing command line options?)
  Any help or pointers would be appreciated !

  Netctl is just a thin wrapper around systemd. All it does is invoke systemd commands like
  systemctl start ...
  systemctl stop ...
  You can look at the source if you want to know how it works.

• Prohibit Sending Emails to Distribution Group at specific times

  Hi team,
  I have a request from my company to prohibit certain users from sending emails to Specific Distribution group at certain times.(12AM-7AM)
  Any help would be appreciated.
  Regards

  Hi,
  Based on my research, there is no feature in Exchange server to directly meet your requirement: reject specific users sending emails to specific distribution group at specific times.
  We can use transport rule in Exchange 2007 and later version to achieve Reject specific users sending emails to specific distribution group. Create a rule in Exchange EMC:
  Apply rule to messages
  from "[email protected]" or "[email protected]"
  and sent to "[email protected]"
  send "cannot send messages to this group" to sender with "5.7.1"
  About schedule the transport rules, there is no feature in Exchange supporting it. I find an article about scheduling a transport rule by using task schedule in Server manager. Just for your reference:
  http://alanhardisty.wordpress.com/2012/01/17/schedule-a-transport-rule-to-be-enabled-or-disabled-at-a-specific-time-of-day-day-of-the-week/
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality,
  safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Thanks,
  Winnie Liang
  TechNet Community Support

• Can't manage distribution group from Outlook with Exchange 2010 or Exchange 2013 mailbox

  Hi All,
  In my environment we are using exchange 2010 that contains the distribution groups which has been migrated from exchange 2003 environment .On that one of the distribution group is having an problem for the user who had an access to manage DL'S via outlook
  but he can't able to manage it.When we add the new user to manage same DL and the new user tries to manage the DL via outlook it happens without any issues. 
  issue occurs only for the user who has already have the manage access permission on the DL where the group was on exchange 2003 before migrated to exchange 2010.
  Reffered blog : http://support2.microsoft.com/kb/2586832?wa=wsignin1.0
  We have done all the settings defined on the above mentioned link but still we are facing the issue.
  In addition to that , we have forcefully upgraded the DL too by using the below mentioned command.
  set-distributiongroup -identity "name of the problematic DL" -forceupgrade
  Please all of you provide your valuable suggestions to overcome this issue .
  Error message :
  Regards
  S.Nithyanandham
  Thanks S.Nithyanandham

  Hi S.Nithyanandham,
  From your description, I would like to verify if the problematic manager user is a member of security group. If yes, this issue will occur. In Exchange 2010, distribution groups can't be managed by groups, only individual users can manage groups. But in
  Exchange 2003, it is possible to use groups to manage a distribution group.
  For more information, here is a blog for your reference.
  How to manage groups with groups in Exchange 2010
  http://blogs.technet.com/b/exchange/archive/2011/05/04/how-to-manage-groups-with-groups-in-exchange-2010.aspx
  Hope this can be helpful to you.
  Best regards,
  Amy Wang
  TechNet Community Support

• Managing Distribution Groups with hidden membership (when hideDLMembership is true)

  Hi All,
  I have a
  situation in a Exchange 2010 SP2 messaging environments where we want to manage two distribution groups through Outlook client and want to ensure that its membership is visible to none but the distribution group owners.
  I have followed this article "http://blogs.technet.com/b/kamleshk/archive/2013/08/22/3478284.aspx" but in my case the owner can't see the membership.
  The Outlook client version is 2007.
  I have enabled "MyDistributionGroups" in the default role assignment policy to enable Distribution Group management by end users.
  We use Outlook Anywhere but I have tried to add the registry Key "DS Server" but no way.
  Thank you in advance.
  Simone
  Simone

  Hi Simone,
  How about in OWA?
  If OWA works well, it should be an issue on the Outlook Client side.
  If OWA not works neither, it still the permission issue. It need sometimes to sync the operation.
  Please run following command to verify the owner permission:
  Get-DistributionGroup -Indentity DGName | FL
  Thanks
  Mavis 
  Mavis Huang
  TechNet Community Support

• [E2010] [EWS] [C#] [Windows]: How do I assign public folder Permission to a distribution Group

  Hi,
  I have a little C# Form Application which should be create a Public Folder and assign permission for a Distribution Group in Exchange 2010.
  I have found following in the EWS Documentation:
   FolderPermission fp = new FolderPermission();
   fp.UserId.PrimarySmtpAddress = "[email protected]";
  If i try this with a User Email it works as well. But if I try to set a Email address from a Distribution Group it will throw this Error:
  "Invailid UserID"
  Does anybody know, how to set Folder Permissions to a Distribution Group?
  Thanks,
  Julian

  You can't set permission on an Item in a Public folder the only level you can set the permissions at are on the folder. Your probably better of using a Distribution Group which you can create via the Exchange Management Shell
  http://technet.microsoft.com/en-AU/library/aa998856(v=exchg.150).aspx l. You can then set rights on who can use this distribution group and it will also be visible in the GAL
  etc.
  cheers
  Glen

• Delete emails older than 3 months sent to a distribution group

  Hi,
  Have a strange request hopefully someone can help me with.
  We have Exchange 2010 on site. There are a large number of casual staff who are only at work for a few months of the years, then are away for a long period. These staff are still receiving all of the Everybody emails that are sent out, causing their mailboxes
  to fill up and stop receiving emails.
  I have tried the usual searches and have found solutions for deleting email with specific titles and for specific dates; but I cannot find any information on being able to delete based on the 'To' field of an email.
  My query is -
  Is there a way to delete emails from all mailboxes in an organisation that have been sent to a specific distribution group that are over three months old?
  All help is always gratefully received.
  Thanks,
  Peter D.

  Hi,
  I have found a solution to this issue.
  Am posting it for when i need it later, or if it helps anyone else.
  Using Powershell, i use the following code to be able to search using the To field, which in this case is the name of the distribution group.
  #Add Exchange 2010 snapin if not already loaded
  if (!(Get-PSSnapin | where {$_.Name -eq "Microsoft.Exchange.Management.PowerShell.E2010"}))
  Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
  get-Mailbox | search-mailbox -searchquery to:"DistributionGroup" -DeleteContent
  Now just to add the date variable...

• Restrict view access to a distribution group

  Hi, management have decided they want to have a distribution group made up of all employees personal email addresses (in case of emergency broadcasts etc etc).
  I have been trying to figure out a way to create this list, but only give a few particular users access to view and send to it.
  So far, my thinking is I can put the list into an OU, which only has permissions for those users to view, and disable it for everyone else.
  Just wondering if there is a better way to do this? The send restrictions are pretty straight forward, its the view restrictions that need to be dealt with...
  Thanks,
  Nathan

  Hi Nathan,
  As Amit suggested, you can create a dynamic distribution group. And then follow the steps below to set the message delivery restrictions.
  Open EMC -> Recipient Configuration -> Distribution Group -> right click the dynamic distribution group you want to configure -> Properties -> Mail Flow Settings -> double click the Message Delivery Restrictions -> specify the user who
  can send to this distribution group.
  For more information, here is a helpful article for your reference.
  Configure Dynamic Distribution Group Properties
  http://technet.microsoft.com/en-us/library/bb124560(v=exchg.141).aspx
  Hope this can be helpful to you.
  Best regards,
  Amy Wang
  TechNet Community Support

• Bug in ABP based segregation at distribution group level

  We have Exchange 2013 based hosted exchange platform, tenants are segregated via ABP with custom attribute1 as a filter. users, distribution groups etc. are properly segregated as expected.
  when a user login to owa\ecp and navigate to Options->Groups, they can see the distribution groups it is member of and the distribution group for whom he is defined as manager, with in the same tenants. All good as expected.
  but now when you click on join button, it open up a windows which exposes all the security groups and distribution groups from all the tenants on this platform. it clearly says the
  ABP is not taking care of segregation at this level and expose ALL Groups Address list to all the tenants bypassing the ABP segregation. Is their any hack exist for this issue? 

  Hi Qaiser, this isn't a bug, it's a limitation of what the ABP code can do. This is why the guidance document (http://technet.microsoft.com/en-us/office/dn756468) says the following;
  Problem or Issue Description
  Some EAC/ECP features will not work correctly in a multi-tenant   configuration when using Exchange 2013.
  For example, the distribution group self-service functionality can expose   data from other tenants.
  For example, adding a user to any RBAC group that exposes the Distribution   Group Management options in ECP will likely result in exposing data from all   tenants.
  Recommended Approach to Solve
  It is recommended that you disable the features that do not work   correctly. For the DG self-service and management tools, you can do this by simply   not including users in the
  MyDistributionGroupMembership   RBAC role group that enables the functionality and user interface.
  It is also recommended to completely disable access to the Exchange   Administration Center by modifying the
  Set-ECPVirtualDirectory   –AdminEnabled parameter on all tenant-facing servers.
  Unsupported Solutions
  Modification of any of the files that are used for EAC/ECP is   unsupported. If you decide to build a control panel solution, that solution   must only use built-in cmdlets and interfaces.
  Additional Comments
  Understanding Role Based Access Control -
  http://technet.microsoft.com/en-us/library/dd298183.aspx  
  There is no hack to get around it.

• Group ownership of Distribution Group not working

  Hi,
  We recently migrated from Exchange 2007 to 2013 CU2. We have various security groups with permissions to edit various distribution lists; this is no longer working. I've already researched the problem and I understand two things are necessary for a
  user to have permission to edit a distribution list:
  1. User must have membership in the My Distribution Groups and My Distro Groups Membership roles. Already done.
  2. User must be an owner of the distribution group.  
  The problem comes with the ownership. I'm assigning ownership of the distribution list to a security group, of which my test user is a member. Per
  this article, groups can own groups again as of 2013 CU1.
  If I directly assign a user ownership of the group, they can edit membership without issue, which means item #1 is satisfied. But they are not receiving ownership by way of membership in the group that owns the distribution list. Or put another way, their
  group membership is not granting them ownership of the group as it should.
  Any thoughts? Spent a good hour searching and can't come up with anything.
  Thanks,
  James

  Hi -
  That is correct, and is a problem with dozens of existing distribution groups.
  For testing purposes I just did the following:
  1. Created a new distribution group "Test Distro Group"
  2. Created a new mail-enabled security group "Test Distro Group Owners"
  3. Ran Set-DistributionGroup -Identity "Test Distro Group" -ManagedBy "Test Distro Group Owners"
  4. Confirmed ownership via the shell:
  Get-DistributionGroup -Identity "Test Distro Group" | fl
  GroupType                                 : Universal
  SamAccountName                       : Test Distro Group
  BypassNestedModerationEnabled  : False
  ManagedBy                                 : {contoso.com/Users/Test Distro Group Owners}
  5. Confirmed ownership via ECP:
  6. Added a test user "_Sample Teacher" to the "Test Distro Group Owners" group. Confirmed membership via ECP:
  7. Logged into OWA as "_Sample Teacher," went to Options, then Groups. "Test Distro Group Owners" is shown as a group that the user belongs to, however no groups are shown under "distribution groups I own."
  8. If I add "_Sample Teacher" directly as an owner of "Test Distro Group," the group appears as expected as an owned group.
  So in short...the user is a member of the security group, the security group owns distribution group; the user should then be an owner of the distro group via membership in the security group, however this is not working.
  Thanks for any help you can provide. I'm not sure where to go next.
  James