Friday, September 17, 2010

Managing Distribution Groups

Managing distribution groups always seems to change from one version of Exchange to the next. In Exchange 2003 you modified the properties of the group, set the manager on the Managed By tab and enabled the "Manager can update membership list" option. To allow additional managers for the distribution list you had to manually update the Active Directory security settings for the group.


In Exchange 2007 you granted users permission to modify distribution groups by running the following (the pipe between the two cmdlets is required):

Get-DistributionGroup DGName | Add-ADPermission -User manager -AccessRights WriteProperty -Properties Member

Adding additional managers became a simple task. You could also add a manager within the Exchange Management Console by modifying the properties of the distribution group on the Group Information tab.


Exchange 2010 introduced the new RBAC (Role Based Access Control) model. Anyone who has already migrated, or has begun migrating, mailboxes may have experienced the issue where users can no longer modify groups they could modify before. There is an excellent article on the Exchange Team site that describes the cause and solution for this issue. You may have most of your users working after running the script, while others still get the dreaded error.


As an administrator you may get the following error when you run the Add-DistributionGroupMember cmdlet: "You don't have sufficient permissions. This operation can only be performed by a manager of the group."

Why do you, as an administrator, get that error when trying to add members? Why do your users still get an error trying to update their groups? If you open the properties of the distribution group and look at the Group Information tab, you will notice that the appropriate users are not present in the Managed By list. One reason they are missing is that the script used to grant users permission to modify groups in Exchange 2007 did just that and only that: it granted the Active Directory permission and never touched the Managed By list. Exchange 2007 also does not add anyone to that list when the group is created (Exchange 2010 automatically adds the group creator).



Organizations that have many distribution groups and assigned permissions to modify these groups to several users have a daunting task to resolve this issue. Unless there was a way to script a solution…

The first step in resolving this issue is identifying the groups whose permissions were modified to allow users to update group membership. To do this we want to find all groups with a permission entry that is not inherited (we added the permission explicitly using the Add-ADPermission cmdlet), whose access right is WriteProperty, and whose Properties include Member (exactly what was used in Exchange 2007 to grant the permission).

$groups = Get-DistributionGroup | Get-ADPermission | where { $_.IsInherited -eq $false -and $_.AccessRights -like "WriteProperty" -and $_.Properties -like "Member" }

Now our variable $groups contains a list of permission entries, each of which includes the group name (Identity) and the user. We need to process each entry, converting the User attribute value into a usable string, and then use that value to update the group's ManagedBy value. If you have ever updated a user's email addresses using the shell you will see the similarity here: the script adds our new entry to the ManagedBy array and then updates the group's ManagedBy attribute with the updated array.

foreach ($g in $groups) {
    $user  = $g.User.ToString().Substring($g.User.ToString().IndexOf("\") + 1)   # DOMAIN\user -> user
    $group = Get-DistributionGroup $g.Identity
    $group.ManagedBy += (Get-Mailbox $user).DistinguishedName                    # append the new manager's DN
    Set-DistributionGroup $group -ManagedBy $group.ManagedBy                     # write the updated list back
}


I recommend testing this script prior to running it in production. If you do not have a lab environment, you can create test distribution groups in a separate organizational unit and update the Get-DistributionGroup call to include the -OrganizationalUnit parameter so that only those groups are processed.
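The same migration with the checks a cautious administrator would want before a production run, as an added example that is not the post's own script: it scopes the search to a test OU, updates each group once even when several users were granted the permission, skips principals that are already managers or have no mailbox instead of aborting, and supports -WhatIf for a dry run. It assumes the Exchange 2010 Management Shell; the OU value is a placeholder.

```powershell
# Added example (not the original post's script). Assumes the Exchange 2010 Management Shell.
param(
    [string]$OrganizationalUnit = "contoso.com/Test Groups",  # placeholder: your test OU
    [switch]$WhatIf                                            # report only, change nothing
)

# Step 1: the Exchange 2007-style grants, explicit (non-inherited) WriteProperty on Member
$aces = Get-DistributionGroup -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited |
    Get-ADPermission |
    Where-Object { -not $_.IsInherited -and
                   $_.AccessRights -contains "WriteProperty" -and
                   $_.Properties   -contains "Member" }

# Step 2: one update per group rather than one per permission entry
$aces | Group-Object -Property { $_.Identity.ToString() } | ForEach-Object {
    $name     = $_.Name
    $group    = Get-DistributionGroup $name
    $managers = @($group.ManagedBy | ForEach-Object { $_.DistinguishedName })
    $added    = @()

    foreach ($ace in $_.Group) {
        # $ace.User prints as DOMAIN\sAMAccountName; keep the account name
        $sam = $ace.User.ToString().Split("\")[-1]
        # Same Get-Mailbox lookup as the post; a principal without a mailbox
        # (a group, a service account) is reported and skipped, not fatal
        $mbx = Get-Mailbox $sam -ErrorAction SilentlyContinue
        if (-not $mbx) { Write-Warning "${name}: no mailbox for '$sam', skipping"; continue }
        if ($managers -contains $mbx.DistinguishedName) { continue }   # already a manager
        $managers += $mbx.DistinguishedName
        $added    += $sam
    }

    if ($added.Count -eq 0) { return }   # nothing new for this group, leave it untouched
    Write-Host "${name}: adding manager(s) $($added -join ', ')"
    # -WhatIf rehearses the change so the run can be reviewed before touching production
    Set-DistributionGroup -Identity $name -ManagedBy $managers -WhatIf:$WhatIf
}
```

Run it with -WhatIf first and compare the reported additions against the Group Information tab of a few groups before running it for real.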
