Exchange 2010 SP1 Distribution Group Membership Management

Posted on 2011-04-28
Medium Priority
Last Modified: 2012-05-11
I am looking for a way to assign the right to modify distribution group membership, in Outlook through Exchange 2010 SP1, to a group rather than an individual.

We have several hundred DLs which in E2K3 were configured to allow membership modification by members of a group, which itself has a large number of members. I have not found a way in Exchange 2010 to recreate this configuration.

I tried running...

Set-DistributionGroup "GroupName" -ManagedBy "Security Group Name" -BypassSecurityGroupManagerCheck

….I get an error indicating that the owner of the group must have recipient type details that equal UserMailbox, LegacyMailbox, SharedMailbox, MailUser, LinkedMailbox, RemoteUser, RemoteSharedMailbox, MailContact, or User.

I tried running....

Add-ADPermission -Identity "DL Name" -User "Management Group Name" -AccessRights WriteProperty -Properties Member

....and got the following error...

Active Directory operation failed on "DomainControllerName". This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
    + FullyQualifiedErrorId : D0CDD1B8,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

....I get this same error even if I specify an individual user rather than a management group.

Any help would be appreciated.
Question by:thar0817

Author Comment

ID: 35485616
I have discovered that if I go into ADSI Edit, find the distribution group which needs to be managed, and modify the attribute msExchCoManagedByLink to include the distinguished name of the management group – then the management group appears in EMC under Managers – but, it appears with a red X and under organizational unit it indicates “Object not found.”

I assume this means that EMC is not searching for groups, and the permission will never become effective in Exchange.

Am I just screwed here? I don’t know why Microsoft would implement a system in which you are forced to assign permissions to individuals rather than groups.
LVL 37

Accepted Solution

Jamie McKillop earned 2000 total points
ID: 35491458

You can't assign DG management to a group, only an individual user. I'm not sure why Microsoft would set this limitation and I agree it is frustrating. BTW, I would recommend against going into ADSI Edit and making changes like you did. If you can't set something through the GUI or PowerShell, you shouldn't try to circumvent the restrictions by editing the object directly. This has the potential to cause major problems.
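
Given the limit to individual owners described in the answer above, one supported route is to expand the management group's members into individual ManagedBy entries. The script below is an added example, not code from this thread or from Microsoft; the two group names are placeholders, and the management group is assumed to be mail-enabled so that Get-DistributionGroupMember can read it.

```powershell
# Added example; run in the Exchange Management Shell. Both group names are placeholders.
$managedGroup    = 'DL Name'                 # distribution group whose membership is delegated
$managementGroup = 'Management Group Name'   # assumed mail-enabled so Exchange can expand it

# Owner types Exchange accepts, taken from the error message quoted in the question.
$allowedTypes = 'UserMailbox','LegacyMailbox','SharedMailbox','MailUser','LinkedMailbox',
                'RemoteUser','RemoteSharedMailbox','MailContact','User'

$members = @(Get-DistributionGroupMember -Identity $managementGroup -ResultSize Unlimited)

# Split members into those that can be owners and those that cannot (e.g. nested groups).
$owners  = @($members | Where-Object { $allowedTypes -contains [string]$_.RecipientTypeDetails })
$skipped = @($members | Where-Object { $allowedTypes -notcontains [string]$_.RecipientTypeDetails })

foreach ($m in $skipped) {
    Write-Warning ("Skipping {0} ({1}): not a valid owner type" -f $m.Name, $m.RecipientTypeDetails)
}

if ($owners.Count -eq 0) {
    throw "No eligible owners found in '$managementGroup'; ManagedBy left unchanged."
}

# Show the change before making it; ManagedBy is replaced, not appended to.
$current = (Get-DistributionGroup -Identity $managedGroup).ManagedBy
Write-Host ("Current owners : {0}" -f ($current -join '; '))
Write-Host ("New owners     : {0}" -f (($owners | ForEach-Object { $_.Name }) -join '; '))

Set-DistributionGroup -Identity $managedGroup `
    -ManagedBy ($owners | ForEach-Object { $_.DistinguishedName }) `
    -BypassSecurityGroupManagerCheck -WhatIf   # remove -WhatIf to apply
```

ManagedBy then holds a snapshot of the management group, so the script has to be re-run whenever that group's membership changes.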


Author Comment

ID: 35491635
Thanks. That's really all I was looking for - someone to confirm what the situation seemed to be. So, I'll take that as an answer.

Agree about ADSI Edit. I wouldn't normally do that. I just modified a test object to try and prove what I thought was going on there......Interestingly, and this is completely unrelated, I have found a few instances in which I had to make a change in ADSI Edit in order to successfully complete a mailbox move to Exchange 2010. On almost all of our user accounts the userPrincipalName attribute is username@domain.net. There are a handful for which it is only the user name. I had to add the @domain.net in order for the mailbox move to complete successfully. Otherwise I got an error about invalid data. Everything in the GUI seemed consistent and I found no other solution.....Just interesting, but not related to this case.

Thanks again for your time.

Question has a verified solution.