Delegating Exchange 2007 Distribution List Management to End Users

One of the challenges of operating a messaging environment is making sure the company’s internal Distribution Lists stay up to date.  In most corporate environments this task is assigned to IT staff, but it does not have to be like this.  At least, not for regular Distribution Lists.  (It may be a bit complicated for Dynamic Distribution Lists, but hey – they are dynamic, so there should be no reason to delegate management access to a Dynamic Distribution List.)

There may be good reasons to delegate this task to end users, and ideally these users should be able to use their Outlook client to manage the company Distribution Lists.  Imagine that you can ask Marketing people to keep the Marketing distribution list up to date… or ask Sales support people to do the same for Sales DLs… and so on…  Wouldn’t that be great?  Luckily, it’s not that complicated to make this happen.

Whether you have installed Exchange 2007 into your ‘account domain’, or whether you are using a dedicated Exchange forest (and have at least a one way trust between the account domain and Exchange forest), the procedure will be exactly the same.

In short, this is what needs to be done:

– In the account domain, create groups that contain the users who will be allowed to modify Distribution List membership.  If you have multiple distribution lists and want to allow different people to manage them, you may have to create multiple AD groups.

– In the domain that ‘holds’ Exchange, edit the security of the Distribution Lists and grant the newly created AD groups (from the account domain) access to the Distribution List.

Set up permissions

First of all, you need to figure out who will be allowed to modify DL membership on a specific DL.  Create management groups in your account domain and populate them with the user accounts that should be granted access.

Let’s say you have created a group called “DL Membership Editors” in your account domain and populated it with one or more users that are allowed to edit the DL membership.

Open Active Directory Users & Computers in the domain that ‘holds’ the Exchange environment. In an integrated solution, this is the account domain. When you are using a dedicated Exchange Resource Forest, you need to make the changes on the Resource Forest.

Next, find the Active Directory object that refers to the Distribution List. In my example, I’m using a Distribution List called “Marketing”, which contains no members so far.

Edit the properties of the DL object, go to the Security tab and click the “Advanced” button.

Click Add.

Enter the AD account domain group name that you want to delegate access to.  (If you are configuring access in the Resource Forest, you’ll have to use the “Locations” button first to select the account domain.)

In the next screen, choose “Properties”, set “Apply onto” to “Group Objects” and enable “Write Members”.

Click OK twice to save the changes. The group “DL Membership Editors” should now have “Special Permissions” set on the Distribution List object.

You can do the same with PowerShell as well:

Add-ADPermission -Id <name of distribution group> -User <name of user or group> -AccessRights WriteProperty -Properties "Member"

In the “name of user or group” parameter, enter the name of the AD group in the account domain.  So if you have a dedicated Exchange forest, the command should include the name of the domain:

Add-ADPermission -Id "Marketing" -User "ACCDOMAIN\DL Membership Editors" -AccessRights WriteProperty -Properties "Member"

(Note that you need to use the Display name of the Group in the PowerShell command.)
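Once several lists have been delegated this way, it helps to be able to see who actually holds the right. The following is an added example, not part of the original post: it grants the delegation from a small table and then lists every explicit "write Member" entry on each DL so that unexpected trustees stand out. The `$Delegations` table and the `Get-DLMemberWriters` helper are hypothetical names, and the script assumes the Exchange Management Shell and that the `User` column prints as `DOMAIN\name`.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Constructed sample mapping: DL display name -> group allowed to edit its membership.
$Delegations = @{
    'Marketing' = 'ACCDOMAIN\DL Membership Editors'
}

# Hypothetical helper: return the explicit (non-inherited) allow entries on a DL
# that grant WriteProperty scoped to the Member attribute.
# Broader rights (for example GenericAll) are outside the scope of this check.
function Get-DLMemberWriters([string]$DistributionList) {
    Get-ADPermission -Identity $DistributionList |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            ("$($_.AccessRights)" -match 'WriteProperty') -and
            ("$($_.Properties)" -match 'Member')
        } |
        Select-Object Identity, User, AccessRights, Properties
}

foreach ($dl in $Delegations.Keys) {
    $expected = $Delegations[$dl]
    $writers  = @(Get-DLMemberWriters $dl)

    # Grant only when the expected group is not already on the ACL
    # (assumption: User renders as DOMAIN\name, so a string compare is enough).
    if (-not ($writers | Where-Object { "$($_.User)" -eq $expected })) {
        Add-ADPermission -Identity $dl -User $expected `
            -AccessRights WriteProperty -Properties 'Member' | Out-Null
        $writers = @(Get-DLMemberWriters $dl)
    }

    # Report every trustee; anything other than the expected group deserves review.
    foreach ($w in $writers) {
        $status = 'UNEXPECTED'
        if ("$($w.User)" -eq $expected) { $status = 'expected' }
        "{0,-12} {1,-20} {2}" -f $status, $dl, $w.User
    }
}

# To revoke a delegation later, mirror the grant:
# Remove-ADPermission -Identity 'Marketing' -User 'ACCDOMAIN\DL Membership Editors' `
#     -AccessRights WriteProperty -Properties 'Member'
```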

 

Test DL management

Now open Outlook on the computer of one of the users that is a member of the “DL Membership Editors”. I have noticed that, if Outlook was still running at the time the security was changed, the user will have to close Outlook & relaunch Outlook before the changes are applied.

Open the Global Address Book and find the group that needs to have its membership changed.

Edit the properties and click on “Modify Members”.

Add/Remove members and click OK twice to save the changes.

That’s all there is to it.

2 thoughts on “Delegating Exchange 2007 Distribution List Management to End Users”

  1. Well, it did work fine for me – perhaps you just need to wait for AD to properly replicate, close the Outlook client and fire it up again?

    I have tested this on individual DL’s (without setting permissions on the OU level) and it worked fine

    Not sure why it is not working for you…
