Forum Discussion

HansYolo's avatar
HansYolo
Copper Contributor
Aug 13, 2025

Creation of customrole that allows only creation of Mailenabled Security groups.

Hej Exchange community :)

My first post here and i am also quick to admit that im not really super experienced with Exchange management (been a user of the Gui for many years on a servicedesk)


I am trying to create a custom role in our 2019 onprem exchange installation to give our servicedesk the ability to create mailenabled security groups directly in the gui in Ecp. 

My custom role has access to the cmdlets bellow but im missing something 

Get-ManagementRoleEntry "mygroupname\*"


Enable-DistributionGroup       
Remove-DistributionGroupMember 
Add-DistributionGroupMember    
Remove-DistributionGroup       
Set-DistributionGroup          
Get-OrganizationalUnit         
Get-Group                      
Get-Recipient                  
Get-DistributionGroup          
New-DistributionGroup

 

The test user i have set up in order to test this gets access to create distributionsgroups sure enough but the security groups option is not there. 

as i have understand it is the "New-DistributionGroup" cmdlet with the parameter type-security that allows for the creation of the security groups, but when i try to add that with 

After a few hours spent googling and asking different gpt (and sorting thro the gpt hallusinations) i'm at a loss for what the issue might be.

Anyone got any ideas what i'm missing?


Thanks in advance :)

admin
Custom Roles
Exchange Server

3 Replies

Sort By
  • TaeYounAnn's avatar
    TaeYounAnn
    MVP
    Aug 22, 2025

    HansYolo​ 

    In Exchange, mail-enabled security groups and regular distribution groups are created through the same cmdlet (New-DistributionGroup), so limiting the creation to only security groups is not supported.

    • HansYolo's avatar
      HansYolo
      Copper Contributor
      Aug 28, 2025

      Thanks for the anwser :) TaeYounAnn

      I'm more than fine with allowing the custom role to create ordinarie distributionsgroups aswell but the role can ONLY create normal distribution groups now with the Gui. 

      to my understanding allowing New-DistributionGroup would allow the members of the role to create both secuirty groups in the gui and distributiongroups but that is not the case. 

      Didnt wanna do the whole screen as a screenshot and post it here but this is from our ECP and the option to create security groups is not in there :/

       

      • TaeYounAnn's avatar
        TaeYounAnn
        MVP
        Aug 29, 2025

        Thanks for answer HansYolo​ 

        This is because only distribution groups are visible in ECP.

        New-DistributionGroup is designed to create distribution groups by default.

        Security groups are created based on New-DistributionGroup parameters.

        The order is as follows:

        New-DistributionGroup (Base)

        New-DistributionGroup -Type Security (Security Group)

        Therefore, it is impossible to restrict or expose only security groups through RBAC in the GUI.

Resources