Management Role Suggestions for Recipients management
I have a need to have some help desk folks create and manage Exchange 2010 recipients.
But I also need those users to be restricted from changing Distribution Group membership.
When I looked at the Management Roles I found that none of them allowed me to allow recipient creation, but not allow distribution group addition.
From the "Built-in Management Roles" article on TechNet:
"The Mail Recipients management role enables administrators to manage existing mailboxes, mail users, and mail contacts in an organization. This role can't create these recipients. Use the Mail Recipient Creation role to create them."
"The Mail Recipient Creation management role enables administrators to create mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. This role can be combined with the Mail Recipients role to enable the creation and management of recipients."
Does anyone have a suggestion for how I might solve this puzzle?
Todd C. Brown Bell Techlogix
May 20th, 2011 6:17pm
Hi,
Maybe you can assign a deny permission on your distribution group security for these management roles.
Just a suggestion, I didn't try it :))
Regards,
Mumin CICEK | www.cozumpark.com
May 20th, 2011 6:49pm
How would one assign 'deny' to adding to distribution groups?
Todd C. Brown Bell Techlogix
May 20th, 2011 8:59pm
Hi Todd,
I would suggest that you create a custom role group and add the help desk folks as members.
As we know, if we use the "Mail Recipient Creation" role, it will give the users more permissions than we expect, so we could remove some entries from the role and create a new role.
We need to confirm which entries we should remove; we can get that information from the following:
Get-ManagementRoleEntry "Distribution Groups\*"
such as: New-DistributionGroup
New-DynamicDistributionGroup
Add-DistributionGroupMember
...
I also used the command:
Get-ManagementRoleEntry "Mail Recipient Creation\*"
and could not find the above-mentioned distribution-related commands, so I cannot confirm what you said, although the documentation says the role can do it.
I would suggest that you do some tests: create a new role group and add the roles:
Mail Recipient Creation
Mail Recipients
If the users can create, modify, and manage the distribution groups, then we can do more research.
Regards!
Gavin
May 26th, 2011 4:35am
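One way to build the custom roles suggested in the last reply, as an added example that is not part of the original thread: it creates child roles of the two built-in roles, strips every non-Get entry whose cmdlet name contains "DistributionGroup", and checks the result. The role, role group and account names are hypothetical placeholders.

```powershell
# Added example. Run in the Exchange Management Shell with rights to manage RBAC.
# All names below are hypothetical placeholders; replace them with your own.
$roleGroup = 'Help Desk Recipients'
$members   = 'helpdesk1', 'helpdesk2'
$roleMap   = @{
    'HD Mail Recipient Creation' = 'Mail Recipient Creation'
    'HD Mail Recipients'         = 'Mail Recipients'
}

# Returns the entries of a role that can change a distribution group.
# Get-* entries are read-only and are left in place.
function Get-GroupWriteEntry([string]$Role) {
    Get-ManagementRoleEntry "$Role\*DistributionGroup*" -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notlike 'Get-*' }
}

foreach ($child in $roleMap.Keys) {
    # A child role starts with every entry of its built-in parent;
    # entries can only be removed from it, never added beyond the parent.
    New-ManagementRole -Name $child -Parent $roleMap[$child] | Out-Null

    Get-GroupWriteEntry $child | ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$child\$($_.Name)" -Confirm:$false
    }
}

# Assign only the trimmed child roles, never the built-in parents.
New-RoleGroup -Name $roleGroup -Roles @($roleMap.Keys) -Members $members | Out-Null

# Verify: no distribution group write cmdlets may remain in either child role.
foreach ($child in $roleMap.Keys) {
    $left = @(Get-GroupWriteEntry $child | ForEach-Object { $_.Name })
    if ($left.Count -gt 0) {
        Write-Warning "${child} still allows: $($left -join ', ')"
    } else {
        Write-Host "${child}: no distribution group write cmdlets remain"
    }
}
```

If the parent role contains no matching entries, the removal step is simply a no-op, so the script is safe to run whichever built-in role actually carries the distribution group cmdlets.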