Forum Discussion
Admins are not able to create DLs even with custom "Exchange RBAC" Distribution Groups permission
Admins are not able to create DLs even with custom "Exchange RBAC" Distribution Groups permission
2 Replies
- You have to be a bit more specific here, what is the current configuration and what are aiming to achieve? To troubleshoot issues with RBAC roles, the usual place to start would be the Get-ManagementRole cmdlet, which you can use to filter out all the relevant roles containing a given cmdlet. For example:
Get-ManagementRole -Cmdlet New-DistributionGroup
will give you a list of all roles that have sufficient permissions to create a new DG. Make sure that at least one of the returned roles is assigned to the user(s) in question.VasilMichev Hi, thanks for the reply, I'm a big fan of yours.
In our setup, there are 30+ countries each having their L2 teams and have been given Exchange permissions through country scoped RBAC roles. They have DL permission enabled but not for SG mostly, for some country RBACs both are disabled. When we enabled the latter, they could manage the SGs but not create them. However, they were able to create DLs and ofcourse manage them.
However, we have have a Global L3 team(includes me) who have Exchange Admin roles so they have full rights. But, we do have Default scoped RBACs meant for Country L2 Admins only that has DL permissions and not SG. We identified this issue that this RBAC allows them to create DLs actually. We have another for Mail Recipients but SG permissions aren't enabled in either of them.
That was a reason and having so many custom RBACs took us some time to identify the cause. Thanks again for responding to this query.
