"changes to the distribution list membership cannot be saved.  you do not have sufficient permission to perform this operation on this object"
Running Exchange 2010/latest updates on Windows 2008 R2 servers. When I create a new DL that I want someone to manage, they received the following message when trying to add/remove from the DL: "changes to the distribution list membership cannot be saved. you do not have sufficient permission to perform this operation on this object". I have followed everything in "http://msexchangeteam.com/archive/2009/11/18/453251.aspx" with no luck. Any suggestions?
June 18th, 2010 3:47pm

Hi, Seems that you have multiple AD domains, and you don't have a GC in the domain where your DL exists. Can you verify? OR This behavior may occur if the Outlook client is accessing a global catalog in a domain where the distribution groups do not exist. If so, please have a look into this: http://support.microsoft.com/?id=318074

This is an excerpt from the above link: This behavior can occur if you have a user group in one Active Directory domain and a distribution group in another domain. Each domain has its own global catalog. When a user tries to manage DL membership by using Microsoft Outlook Address Book, the user who has the permission to manage the DL receives the "do not have sufficient permissions" error message.

Also check whether the DL is universal or not.

Regards, Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com
June 18th, 2010 4:38pm

The default settings for Role Based Access Control need to be changed for group managers to make changes to distribution groups. Change the 'My Distribution Groups' from Not Assigned to Assigned. Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
June 18th, 2010 4:48pm

Tim, pardon my ignorance, but how would I accomplish this?
June 18th, 2010 5:41pm

I have found where to change that. My next question would be: Since it implies that if I check the "My Distribution Groups" that it will allow them to create and manage their own groups, does this mean that they can create their own groups that will show up in the GAL?
June 18th, 2010 6:01pm

You are correct, it does imply that. Read this article on how to lock down the user's ability to create new groups. http://sysadmin-talk.org/2010/06/omg-allowing-end-users-to-manage-distribution-group-membership-in-exchange-2010-2/ Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
June 18th, 2010 7:55pm
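
The lock-down described in the post above (group owners may edit membership but not create or delete groups), written out as an added example that is not taken from the thread or the linked article. The role name `DL-MembershipOnly` is a placeholder chosen here, and the commands are meant for the Exchange 2010 Management Shell.

```powershell
# Added example: least-privilege copy of the built-in MyDistributionGroups role.
# 'DL-MembershipOnly' is a placeholder name, not something from the thread.
$role = 'DL-MembershipOnly'
New-ManagementRole -Name $role -Parent 'MyDistributionGroups'

# Remove the entries that would let an end user create or delete groups.
foreach ($cmdlet in 'New-DistributionGroup', 'Remove-DistributionGroup') {
    Remove-ManagementRoleEntry -Identity "$role\$cmdlet" -Confirm:$false
}

# Give the reduced role to everyone covered by the default policy.
New-ManagementRoleAssignment -Role $role -Policy 'Default Role Assignment Policy'

# Check 1: the reduced role must no longer contain the create/delete cmdlets.
$left = Get-ManagementRoleEntry -Identity "$role\*" |
    Where-Object { $_.Name -match '^(New|Remove)-DistributionGroup$' }
if ($left) {
    Write-Warning "Still present in ${role}: $($left.Name -join ', ')"
}

# Check 2: the unrestricted parent role must not also be assigned to the
# policy, otherwise users keep the ability to create and delete groups.
$parent = Get-ManagementRoleAssignment -Role 'MyDistributionGroups' `
    -RoleAssignee 'Default Role Assignment Policy'
if ($parent) {
    Write-Warning "MyDistributionGroups is still assigned: $($parent.Name -join ', ')"
}
```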

Thank you for your best sharing! Very helpfully. You could use the below command to grant user permissions to manage distribution group:

Set-DistributionGroup "groupName" -ManagedBy user@domain.com

You also could open up the group, and go to "manage by", select the user who shall be able to add or remove the members in ADUC, and check the box "Manager can update the membership list". http://technet.microsoft.com/en-us/library/bb125178.aspx Thanks Your expertise never fails to impress!
June 21st, 2010 9:13am

Piggybacking off of the discussion above, with our deployment of Exchange 2007, we created a set of web-based tools that allowed people to create Exchange Resources including distribution lists. To allow multiple people to manage the lists for a given department, we programmatically created a group, which is populated with one or more users from the "resource department". We then set the following AD permissions to allow members of the group to manage membership of departmental distribution lists:

Add-ADPermission -User DepartmentalGroup -AccessRights ReadProperty, WriteProperty -Properties 'Member' -DomainController dc.contoso.com

Fast forward to Exchange 2010 and the landscape has changed with Exchange 2010's implementation of Role Based Access Control, and I'm struggling to come up with a way to programmatically allow a group of users to manage distribution list membership for a subset of distribution lists - note that we have approximately 75 departments, with each having its own set of coordinators who should be able to manage distribution lists for their department but not lists created by other departments. The specific error we receive in Outlook when attempting to modify group membership is the same as the title of this thread - "Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object".

I implemented the settings referred to at http://sysadmin-talk.org/2010/06/omg-allowing-end-users-to-manage-distribution-group-membership-in-exchange-2010-2/ which details the process of creating a new management role and revoking the role's ability to create new distribution lists and remove distribution lists (which we want because we want those actions to be performed using our web tools).

All that to say that the ultimate problem we have is that the above relies on the "ManagedBy" field of a distribution list (viewable by Get-DistributionGroup Listname | fl *ManagedBy*) to determine group ownership. When "ManagedBy" is set to a user, the user CAN edit a distribution list's membership from Outlook and OWA. When "ManagedBy" is set to a group, members of the group are UNABLE to edit the membership of the distribution list via Outlook or Outlook Web Access/ECP. Furthermore, Set-DistributionGroup does not allow you to specify a list of users to assign to the ManagedBy field. However, if "ManagedBy" was set to a specific user and that user logs in to the Exchange Control Panel and adds additional "owners" of the distribution list, which I can then see from EMS - both the original owner and any additional owners added can in turn modify group membership for the list using Outlook or Outlook Web Access/ECP.

My questions:
1) Is it "expected" behavior that while I can assign a group to the "ManagedBy" property of distribution list, members of that group are still unable to edit the group membership? ...or is there a fix for the behavior I'm seeing?
2) Can multiple values be assigned to the "ManagedBy" property when using Set-DistributionGroup - ex: Set-DistributionGroup DLName -ManagedBy:user1,user2
3) Any other suggestions?

Thanks, -Lance
June 22nd, 2010 1:58am

My questions:
1) Is it "expected" behavior that while I can assign a group to the "ManagedBy" property of distribution list, members of that group are still unable to edit the group membership? ...or is there a fix for the behavior I'm seeing?
2) Can multiple values be assigned to the "ManagedBy" property when using Set-DistributionGroup - ex: Set-DistributionGroup DLName -ManagedBy:user1,user2
3) Any other suggestions?
Thanks, -Lance

1- Yes, it is expected behavior. If you go to EMC to add a user to the managed-by property of a list, then EMC will only show you mailbox users to be added to the managed-by property of the list. EMC won't show you D-lists to be added to the managed-by property of a D-list. I have read somewhere that this behavior is to ensure that a loop is not created, where someone mistakenly adds the DL to the managed-by property of itself.

2- Yes, multiple users can be added using a PS command like this:

Set-DistributionGroup DLName -ManagedBy user1@domain.com,user2@domain.com

3- My suggestion is to automate this process using PowerShell scripting if you have a large number of users to be added to the managed-by property of DLs. You can somehow put user names in a csv file and then read that file to add them to managed-by of the DL. If this is the way you want to go, then open another thread in this forum, so that more people can participate in that thread reading the title of the thread.

Regards, Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com
June 25th, 2010 12:20am
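
The CSV-driven approach suggested in point 3 of the answer above, as an added example that is not code from any poster in this thread. The file name `dl-owners.csv`, its two-column layout and the sample row are assumptions made for illustration; restricting owners to user mailboxes is this example's choice, following the thread's observation that a group in ManagedBy does not work.

```powershell
# Added example for the Exchange 2010 Management Shell.
# Assumed CSV layout (constructed sample, not from the thread):
#   Group,Owners
#   Sales-DL,alice@contoso.com;bob@contoso.com
$rows = Import-Csv -Path '.\dl-owners.csv'   # placeholder file name

foreach ($row in $rows) {
    $dl = Get-DistributionGroup -Identity $row.Group -ErrorAction SilentlyContinue
    if (-not $dl) { Write-Warning "Group not found: $($row.Group)"; continue }

    # Per the thread, owners can only edit from Outlook if the group is Universal.
    if ("$($dl.GroupType)" -notmatch 'Universal') {
        Write-Warning "$($dl.Name) is not Universal; convert it first. Skipping."
        continue
    }

    # Accept only owners that resolve to a user mailbox. Anything else
    # (including a group) is reported and left out.
    $owners = @()
    foreach ($o in ($row.Owners -split ';')) {
        $r = Get-Recipient -Identity $o.Trim() -ErrorAction SilentlyContinue
        if ($r -and "$($r.RecipientType)" -eq 'UserMailbox') {
            $owners += $r.DistinguishedName
        } else {
            Write-Warning "Skipping '$o' for $($dl.Name): not a user mailbox"
        }
    }
    if ($owners.Count -eq 0) { continue }

    # -ManagedBy replaces the existing owner list with exactly these users.
    # -BypassSecurityGroupManagerCheck lets an admin who is not a current
    # owner make the change.
    Set-DistributionGroup -Identity $dl.DistinguishedName -ManagedBy $owners `
        -BypassSecurityGroupManagerCheck

    # Show the result so the change can be reviewed.
    Get-DistributionGroup -Identity $dl.DistinguishedName |
        Format-List Name, GroupType, ManagedBy
}
```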

Hello All, I have done all that's listed in the blog, but can see different behavior. From OWA using ECP I can remove and add users, but using Outlook I can't. Can someone help or explain?
September 1st, 2010 10:46am

We have same problem. Have you found solution?
September 17th, 2010 8:18pm

I'm having the same problem. I can edit via EMC but not Outlook. Any thoughts?
October 20th, 2010 12:08am

Same problem here. I've been looking for answers but haven't found any. Editing Distribution Groups in OWA works great but in Outlook 2007 it doesn't work at all. Any solution?
October 29th, 2010 11:31pm

Have the same problem here. Any updates or solution?
November 3rd, 2010 12:42am

If you have performed the instructions as per the article above, you must then convert all the groups to Universal.
November 3rd, 2010 5:27pm

It works. Thanks, Ryan.
November 3rd, 2010 8:49pm

I have the same problem and Ryan's advice did not help. Any progress on this issue?
November 4th, 2010 7:51pm

Might also want to check if your Outlook client(s) use the ClosestGC registry key. This would bypass the RBAC permissions of Exchange 2010 and use the AD permissions on the object instead, since the client would be connected directly to a domain controller instead of the CAS. I believe that using the ClosestGC key for Outlook is not officially supported for Exchange 2010.
December 21st, 2010 7:06am

I know this is an old thread, but I managed to solve this by opening up the Exchange 2010 management console, clicking on the Toolbox, and double clicking on the Role Based Access Control (RBAC) User Editor. This then opened up Internet Explorer. I logged into this as administrator, created a new Role Group, called it ManageDistributionLists, and assigned the Role "Distribution Groups". This then created a group in AD, and I made the people who I wanted to manage distribution lists a member of this group. Did the normal Managed By on the AD object and all worked fine. D
September 16th, 2011 11:46am

This topic is archived. No further replies will be accepted.
