I was asked the above question the other day – essentially, how do you have a group of people with delegated access to manage all aspects of Distribution Lists within Exchange 2010?
There was a desire to devolve the management of Distribution Lists to the HR section, thereby freeing up a number of members of the 3rd tier support group.
Luckily there is a built-in RBAC role in Exchange 2010 called “Manage Distribution Groups”, which is designed to allow delegated control of distribution list management and creation. By default it has no members (or groups), so it is relatively straightforward to add a custom Universal Security Group from AD to the RBAC role and so allow members of that security group to administer distribution lists.
Create a Universal Security Group in Active Directory
In order to take advantage of the built-in RBAC group you should create a Universal Security Group within your Active Directory environment, which will contain the user accounts that will have the permissions to create / modify Distribution Lists.
You can of course assign members to the RBAC role on a per-account basis, but this ultimately becomes difficult to manage, so the group-based approach is highly recommended.
To set up the security group that will contain the user accounts to which you wish to delegate administrative permissions, open Active Directory Users and Computers and right-click on the location where you would like to store the security group, then from the context menu that appears choose [ New –> Group ] – see below:
From the “New Object – Group” properties dialog box fill in the information (Group Name and Group Name (pre-Windows 2000)) as you wish, and ensure that the “Group scope” is set to “Universal” and the “Group type” is set to “Security” – see below
You can now add to the security group the user accounts that you wish to manage all distribution groups within the directory and Exchange environment.
When you are done, click on the “OK” button and close ADUC.
Exchange Management Shell Command
Open the Exchange Management Shell and type in the following command:
Add-RoleGroupMember "Manage Distribution Groups" -Member "<name of the security group>"
Where “<name of the security group>” is the name of the group that you created in AD – see below
After these changes have been made, the members of the AD security group that you defined will be able to manage distribution lists either from Outlook, or within the Exchange Control Panel (ECP) – see below
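The same procedure can be scripted and then checked from the Exchange Management Shell. The following is an added example, not part of the original post: it creates the group only if it is missing, confirms it is a Universal Security group, adds it to the role group named in the post, and then lists what the delegation grants and to whom. The group name `HR-DL-Managers` and the OU path are hypothetical, and the script assumes the ActiveDirectory PowerShell module is available in the same session.

```powershell
# Added example. Values marked "hypothetical" are assumptions, not from the post.
# Run in the Exchange Management Shell with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$RoleGroup = 'Manage Distribution Groups'     # role group name as given in the post
$GroupName = 'HR-DL-Managers'                 # hypothetical security group name
$GroupOU   = 'OU=Groups,DC=example,DC=com'    # hypothetical OU for the group

# 1. Create the group only if it does not exist, with the scope and type
#    the post calls for (Universal / Security).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Universal -GroupCategory Security -Path $GroupOU -PassThru
}
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$GroupName is $($group.GroupScope)/$($group.GroupCategory); expected Universal/Security."
}

# 2. Add the group to the role group unless it is already a member.
$current = @(Get-RoleGroupMember -Identity $RoleGroup)
if (-not ($current | Where-Object { $_.Name -eq $GroupName })) {
    Add-RoleGroupMember -Identity $RoleGroup -Member $GroupName
}

# 3. Review the delegation: who is in the role group, and which management
#    roles and recipient write scopes the role group carries.
Get-RoleGroupMember -Identity $RoleGroup |
    Format-Table Name, RecipientType -AutoSize
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Format-Table Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize

# 4. List the accounts that actually receive the permission, including any
#    that arrive through nested groups.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, objectClass -AutoSize
```

Re-running steps 3 and 4 on a schedule gives a simple record of who holds the delegated right, since later changes to the AD group's membership alter it without touching Exchange. A newly created group may not resolve in Exchange until Active Directory replication has reached the domain controller Exchange is using.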