Creating an RBAC group with only access to Create, Manage and Remove Distribution Groups
In this scenario, we need to restrict the helpdesk so that it only has permission to create, manage and remove distribution groups.
Steps to be followed:
Create a new management role “distribution”. We have used “Distribution Groups” as the parent role for this management role.
New-ManagementRole -Name "distribution" -Parent "Distribution Groups"
This management role also provides access to dynamic distribution groups. We need to restrict that by removing the following role entries.
Get-ManagementRoleEntry "distribution\*" | ? {$_.name -like "Set-DynamicDistributionGroup"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "distribution\*" | ? {$_.name -like "Set-OrganizationConfig"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "distribution\*" | ? {$_.name -like "Remove-DynamicDistributionGroup"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "distribution\*" | ? {$_.name -like "New-DynamicDistributionGroup"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "distribution\*" | ? {$_.name -like "Get-AcceptedDomain"} | Remove-ManagementRoleEntry
Now create a new role group and add the required helpdesk administrators to this role group.
New-RoleGroup "DL Create Edit Delete" -Roles "Distribution"
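To confirm that the trimmed role really is least-privilege, the entries left on it can be audited against the cmdlets removed above. The following is an added example, not part of the original post: the function name Test-DistributionRoleEntries, the REVIEW rule and the sample entry list are assumptions made for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: audit the entries remaining on the custom "distribution" role.
# Cmdlets the post removes from the role; any of these still present is a failure.
$Removed = @(
    'Set-DynamicDistributionGroup',
    'Remove-DynamicDistributionGroup',
    'New-DynamicDistributionGroup',
    'Set-OrganizationConfig',
    'Get-AcceptedDomain'
)

function Test-DistributionRoleEntries {
    param(
        [Parameter(Mandatory = $true)] [string[]] $EntryNames,
        [string[]] $Denied = $Removed
    )
    foreach ($name in ($EntryNames | Sort-Object -Unique)) {
        $finding = if ($Denied -contains $name) {
            'FAIL: should have been removed'
        } elseif ($name -notlike 'Get-*' -and $name -notlike '*-DistributionGroup*') {
            # Assumed rule: any non-Get cmdlet that is not a DistributionGroup
            # cmdlet deserves a manual look before the role is handed out.
            'REVIEW: write cmdlet outside distribution groups'
        } else {
            'OK'
        }
        [pscustomobject]@{ Entry = $name; Finding = $finding }
    }
}

# Constructed sample so the check runs without an Exchange server.
# On a live server, build the list from the role itself instead:
#   $names = Get-ManagementRoleEntry "distribution\*" | Select-Object -ExpandProperty Name
$names = @(
    'New-DistributionGroup', 'Set-DistributionGroup', 'Remove-DistributionGroup',
    'Add-DistributionGroupMember', 'Get-DistributionGroup', 'Get-Recipient',
    'Set-DynamicDistributionGroup',   # leftover entry: reported as FAIL
    'Set-Group'                       # not a DistributionGroup cmdlet: REVIEW
)
Test-DistributionRoleEntries -EntryNames $names | Format-Table -AutoSize

# Live checks of the role group from the post (Exchange Management Shell only):
#   Get-RoleGroup "DL Create Edit Delete" | Format-List Name, Roles, Members
#   Get-ManagementRoleAssignment -RoleAssignee "DL Create Edit Delete"
```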
Ratish Nair
Microsoft MVP | Exchange Server
Team @MSExchangeGuru.com