Running Exchange 2010/latest updates on Windows 2008 R2 servers. When I create a new DL that I want someone to manage, they received the following message when trying to add/remove from the DL: "changes to the distribution list membership cannot be saved. you do not have sufficient permission to perform this operation on this object" I have followed everything in "http://msexchangeteam.com/archive/2009/11/18/453251.aspx" with no luck Any suggestions?

Hi, Seems that u have multiple AD Domains, and you dont have a GC in the domain where your DL exists.Can u verify? OR This behavior may occur if the Outlook client is accessing a global catalog in a domain where the distribution groups do not exist If so plz have a look into this: http://support.microsoft.com/?id=318074 This is excerpt from above link: This behavior can occur if you have a user group in one Active Directory domain and a distribution group in another domain. Each domain has its own global catalog. When a user tries to manage DL membership by using Microsoft Outlook Address Book, the user who has the permission to manage the DL receives the "do not have sufficient permissions" error message Also check whether the DL is universal or not. Regards, Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com

The default settings for Role Based Access Control need to be changed to group managers to make changes to distribution groups. Change the ‘My Distribution Groups’ from Not Assigned to Assigned. Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com

Tim, barden my ignorance, but how would I accomplish this?

I have found where to change that. My next question would be: Since it implies that if I check the "My Distribution Groups" that it will allow them to create and manage their own groups, does this mean that they can create their own groups that will show up in the GAL?

Piggybacking off of the discussion above, with our deployment of Exchange 2007, we created a set of web-based tools that allowed people to create Exchange Resources including distribution lists. To allow multiple people to manage the lists for a given department, we programmatically created a group, which is populated with one or more users from the "resource department". We then set the following AD permissions to allow members of the group to manage membership of departmental distribution lists: Add-ADPermission -User DepartmentalGroup -AccessRights ReadProperty, WriteProperty -Properties 'Member' -DomainController dc.contoso.com Fast forward to Exchange 2010 and the landscape has changed with Exchange 2010's implementation of Role Based Access Control and I'm struggling to come up with a way to programmatically allow a group of users to manage distribution list membership for a subset of distribution lists - note that we have approximately 75 departments, with each having its own set of coordinators who should be able to manage distribution lists for their department but not lists created by other departments. The specific error we receive in Outlook when attempting to modify group membership is the same as the title of this thread - "Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object". I implemented the settings referred to at http://sysadmin-talk.org/2010/06/omg-allowing-end-users-to-manage-distribution-group-membership-in-exchange-2010-2/ which details the process of creating a new management role and revoking the role's ability to create new distribution lists and remove distribution lists (which we want because we want those actions to be performed using our web tools). All that to say that the ultimate problem we have is that the above relies on the "ManagedBy" field of a distribution list (viewable by Get-DistributionList Listname | fl *ManagedBy*) to determine group ownership. When "ManagedBy" is set to a user, the user CAN edit a distribution list's membership from Outlook and OWA. When "ManagedBy" is set to a group, members of the group are UNABLE to edit the membership of the distribution list via Outlook or Outlook Web Access/ECP. Furthermore, Set-DistributionGroup does not allow you to specify a list of users to assign to the ManagedBy field. However, if "ManagedBy" was set to a specific user and that user logs in to the Exchange Control Panel and adds additional "owners" of the distribution list, which I can then see from EMS - both the original owner and any additional owners added can in turn modify group membership for the list using Outlook or Outlook Web Access/ECP. My questions: 1) Is it "expected" behavior that while I can assign a group to the "ManagedBy" property of distribution list, members of that group are still unable to edit the group membership? ...or is there a fix for the behavior I'm seeing? 2) Can multiple values be assigned to the "ManagedBy" property when using Set-DistributionList - ex: Set-DistributionList DLName -ManagedBy:user1,user2 3) Any other suggestions? Thanks, -Lance

Hello All, I have done all thats listed in the blog, but can see different behavior. From OWA using ECP I can remove and add users but using outlook i can't can someone help or explain ?

We have same problem. Have you found solution?

Im having the same problem. I can edit via EMC but not Outlook. Any thoughts?

Same problem here. I've been looking for answers but haven't found any. Editing Distribution Groups in OWA works great but in Outlook 2007 it doesn't work at all. Any solution?

Have the same problem here. Any updates or solution?

If you have performed the instructions as per the article above, you must then convert all the groups to Universal.

it works. thanks ryan.

I have the same problem and Ryan's advice did not help. Any progress on this issue?

Might also want to check if your outlook client(s) use the ClosestGC registry key. This would bypass the RBAC permissions of Exchange 2010 and use the ad permissions on the object instead since the client would be connected directly to a domain controller instead of the CAS. I believe that using the ClosestGC key for outlook is not officially supported for Exchange 2010.

Thank you dazzzzzzzzzzzzzzzz I followed your simple instructions and now DL managers can edit their groups.

Thanks for the quick solution Dazzzz, that work perfectly.

Had the same problem. Outlook 2010/Exchange 2010. Upgrader the Distribution group to Universal Group. Problem gone.

Thanks dazzz. Worked like a champ

Hi Daaz, It works even for us when the Managed by user i.e. the DL manager belongs to Exchange 2K10, in case if the manager belongs to Ex2k7 this option is not working. Getting the same error "changes to the public group membership cannot be saved. you do not have sufficient permission to perform this operation on this object." Awaiting for your reply.Messaging Administrator, MCSA MESSAGING

Hi Daaz, It works even for us when the Managed by user i.e. the DL manager belongs to Exchange 2K10, in case if the manager belongs to Ex2k7 this option is not working. Getting the same error "changes to the public group membership cannot be saved. you do not have sufficient permission to perform this operation on this object." Awaiting for your reply. Messaging Administrator, MCSA MESSAGING Hello everyone, same problem in here, Exchange 2007 - Outlook 2010. Also happy to get an answer.

Same problem here as well.

In some exchange versions, the check box is NOT on the exchange server console. In 14.01.0218.013 the check box to allow updating is in active directory under managed by, not in the exchange console. Just a FYI, this caused me much confusion, and i got lucky going to update the group to universal (even though it already was) and noticed this.