
BACKGROUND

In Exchange 2010, if you make an end user a distribution list owner, they are capable of managing that list via OWA. However, the default MyDistributionGroups management role that gets assigned gives too many rights. The user would be allowed to not only manage their group but create and delete other distribution groups. That role provisions the user to be capable of running Set-DistributionGroup; Set-Group; Set-DynamicDistributionGroup; New-DistributionGroup among other commands to manage members.

There are plenty of articles circling around on how to create a new default management role that does not include the New-DistributionGroup and Remove-DistributionGroup commands.

However, this still allows the group owner to modify settings like the DisplayName and Alias. This could lead to a user creating a new email address for the distribution list and causing inadvertent issues.

In testing, I have created a management role that is based off the original MyDistributionGroups role, but does not include the commands New-DistributionGroup, Remove-DistributionGroup, and Set-Group. This allows the group owner to still manage the group, not delete or create new groups, and not change the Active Directory side settings such as the DisplayName and add or remove additional owners.

Unfortunately, it still allows them to change the Alias.

QUESTION

Does anyone know of a way to restrict group owners in Exchange 2010 so that they can manage members but not change properties like the Alias?

HostBits
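The role described in the question, written out for the Exchange Management Shell as an added example (not the poster's own commands). The role name and the assignment policy name are assumptions, and step 4 goes beyond the post by trimming a single parameter from a role entry with `Set-ManagementRoleEntry -RemoveParameter`.

```powershell
# Run in the Exchange 2010 Management Shell with rights to manage RBAC roles.
# Assumed names (not from the post): adjust both to your environment.
$parent = 'MyDistributionGroups'
$role   = 'MyDistributionGroups-MembersOnly'   # hypothetical role name
$policy = 'Default Role Assignment Policy'     # assumed assignment policy

# 1. Create a child role. It starts with every entry of the parent;
#    a child role can only have entries removed, never added beyond the parent.
if (-not (Get-ManagementRole -Identity $role -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $role -Parent $parent | Out-Null
}

# 2. Remove the three cmdlets the post names.
foreach ($cmdlet in 'New-DistributionGroup', 'Remove-DistributionGroup', 'Set-Group') {
    $entry = Get-ManagementRoleEntry "$role\$cmdlet" -ErrorAction SilentlyContinue
    if ($entry) { $entry | Remove-ManagementRoleEntry -Confirm:$false }
}

# 3. Audit what is left: every remaining cmdlet and the parameters it exposes.
#    This is where the Alias parameter on Set-DistributionGroup shows up.
Get-ManagementRoleEntry "$role\*" |
    Sort-Object Name |
    Format-Table Name, Parameters -Wrap

# 4. Beyond the post: remove only the Alias parameter from the
#    Set-DistributionGroup entry, leaving the rest of the cmdlet available.
$setDg = Get-ManagementRoleEntry "$role\Set-DistributionGroup"
if ($setDg.Parameters -contains 'Alias') {
    Set-ManagementRoleEntry "$role\Set-DistributionGroup" -Parameters Alias -RemoveParameter
}

# 5. Assign the restricted role through the policy in place of the parent role.
Get-ManagementRoleAssignment -Role $parent -RoleAssignee $policy |
    Remove-ManagementRoleAssignment -Confirm:$false
New-ManagementRoleAssignment -Role $role -Policy $policy | Out-Null

# 6. Confirm the parameter is gone from the effective entry.
(Get-ManagementRoleEntry "$role\Set-DistributionGroup").Parameters -contains 'Alias'
```

The last line prints `False` once the parameter has been removed. Check the result with a non-admin group owner in OWA before rolling it out, since the post does not cover how the OWA group editor behaves when a parameter is missing.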

0 Answers