HI,
You may consider to use RBAC, refer to this document:
https://technet.microsoft.com/en-us/library/dd298183(v=exchg.141).aspx
Following are my steps for reference:
Create a new management role group
New-RoleGroup Name DGManagement
Create a new management role
New-ManagementRole -Parent "Distribution Groups" -Name "DG role"
Configure the role entry with necessary cmdlets.
Use this command to remove all cmdlets except Set-DistributionGroup
Get-ManagementRoleEntry DG role\* | where {$_.name ne Set-DistributionGroup} | Remove-ManagementRoleEntry
Add necessary cmdlets one by one
Add-ManagementRoleEntry "DG Role\Get-Recipient"
Add-ManagementRoleEntry "DG Role\Set-Group"
Add-ManagementRoleEntry "DG Role\Get-User"
Add-ManagementRoleEntry "DG Role\Get-Group"
Add-ManagementRoleEntry "DG Role\Get-DistributionGroup"
Configure the role entry with necessary parameters to manage the "manage" tab, remove all unnecessary parameters except ManagedBy
Set-ManagementRoleEntry "DG Role\Set-DistributionGroup" Parameters AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, AcceptMessagesOnlyFromSendersOrMembers, Alias, BypassModerationFromSendersOrMembers, BypassNestedModerationEnabled, Confirm,
CustomAttribute1, CustomAttribute10, CustomAttribute11, CustomAttribute12, CustomAttribute13, CustomAttribute14, CustomAttribute15, CustomAttribute2, CustomAttribute3, CustomAttribute4, CustomAttribute5, CustomAttribute6, CustomAttribute7, CustomAttribute8,
CustomAttribute9, Debug, DisplayName, DomainController, EmailAddresses, EmailAddressPolicyEnabled, ErrorAction, ErrorVariable, ExpansionServer, ExtensionCustomAttribute1, ExtensionCustomAttribute2, ExtensionCustomAttribute3, ExtensionCustomAttribute4, ExtensionCustomAttribute5,
ForceUpgrade, GrantSendOnBehalfTo, HiddenFromAddressListsEnabled, Identity, IgnoreDefaultScope, IgnoreNamingPolicy, MailTip, MailTipTranslations, MaxReceiveSize, MaxSendSize, MemberDepartRestriction, MemberJoinRestriction, ModeratedBy, ModerationEnabled, Name,
OutBuffer, OutVariable, PrimarySmtpAddress, RejectMessagesFrom, RejectMessagesFromDLMembers, RejectMessagesFromSendersOrMembers, ReportToManagerEnabled, ReportToOriginatorEnabled, RequireSenderAuthenticationEnabled, RoomList, SamAccountName, SendModerationNotifications,
SendOofMessageToOriginatorEnabled, SimpleDisplayName, Verbose, WarningAction, WarningVariable, WhatIf, WindowsEmailAddress RemoveParameter
Check with this command
Get-ManagementRoleEntry "DG Role\Set-DistributionGroup" | fl parameters
Add this new management role to new management role group.
- In the ECP, navigate to Roles & Auditing > Adminitrators Roles.
- Select the DGManagementrole group, and then click
Details.
- In the Roles section, add the DG Role.
- When youve finished adding roles to the role group, click Save.
Add distribution group or user to a member of the new management role group.
- In the EAC, navigate to Roles & Auditing > Administrator Roles.
- Select the DGManagement role group, and then click
Details.
- In the Members section, select the group or user you want to add.
- When youve finished adding members to the role group, click Save.
When these users login ECP, results should be like the following screen shoot, then can only edit ownership tab.
Best Regards.