
Applying Managed Settings and What it Does

Letting users manage their own email groups is a great thing. It gives IT staff more time to perform more skilled tasks, and it empowers end users to manage one important aspect of email and communication for their peers and themselves, allowing them to make changes instantly without relying on someone else to do it for them. That employee is able to use Outlook's Global Address List (GAL) in the Address Book to add and remove members of the group with an easy-to-use graphical interface in a program they're already using for emails.


The 'Owner' field indicates the manager of the group which lets end users know who looks after the members of the group.

To set this up, you'll need to use Active Directory Users and Computers. From there, find the group in question. In 'Properties', under the 'Managed By' tab, you will see the option 'Name' along with a 'Change' button. The 'Change' button is where you can select the user as a manager of the group. You'll also need to select the box "Manager can update membership list" to give the selected manager permission to add and remove members in the group.


Then, press "OK" and you're done!

This is pretty simple so far, but what if you want to give helpdesk staff access to setting and changing managers? If you don't care about security then you could make them a domain admin; however, best practice is to grant only the minimum access required. There are two permissions required for this. The first is "Write Managed By", which they need to be able to write to the "Managed By" area. This will allow them to change the manager; however, it is not enough to tick the "Manager can update membership list" box. At first this may seem a little unclear, and helpdesk staff may see the error "An error was encountered when trying to set the correct security settings for this manager to manage this object." This hints that a further security setting is required: "Modify Permissions".

"Modify Permissions" is required because when you tick the "Manager can update membership list" option, you're actually adding the manager to the security list on the group and granting them "Write Members" access. You can see this yourself if you tick the box, close the group, re-open it, and check the settings tab. The manager will now appear with their own security settings.

Because you typically don't want to set the security individually per group, you can give helpdesk staff this access at a higher part of your Active Directory Organizational Unit structure, and let the permissions filter down.

To do this, go to the properties at the highest level you'd like to apply the security settings to. This can be at the very top level of your domain (mydomain.com), but that means all groups will be set with this access by default, which I wouldn't recommend for reasons explained further on. From there, click "Advanced" on the "Security" tab and you'll see a window with all the existing permissions where you can click "Add".


On the next screen, begin by selecting the "Principal". This is either the user, or the group that contains the users, you'd like to give the access to. We're "Allowing" access, so leave that part as is. For the "Applies to" section, you'll have to trawl through the dropdown list to "Descendant Group Objects". We only want to apply this permission to groups, because if we left it at just objects, that would be pretty much everything in AD. This setting will let the Principal user(s) add or remove security permissions on the specified objects, which probably isn't something you want to give out. A good reason not to do this for your entire AD environment is that it would give them the ability to add themselves to the Domain Administrators group!

The last thing to do is tick "Modify Permissions" and press "OK" three times. If you have a large number of objects to update, it may take a little while to apply the new permissions to every object.
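To check how far the delegation above actually reaches, the following read-only PowerShell audit (an added example, not from the original article) lists which principals hold "Modify Permissions", "Write Members" or "Write Managed By" on each group under a search base. The OU path and the `MYDOMAIN\Helpdesk` name are placeholders, and rights granted through property sets are not resolved.

```powershell
# Added example: read-only audit of the group delegation described above.
# Requires the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Assumptions: placeholder values, replace with your own.
$SearchBase = 'OU=Groups,DC=mydomain,DC=com'   # level where the ACE was added
$Principal  = 'MYDOMAIN\Helpdesk'              # hypothetical helpdesk group

# schemaIDGUIDs of the attributes behind the two "Write ..." permissions.
$AttributeGuids = @{
    'Write Members'    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # member
    'Write Managed By' = [guid]'0296c120-40da-11d1-a9c0-0000f80367c1'  # managedBy
}
$Rights      = [System.DirectoryServices.ActiveDirectoryRights]
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-GroupDelegation {
    param([string]$SearchBase)
    foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # Skip Deny ACEs and ACEs that only apply to child objects.
            if ($ace.AccessControlType -ne 'Allow' -or
                $ace.PropagationFlags.HasFlag($InheritOnly)) { continue }
            $granted = @()
            # "Modify Permissions" in the GUI is the WriteDacl right.
            if ($ace.ActiveDirectoryRights.HasFlag($Rights::WriteDacl)) {
                $granted += 'Modify Permissions'
            }
            if ($ace.ActiveDirectoryRights.HasFlag($Rights::WriteProperty)) {
                foreach ($name in $AttributeGuids.Keys) {
                    # An empty ObjectType means the ACE covers every property.
                    if ($ace.ObjectType -in @([guid]::Empty, $AttributeGuids[$name])) {
                        $granted += $name
                    }
                }
            }
            if ($granted) {
                [pscustomobject]@{ Group = $group.Name; Principal = $ace.IdentityReference.Value
                                   Granted = $granted -join ', '; Inherited = $ace.IsInherited }
            }
        }
    }
}

$report = Get-GroupDelegation -SearchBase $SearchBase
# Groups the helpdesk principal can re-permission, then every other holder.
$report | Where-Object Principal -eq $Principal | Format-Table -AutoSize
$report | Where-Object Principal -ne $Principal | Sort-Object Group | Format-Table -AutoSize
```

Rows with `Inherited` set to `False` and a manager as the principal are the per-group entries created by the "Manager can update membership list" checkbox.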

I also recommend using the Notes field on each group to record who the actual Owner of the group is, as it is often different from the Manager. The Manager is the one who actually makes the changes, whereas the Owner is someone you may want to get approval from for changes to the group if the Manager is unavailable.

Hopefully this will save the admins out there who still manage their entire company's email groups manually some quality time.

