Prevent Users from Creating Groups in Office 365

28 thoughts on “Prevent Users from Creating Groups in Office 365”

  1. Great Stuff – this is exactly what I wanted to do! – Before I go ahead and run the scripts, I’ve got 2 OWA Policies setup in the system – OwaMailboxPolicy-Default (Which is assigned to all staff) and Students_MailboxPolicy (Which is assigned to all students)

    If I want to disable students from creating new groups do I change the line -Identity OwaMailboxPolicy-Default to -Identity Students_MailboxPolicy

    Will this remove any other settings that I already have place in my Students policy or just add the new restriction to what already exists?

    Thanks

    Matt

    1. Hi Matt,
      Yes you can do this or you can do it to all of the OWA Policies Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -GroupCreationEnabled $false

  2. Hi Alex, Is this parameter still working?

    I’ve tried to change it along with ‘FacebookEnabled’ on our default OwaMailboxPolicy and a test policy with no luck on either. Both parameters throw back a cannot be found error.

    Other parameters such as CalendarEnabled can be edited fine though?

  3. Thanks for the guide above. I have hit this problem so my policy was called Student Role Assignment Policy and when I ran set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity Student Role Assignment Policy

    I got an error

    A positional parameter cannot be found that accepts argument ‘Role’.
    + CategoryInfo : InvalidArgument: (:) [Set-OwaMailboxPolicy], Par
    ameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-OwaMailboxPolicy
    + PSComputerName : pod51031psh.outlook.com

    I assumed that it was because of the spaces in the name so I changed the name to Student_Role_Assignment_Policy

    Now when I run

    set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity Student_Role_Assignment_Policy

    I get an error

    The operation couldn’t be performed because object
    ‘Student_Role_Assignment_Policy’ couldn’t be found on
    ‘AMSPR06A001DC06.EURPR06A001.prod.outlook.com’.
    + CategoryInfo : NotSpecified: (:) [Set-OwaMailboxPolicy], Manage
    mentObjectNotFoundException
    + FullyQualifiedErrorId : [Server=DB4PR06MB347,RequestId=8de18193-4f3e-4cc
    a-a503-0876289baf02,TimeStamp=27/11/2014 13:59:15] [FailureCategory=Cmdlet
    -ManagementObjectNotFoundException] B50E92DF,Microsoft.Exchange.Management
    .Tasks.SetOwaMailboxPolicy
    + PSComputerName : pod51031psh.outlook.com

    Do you have any advice?

  4. Hi Mark,
    As you have a space in your OWA Policy you need to put the name speech marks. Examples below:

    set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity “Student Role Assignment Policy”

  5. What if you want it off for all users except the Admin account? I ran the script and it worked but has also prevented me from creating groups.

  6. Hi Alex

    I have followed what you said renaming my policy to Student Role Assignment Policy

    Then I ran the cmd set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity “Student Role Assignment Policy”

    But I am getting the following error

    The operation couldn’t be performed because object ‘Student Role Assignment Policy’ couldn’t be found on
    ‘AMSPR06A001DC09.EURPR06A001.prod.outlook.com’.
    + CategoryInfo : NotSpecified: (:) [Set-OwaMailboxPolicy], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=DB4PR06MB347,RequestId=3af46dff-8fbd-4cce-883a-a1594c52f3bf,TimeStamp=09/12/2014
    08:51:12] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] EB57B62B,Microsoft.Exchange.Management.Tasks
    .SetOwaMailboxPolicy
    + PSComputerName : pod51031psh.outlook.com

  7. Thank you for this. One question, who do I run a query that outputs the members of a specific Outlook Web App policy?

  8. Hi guys,

    I am trying to stop our students and staff from making groups…however just need a bit of help if possible.

    I have created 3 policies…and now I want to apply, however I keep getting an error.

    Policies are:

    IT Admin Policy
    Staff Policy
    Student Policy

    I can change the policy using Get-Mailbox (mailbox user) | where { $_.RoleAssignmentPolicy -Eq “Default Role Assignment Policy” } | Set-Mailbox -RoleAssignmentPolicy “Staff Policy”

    and this in theory changes the policy, however the user is still able to create groups. I have unchecked the boxes to create groups within the policies themselves.

    Any ideas? Or how I could use set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity OwaMailboxPolicy-Default in my scenario?

    Thanks in advance for help and replies.

    Ajay

  9. Hi Ajay,
    As you’ve created 3 policies, you need to set the group creation policy for each.

    set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity -Identity “IT Admin Policy”
    set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity -Identity “Staff Policy”
    set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity -Identity “Student Policy”

    Once you’ve done, you can then assign it to the user.

    set-mailbox -identity Username -RoleAssignmentPolicy “Staff Policy”

  10. Hi guys…

    I need disable the option to create public group to user, but the private group option i need to remain enable.

    Regards,

    Paulo Mira

  11. hi

    thanks for the info. i get an error stating that “WARNING: The command completed successfully but no settings of ‘Student_OwaMailboxPolicy’ have been modified.”

    any suggestions would be very much appreciated.

    thanks

    1. hi,

      for anyone else getting the same error, it is because the setting is already in place. the commands also take quite a while to apply, therefore testing your changes in the live environment immediately after running the command makes it seem that they aren’t working.

      you can use the “Get-OwaMailboxPolicy” command and look for the “GroupCreationEnabled” line to see if has made the change.

      to apply custom policies to groups of users, the following site has good info. https://msdn.microsoft.com/en-us/library/gg981506(v=exchsrvcs.149).aspx#AssignToMany

      thanks again, you’ve saved me from days and days of manual changes!

  12. Hi, Does this apply to Office 365 hybrid users running Outlook 2010. 2013 and 2016? We want to shut down the ability for end-users to create Office 365 Groups.

    I keep getting “The role assignment policy “Oakwood” wasn’t found… while in powershell

  13. Hi Alex,

    Thanks for sharing.

    We have also come across this problem and have been able to rectify the problem by doing the following. ( This may help someone who have slimier issue)
    In our scenario, we have a domain for our staff and students. The domains are as follows;
    Staff: j.smith@school.com.au
    Students: j.smith@2017.school.com.au (Graduation year before the domain name)

    We only want disable group creation permission only for students.

    1. Install the preview version of the Azure Active Directory Module for Windows PowerShell ( https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618 )

    2. New-OwaMailboxPolicy -Name “StuRoleAssignmentPolicy”

    3. Set-OwaMailboxPolicy -Identity StuRoleAssignmentPolicy -GroupCreationEnabled $false

    4. Get-CASMailbox -ResultSize unlimited | WHERE {$_.RecipientTypeDetails -eq “UserMailbox” -and $_.PrimarySMTPAddress -like “*@2017.school.com.au”} | Set-CASMailbox -OWAMailboxPolicy “StuRoleAssignmentPolicy”

    Hope it helps someone..!

    1. What would I need to change here to apply the above the a different attribute for example the active directory “Office” attribute populated with “ClassB” or Users from a different GAL?

  14. Is it possible to set the OWA policies to a security group? So that i don’t have to remeber to assign permissions for a new member of staff all the time

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.