Delegating Exchange 2007 Distribution List Management to End Users
Author: Peter Van Eeckhoutte
Add this post to Your Favorite Posts | Print This Post
| 
This page as PDF
(1 votes, average: 5.00 out of 5)You need to be a registered member to rate this post.
Loading ...One of the challenges that result from operating a messaging environment is making sure the company’s internal Distribution Lists stay up to date. In most corporate environments, this is a task that is typically assigned to IT staff, however it does not have to be like this. At least, not for regular Distribution Lists. (It may be a bit complicated for Dynamic Distribution Lists, but hey – they are dynamic so there should be no reason to delegate management access to a Dynamic Distribution List)
There may be good reasons to delegate this task to end users, and ideally these users should be able to use their Outlook client to manage the company Distribution Lists. Imagine that you can ask Marketing people to keep the Marketing distribution list up to date… or ask Sales support people to do the same for Sales DL’s… and so on… Wouldn’t that be great ? Luckily enough, it’s not that complicated to make this happen.
Whether you have installed Exchange 2007 into your ‘account domain’, or whether you are using a dedicated Exchange forest (and have at least a one way trust between the account domain and Exchange forest), the procedure will be exactly the same.
In short, this is what needs to be done
- in the account domain, create groups that contain the users that will be allowed to modify Distribution List membership. If you have multiple distribution lists and if you want to allow different people to manage these distribution lists, you may have to create multiple AD groups
- in the domain that ‘holds’ Exchange, edit the security of the Distribution Lists and grant the newly created AD groups (from the account domain) access to the Distribution List
Set up permissions
First of all, you need to figure out who will be allowed to modify DL membership on a specific DL. Create management groups in your account domain and populate them with the user accounts that should be granted access.
Let’s say you have created a group call “DL Membership Editors” in your account domain and populated it with one or more users that are allowed to edit the DL membership.
Open Active Directory Users & Computers in the domain that ‘holds’ the Exchange environment. In an integrated solution, this is the account domain. When you are using a dedicated Exchange Resource Forest, you need to make the changes on the Resource Forest.
Next, find the Active Directory object that refers to the Distribution List. In my example, I’m using a Distribution List called “Marketing”, which contains no members so far.
Edit the properties of the DL object, go to the security tabsheet and click the ’advanced’ button.
Click Add
Enter the AD account domain group name that you want to delegate access to. (If you are configuring access in the Resource Forest, you’ll have to use the “Locations” button first to select the account domain.
In the next screen, choose “properties”, set “Apply onto” to “Group Objects” and enable “Write Members”
Click OK twice to save the changes. The group “DL Membership Editors” should now have “Special Permissions” set on the Distribution List object.
You can do the same with Powershell as well :
Add-ADPermission
-Id <name of distribution group>
-User <name of user or group>
-AccessRights WriteProperty
-Properties "Member"
In the “name of user or group” parameter, enter the name of the AD group in the account domain. So if you have a dedicated Exchange forest, the command should include the name of the domain :
Add-ADPermission -id “Marketing” -User “ACCDOMAIN\DL Membership Editors” -AccessRights WriteProperty -Properties “Member”
(Note that you need to use the Display name of the Group in the powershell command)
Test DL management
Now open Outlook on the computer of one of the users that is a member of the “DL Membership Editors”. I have noticed that, if Outlook was still running at the time the security was changed, the user will have to close Outlook & relaunch Outlook before the changes are applied.
Open the Global Address Book, find the group that needs to have its membership changed.
Edit the properties and click on “Modify Members”
Add/Remove members and click OK twice to save the changes.
That’s all there’s to it
© 2009, Peter Van Eeckhoutte. All rights reserved. Terms of Use are applicable to all content on this blog. If you want to use/reuse parts of the content on this blog, you must provide a link to the original content on this blog.
Posted in MS Exchange, Outlook | 
Tags: 2007, account domain, delegate, distribution list, distribution lists, edit, management, membership, membership editors, modify, MS Exchange, Outlook, resource forest
I regret that this is not working for me. The user gets “do not have sufficient permission to perform this operation on this object”. Any thoughts?
I found this other article here: http://searchexchange.techtarget.com/news/article/0,289142,sid43_gci1119764,00.html that suggests that I have to give permissions at the OU level.
well, it did work fine for me – perhaps you just need to wait for AD to properly replicate, close the Outlook client and fire it up again ?
I have tested this on individual DL’s (without setting permissions on the OU level) and it worked fine
Not sure why it is not working for you…