It is common knowledge that by setting the configuration “Managed By” and “Manager can update membership list”, users can be authorized to administrate members of a mailing list in Microsoft Outlook.
However, it gets complicated when multiple people should be able to update the members of the mailing list. But there is a solution…
Three Managers for One Distribution List
First of all, we need to create a distribution list. In our example it is “DL-with-multiple-managers”.
But before setting distribution lists with multiple managers, we should take a look at the following attributes:
- Managed By
The box “Managed By” only allows the entry of one single user object. The attribute is “single-valued” and can thus only store one value as “Managed By”.
To enable multiple user accounts as manager of a distribution list, Microsoft introduced the attribute “msExchCoManagedByLink”.
The attribute is used automatically (with the correct parameters) as soon as the managers of the list are entered via PowerShell.
With the PowerShell cmdlet Set-DistributionGroup, the property “Managed By” of a distribution list can be changed. Usually you just set one user account as manager.
What happens when multiple user accounts, separated by commas, are entered?
In this case the first account is entered in the attribute “Managed By”.
All other accounts will automatically be entered into the attribute “msExchCoManagedByLink”.
Example with three managers:
The distribution list “DL-with-multiple-managers” gets 3 managers: Sebastian Achen, Lena Baader and Tobias Baier.
We enter them as follows via PowerShell:
Set-DistributionGroup -Identity "DL-with-multiple-managers" -managedby "Sebastian.Achen","Lena.Baader","Tobias.Baier" -BypassSecurityGroupManagerCheck
The attribute msExchCoManagedByLink looks like this:
Lena Baader’s and Tobias Baier’s accounts were entered as expected.
Manager can update membership list
This configuration, however, does not suffice to change memberships.
You have to check the box “Manager can update membership list”.
The box is checked automatically for the manager as soon as the right “write members” has been assigned for the distribution list.
To enable the secondary managers to administer members, the permission has to be granted to them as well.
PowerShell commands for the permissions:
add-adpermission -Identity DL-with-multiple-managers -User Sebastian.Achen -AccessRights "writeproperty" -Properties "member"
add-adpermission -Identity DL-with-multiple-managers -User Lena.Baader -AccessRights "writeproperty" -Properties "member"
add-adpermission -Identity DL-with-multiple-managers -User Tobias.Baier -AccessRights "writeproperty" -Properties "member"
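To confirm from the Exchange Management Shell that every account listed as manager also holds the “write members” right, the following added example (not part of the original article) compares the two settings. The function name Test-ManagerCanWriteMembers is hypothetical, and the check assumes the right was granted directly to each account, as in the commands above, not through a group.

```powershell
# Added example: run in the Exchange Management Shell.
# Test-ManagerCanWriteMembers is a hypothetical helper name.
# Assumption: only ACEs granted directly to the manager account are checked;
# rights obtained through group membership are not evaluated.
function Test-ManagerCanWriteMembers {
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupIdentity
    )

    $dl = Get-DistributionGroup -Identity $GroupIdentity -ErrorAction Stop

    # ManagedBy lists the primary manager and the co-managers.
    foreach ($manager in $dl.ManagedBy) {
        # Permission entries on the group object for this account only.
        $aces = Get-ADPermission -Identity $dl.DistinguishedName -User "$manager"

        # Keep allow entries that grant WriteProperty on the member attribute.
        $grant = @($aces | Where-Object {
            (-not $_.Deny) -and
            ($_.AccessRights -like '*WriteProperty*') -and
            ($_.Properties -like 'member')
        })

        New-Object PSObject -Property @{
            Group           = $dl.Name
            Manager         = "$manager"
            CanWriteMembers = ($grant.Count -gt 0)
        } | Select-Object Group, Manager, CanWriteMembers
    }
}

# List name taken from the article's example.
Test-ManagerCanWriteMembers -GroupIdentity 'DL-with-multiple-managers' |
    Format-Table -AutoSize
```

A manager reported with CanWriteMembers = False appears as owner of the list but cannot change its membership until the permission is added.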
Check with OWA
The easiest way to check the success of the settings is with Outlook Web App.
The screenshot below shows an OWA session with an Exchange 2010 Server. The logged-in user is the secondary manager Tobias Baier.
In the area “Options > Groups > Public Groups I Own” you can see all distribution lists the user can administrate.
Default Role Assignment Policy
Finally, there is one last small hurdle to overcome. The Exchange 2010/2013 default policy does not automatically allow users to administrate their distribution lists. To make that possible, the “Default Role Assignment Policy” in the ECP (Exchange Control Panel) needs to be changed.
By activating the role “MyDistributionGroupMembership”, the manager of the distribution list gets the permission to edit it.
With these settings in place, it is possible to configure distribution lists with multiple managers.