Delegating Exchange 2007 Distribution List Management to End Users
One of the challenges of operating a messaging environment is keeping the company’s internal Distribution Lists up to date. In most corporate environments this task is assigned to IT staff, but it does not have to be like this. At least, not for regular Distribution Lists. (It may be a bit complicated for Dynamic Distribution Lists, but hey, they are dynamic, so there should be no reason to delegate management access to a Dynamic Distribution List.)
There may be good reasons to delegate this task to end users, and ideally these users should be able to use their Outlook client to manage the company Distribution Lists. Imagine that you can ask Marketing people to keep the Marketing distribution list up to date, or ask Sales support people to do the same for the Sales DLs, and so on. Wouldn’t that be great? Luckily enough, it’s not that complicated to make this happen.
Whether you have installed Exchange 2007 into your ‘account domain’, or whether you are using a dedicated Exchange forest (and have at least a one way trust between the account domain and Exchange forest), the procedure will be exactly the same.
In short, this is what needs to be done:
– in the account domain, create groups that contain the users that will be allowed to modify Distribution List membership. If you have multiple distribution lists and if you want to allow different people to manage these distribution lists, you may have to create multiple AD groups
– in the domain that ‘holds’ Exchange, edit the security of the Distribution Lists and grant the newly created AD groups (from the account domain) access to the Distribution List
Set up permissions
First of all, you need to figure out who will be allowed to modify DL membership on a specific DL. Create management groups in your account domain and populate them with the user accounts that should be granted access.
Let’s say you have created a group called “DL Membership Editors” in your account domain and populated it with one or more users that are allowed to edit the DL membership.
Open Active Directory Users & Computers in the domain that ‘holds’ the Exchange environment. In an integrated solution, this is the account domain. When you are using a dedicated Exchange Resource Forest, you need to make the changes on the Resource Forest.
Next, find the Active Directory object that refers to the Distribution List. In my example, I’m using a Distribution List called “Marketing”, which contains no members so far.
Edit the properties of the DL object, go to the Security tab and click the “Advanced” button.
Click Add
Enter the AD account domain group name that you want to delegate access to. (If you are configuring access in the Resource Forest, you’ll have to use the “Locations” button first to select the account domain.)
In the next screen, choose “properties”, set “Apply onto” to “Group Objects” and enable “Write Members”.
Click OK twice to save the changes. The group “DL Membership Editors” should now have “Special Permissions” set on the Distribution List object.
You can do the same with PowerShell as well:
Add-ADPermission -Id <name of distribution list> -User <name of user or group> -AccessRights WriteProperty -Properties "Member"
In the “name of user or group” parameter, enter the name of the AD group in the account domain. So if you have a dedicated Exchange forest, the command should include the name of the domain :
Add-ADPermission -id "Marketing" -User "ACCDOMAIN\DL Membership Editors" -AccessRights WriteProperty -Properties "Member"
(Note that you need to use the Display name of the Group in the PowerShell command.)
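To review what has been delegated afterwards, the following added example (not part of the original post) lists the explicit write entries on each Distribution List and warns when a list is a mail-enabled security group, where editing membership also grants access to resources. It assumes it is run in the Exchange Management Shell of the forest that holds Exchange; the $lists variable is hypothetical and only contains the “Marketing” list used above.

```powershell
# Added example: audit delegated membership rights on Distribution Lists.
# Assumption: $lists is a hypothetical variable holding the DLs to review;
# "Marketing" is the example list used in this post.
$lists = @("Marketing")

foreach ($name in $lists) {
    $dl = Get-DistributionGroup -Identity $name

    # A mail-enabled security group is also used for access control, so
    # whoever can edit its members can hand out access to resources.
    if ($dl.RecipientTypeDetails -eq "MailUniversalSecurityGroup") {
        Write-Warning "$name is a security group: membership editors can grant resource access"
    }

    # Keep only explicit (not inherited) allow entries that include
    # WriteProperty, which is the right granted by Add-ADPermission above.
    Get-ADPermission -Identity $dl.DistinguishedName |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            ("$($_.AccessRights)" -like "*WriteProperty*")
        } |
        Select-Object @{Name = "DistributionList"; Expression = { $name }},
                      User, AccessRights, Properties
}
```

Any entry whose User is not one of the management groups you created deserves a closer look. Remove-ADPermission takes the same parameters as the Add-ADPermission command above and withdraws the delegation.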
Test DL management
Now open Outlook on the computer of one of the users that is a member of the “DL Membership Editors”. I have noticed that, if Outlook was still running at the time the security was changed, the user will have to close Outlook & relaunch Outlook before the changes are applied.
Open the Global Address Book, find the group that needs to have its membership changed.
Edit the properties and click on “Modify Members”
Add/Remove members and click OK twice to save the changes.
That’s all there is to it.
© 2009 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.