Sunday, April 1, 2007

Delegating Distribution Group Management Via Outlook

Managing distribution lists is normally a duty of Exchange and/or Active Directory administrators. The process for adding or removing a member of a distribution list is likely to submit a request and wait until an administrator makes the necessary changes.

Using a combination of Active Directory permissions and the built-in tools of Outlook you can delegate the ability to manage distribution lists to the user. Here’s how to do it:

Adding Permissions


For a user to have the ability to manage distribution group membership they must be assigned the ‘Write Members’ active directory permission. This can be done in ADUC, but I find PowerShell much simpler.

Adding permission for a single user:

Add-ADPermission -Identity:'Group Display Name’ -User:domain\username -AccessRights ReadProperty, WriteProperty -Properties 'Member'

Adding permission for a group of users:

Add-ADPermission -Identity:'Group Display Name’ -User:'Display Name of Permissions Group’ -AccessRights ReadProperty, WriteProperty -Properties 'Member'

Modifying Group Membership within Outlook


After locating the group within the Global Address List, select ‘Modify Members…’ from the properties screen. To add new members select the ‘Add…’ option and located the desired users within the GAL. Members can be removed by highlighting the desired user and selecting the ‘Remove’ button.

If you receive a “Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object” error message either permissions are not assigned correctly or the user is not connecting a global catalog from the domain hosting the distribution group.

--Nick

18 comments:

Nikolai said...

Hi Nick,
Do you think this will also work if you host Exchange in a resource forest? Let's say that a disabled mailbox- enabled user account in the resource forest is linked to the associated external account from the user forest. Will the user in the user forest be able to manage a distribution group in the resource forest, assuming only the disabled mailbox- enabled user account has write permissions to change membership of this group?
Thanks in advance,
Nikolai

Nick Smith said...

Nikolai,

I have never testing this scenario before. I am not sure if granting permissions to the resource forest account to modify group membership will work. In fact, I kinda doubt it will. However, granting permissions to the user's real domain account will allow them to edit the membership.

If you do get a chance to test this, please report back your findings.

--Nick

yannick said...

Hello,
i am using exch2007 + w2003r2 x64, i want to call a batch file like :

C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "Get-Group -identity testgroup | Set-Group"

, this from a win32 application, if i call this file from a CMD command line, it works fine, but if my application call it with a shellexecute function i get this :


WARNING: The following errors occurred when loading console C:\Program
Files\Microsoft\Exchange Server\bin\exshell.psc1:
Cannot load Windows PowerShell snap-in
Microsoft.Exchange.Management.PowerShell.Admin because of the following error:
No Windows PowerShell Snap-ins are available for version 1.
Command "Get-Group -identity testgroup | Set-Group" could not be executed because
some Windows PowerShell snap-ins did not load.

if i test my application with the same batch file on a x86 demoversion of exchange2007 in a virtual PC its works !!!

do you have an idea ?

Thank you

Nick Smith said...

Yannick,

I found a blog post describing your problem at http://blogs.msdn.com/mstehle/archive/2007/01/25/kb-preview-error-no-windows-powershell-snap-ins-when-loading-exchange-powershell-snap-in.aspx.

My suggestion would be to make sure you are calling the 64-bit version of Powershell and if possible compile your application as 64-bit as well.

--Nick

michaelkeel said...

Hi Nick,

Thanks for that information.

I'm new to Exchange as I was a Notes Admin in my previous life!!

I have a slight problem when trying to grant mailbox access in Exchange 2007 (vanilla) to a group.

Mailbox is called Chemo and group (Security group) is called Chemo MB Access. I've entered three shell commands...
1. add-mailboxpermission -identity 'Chemo' -user 'Chemo MB Access' -extendedrights 'fullaccess'
2. add-mailboxpermission -identity 'Chemo' -user 'Chemo MB Access' -extendedrights 'sendas'
3. add-adpermission -identity 'Chemo' -user 'Chemo MB Access' -extendedrights 'send as'

The commands worked and gave me no errors.

However, users in that group cannot access the mailbox. Message says 'Cannot display the folder. Microsoft office Outlook cannot access the specified folder location'. They've closed and re-opened, but still no luck.

I may have to grant specific user access to see if that works.

Nick Smith said...

michaelkeel,

Welcome to the Exchange world. There a couple of things will want to check.

You can run the following command to verify that the mailbox permissions applied sucessfully:

Get-MailboxPermission -Identity "Chemo" -User "Chemo MB Access"

You should see that the group has been granted FullAccess to the mailbox. If you don't see any entries, the permissions were not applied successfully.

Secondly, was the group "Chemo MB Access" recently created. If you just created the group and added users, you will need to logout/logon with the user account in order for the permissions to apply. The logoff/logon process will detect the user's new group membership.

--Nick

michaelkeel said...

Thanks Nick.

All is okay now. We hadn't logged off/on to allow the permissions to apply.

Mike.

rio said...

Hi Nick,

I will like to delegate a user to add/remove membership of a particular distribution group. I have added the permission using Add-Adpermission command and verify that the delegated user has WriteMembers permissions. However when I try to modify the membership using Outlook, I get the "Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object"

I have hardcoded the Outlook client to use a Global Catalog that is in the domain where the Distribution group and the user located. Any other clue?

PS : when I run the command Get-MailboxPermission -Identity "DelgatedUser" -User "Distribution Group", I didn't get the permission reported. It returns nothing, but I see the permission in the Active Directory User and Computer.

ignacio said...

Thanks, It works great but I have a question if I have a user in different distribution lists how can I stop the inherited to another group in other words if I have Marketing member of News group, How I can add Joe only to Marketing and not to News group.

Thanks,

Nick Smith said...

ignacio,

If I understand your question correctly... you have Joe, a member of the Marketing distribution group. The Marketing group is a member of the News distribution group. And you want to prevent Joe from receiving emails sent to the News group?

To prevent Joe from receiving emails sent to the News group I would suggest rethinking your group membership structure. If the above statement is true, Joe would receive the email sent to the News group by design.

--Nick

Nick C. said...

Do you know of a way where I can give a user access to change ALL the distribution lists? I have about 100 in my organization and I would like 1 user to be able to change all of them.

ghkj said...
This comment has been removed by a blog administrator.
c13 said...

Was something like this possible in Exchange 2003, if so, how was it typically implemented?

Magali said...

I modified the Global Catalog in my domain and now all the Outlook clients connect to a GC in a higher domain so no one can update the Distribution groups. Is there a way to force the GC globally?

chris_tiller said...

Nick,

Here is my issue. I have a Distro Group that is in the same domain as the user (who is also the manager of the Distro Group). He has all the permissions he needs to modify users. However when he tries to add or remove the users from the Distro group by using Outlook he gets the error "Changes to the Distribution list Membership could not be saved.You
do not have sufficient permission to perform this operation on this object" The issue here is that Exchange is located in a different domain. Example Domain A has distro group and user and Domain B has Exchange. I tested this by creating an account (with the same permissions) and distro group in Domain B and everything worked fine. I can't figure out what permissions I need to give to the Manager to be able to update the distro group. Thanks for any help.
Chris

Abid Sharif said...

Hi Nick,

I was wondering if its possible for a secuirty group to have permission for all mailboxes.

Additionally if there is a way to have it set up so that whenever a new mailbox is set up, the use is already part of this group?

Thanks in Advance
Abid

Alex said...

Probably the proper determination would become one of tools from the Inet. But unfortunately I had like issue and only my friend's advice assisted me. He recommended one program, I used it and I'm sure in this or any like trouble it will be effective - ost file repair.

Anonymous said...

Did the trick, thanks mate! :)

Btw, the issue we had was that even if the user is set as the "manager" of the list within the Outlook 2007 console, she still wasn't able to make changes.

Cheers