In legacy versions of Exchange such as 2003 and 2007, making a user the "Managed By" owner of an Active Directory security group allowed that user to manage the group's membership through Microsoft Outlook. However, in later versions of Microsoft Exchange such as 2010 and 2013, granting the Managed By permission does not by default give the user the ability to manage the membership of distribution groups. This behaviour is by design in Exchange Server 2010 and Exchange Server 2013. Role Based Access Control (RBAC) and the self-service roles that accompany it were introduced in Exchange Server 2010. To prevent customers from unexpectedly causing problems with group management, the group management self-service role is now off by default.
After migrating to Exchange 2010 or Exchange 2013, when a user attempts to change the membership of a group they own using Outlook 2010 or Outlook 2013, they will receive the following error message.
Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object.
You can turn this feature back on in Exchange 2010 or Exchange 2013 for all users by enabling the MyDistributionGroups role on the Default Role Assignment Policy.
The Default Role Assignment Policy is applied by default to all mailboxes in an Exchange organisation, unless custom Role Assignment Policies have been created and default or custom Management Roles linked to them. To demonstrate this, I have included a screenshot of my mailbox below showing the Default Role Assignment Policy linked; this should be the same in most organisations unless you have custom RBAC requirements.
Note: The screenshot below is from Exchange 2013 SP1, but this also applies to Exchange 2010, where you will find the same setting by navigating through the Exchange Management Console.
Adding the "MyDistributionGroups" role to the Default Role Assignment Policy will allow all users linked to this policy to perform the following tasks:
- Join existing groups (provided the group allows it)
- Manage some of the properties of groups they own
- Change membership of groups they own
- Create and remove groups
The role does this by granting the following PowerShell cmdlets (each one is a management role entry):
- Add-DistributionGroupMember
- Get-DistributionGroup
- Get-DistributionGroupMember
- Get-Group
- Get-Recipient
- Remove-DistributionGroupMember
- Set-DistributionGroup
- Set-DynamicDistributionGroup
- Set-Group
- Update-DistributionGroupMember
Introducing Manage-GroupManagementRole.ps1
Microsoft heard the pain customers were having with the default option in the RBAC Default Role Assignment Policy, and as a result Matthew Byrd from Microsoft wrote a script called "Manage-GroupManagementRole.ps1". This script is for a default deployment of Exchange 2010 or 2013 where all users have the Default Role Assignment Policy and just want to be able to add and remove users from the distribution groups they own through Microsoft Outlook, just like they did before. A copy of the script can be found here:
http://gallery.technet.microsoft.com/scriptcenter/8c22734a-b237-4bba-ada5-74a49321f159
This script automates what I explained above, including:
- Creates a new Management Role, which you can name with the -name switch; by default it is called "MyDistributionGroupsManagement".
- Adds Management Role Entries to the new Management Role for all the PowerShell cmdlets listed above. A Management Role Entry is simply a PowerShell cmdlet the Management Role is allowed to execute.
- Assigns the Management Role to a Role Assignment Policy, which can be specified with the -policy parameter. If you do not specify a Role Assignment Policy it will use the default one, "Default Role Assignment Policy", which is by default assigned to all mailboxes in an Exchange environment.
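The steps above, and the earlier option of enabling MyDistributionGroups directly on the policy, as an added PowerShell example written for this page (it is not Matthew Byrd's script). By default the function builds a narrower child role of MyDistributionGroups with the entries that let users create and delete groups (New-DistributionGroup and Remove-DistributionGroup) stripped out, which is the least-privilege form; the -AllowCreateRemove switch instead assigns the unmodified built-in role, which is the broad setting described earlier. It assumes an Exchange 2010/2013 Management Shell session run by an account that can manage RBAC; the function name and the switch are my own, and the default role name matches the script's.

```powershell
# Added example, not the script from the page. Assumes an Exchange 2010/2013
# Management Shell session run by an account that can manage RBAC.
function Enable-OutlookGroupManagement {
    param(
        # Policy the role is attached to; the default one covers most mailboxes
        [string]$Policy = "Default Role Assignment Policy",
        # Name of the narrowed custom role (same default as the script)
        [string]$RoleName = "MyDistributionGroupsManagement",
        # Hypothetical switch: assign the unmodified built-in role instead,
        # which also lets every user run New-/Remove-DistributionGroup
        [switch]$AllowCreateRemove
    )

    if ($AllowCreateRemove) {
        # Broad setting: the built-in role as-is, attached to the policy
        $assigned = Get-ManagementRoleAssignment -Role MyDistributionGroups -RoleAssignee $Policy -ErrorAction SilentlyContinue
        if (-not $assigned) {
            New-ManagementRoleAssignment -Role MyDistributionGroups -Policy $Policy | Out-Null
        }
        return Get-ManagementRoleEntry -Identity "MyDistributionGroups\*"
    }

    # Narrower setting: a child role starts with every entry of MyDistributionGroups ...
    if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $RoleName -Parent MyDistributionGroups | Out-Null
    }

    # ... then the entries that create and delete groups are removed from the child.
    # Guarded so re-running after the entries are already gone does not fail.
    foreach ($cmdlet in @("New-DistributionGroup", "Remove-DistributionGroup")) {
        $entry = "$RoleName\$cmdlet"
        if (Get-ManagementRoleEntry -Identity $entry -ErrorAction SilentlyContinue) {
            Remove-ManagementRoleEntry -Identity $entry -Confirm:$false
        }
    }

    # Attach the child role to the policy once; re-running is safe
    $assigned = Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $Policy -ErrorAction SilentlyContinue
    if (-not $assigned) {
        New-ManagementRoleAssignment -Role $RoleName -Policy $Policy | Out-Null
    }

    # Return what users on this policy can now run, so the result can be checked
    return Get-ManagementRoleEntry -Identity "$RoleName\*"
}

# Default call: narrowed role. Owners get Add-/Remove-/Update-DistributionGroupMember
# and the Get-/Set- cmdlets listed above, but not New-/Remove-DistributionGroup.
Enable-OutlookGroupManagement | Sort-Object Name | Format-Table Name, Role -AutoSize
```

The final table is the check worth keeping: if New-DistributionGroup or Remove-DistributionGroup still appears under the custom role, users on the policy can create and delete groups from Outlook, which is the behaviour the script exists to avoid.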
.\Manage-GroupManagementRole.ps1 -CreateGroup -RemoveGroup
This will create the management role called "MyDistributionGroupsManagement" and assign it to the "Default Role Assignment Policy" so that it applies to all users in the domain.
After running the script, people will be able to change the membership of distribution lists using Microsoft Outlook, but only for groups where they are listed in the "Managed By" / "Ownership" attribute, just like in previous versions of Exchange.
Some Gotchas
For this functionality the mail-enabled group must have Universal group scope. Domain Local or Global groups do not support this functionality.
In Exchange 2010 or Exchange 2013, you can only set user accounts in the Managed By / Ownership field. You can no longer set a security group as the owner of another group, a limitation of RBAC. You can, however, set multiple people to manage/own a distribution group.
There are a couple of other gotchas that can generate the "Changes to the distribution list membership cannot be saved" error, which are documented in Microsoft KB2586832. If you're still having problems I recommend reading the following article:
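A check for the two gotchas above, plus one for mailboxes that sit on a custom Role Assignment Policy (a role added to the default policy never reaches them, so their owners keep getting the error), as an added example that is not part of the original post. It assumes an Exchange 2010/2013 Management Shell session; the two function names are my own, and the output objects are built with New-Object so the script also runs under the PowerShell 2.0 shell that ships with Exchange 2010.

```powershell
# Added example, not from the original post. Assumes an Exchange 2010/2013
# Management Shell session. Lists distribution groups whose owners will still
# get the "cannot be saved" error even after the role has been assigned.
function Get-GroupOwnershipIssues {
    foreach ($group in Get-DistributionGroup -ResultSize Unlimited) {
        $issues = @()

        # Gotcha 1: only Universal scope groups can be managed from Outlook
        if ("$($group.GroupType)" -notmatch "Universal") {
            $issues += "scope is '$($group.GroupType)', not Universal"
        }

        # Gotcha 2: every ManagedBy entry must be a user, not another group
        if (-not $group.ManagedBy -or $group.ManagedBy.Count -eq 0) {
            $issues += "no owner in ManagedBy"
        }
        foreach ($owner in $group.ManagedBy) {
            $recipient = Get-Recipient -Identity $owner.DistinguishedName -ErrorAction SilentlyContinue
            if (-not $recipient) {
                $issues += "owner '$($owner.Name)' is not a mail-enabled recipient"
            } elseif ("$($recipient.RecipientType)" -like "*Group*") {
                $issues += "owner '$($recipient.Name)' is a group; RBAC requires a user"
            }
        }

        if ($issues.Count -gt 0) {
            New-Object PSObject -Property @{
                Group  = $group.Name
                Issues = ($issues -join "; ")
            }
        }
    }
}

# Mailboxes on a custom policy do not pick up a role added to the default one
function Get-MailboxesOffDefaultPolicy {
    param([string]$Policy = "Default Role Assignment Policy")
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.RoleAssignmentPolicy -and "$($_.RoleAssignmentPolicy)" -ne $Policy } |
        Select-Object Name, RoleAssignmentPolicy
}

Get-GroupOwnershipIssues      | Format-Table Group, Issues -AutoSize -Wrap
Get-MailboxesOffDefaultPolicy | Format-Table -AutoSize
```

Run both before pointing users at Outlook: a group that shows up in the first table needs its scope converted or its owner changed to a user, and a mailbox in the second table needs the role assigned to its own policy as well.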
http://support.microsoft.com/kb/2586832