Exchange 2010 - Unable to edit Distribution Lists when Accessing Directory Through CAS Array
We are in the process of migrating from Exchange 2007 to Exchange 2010. We had configured Exchange 2007 such that members of various universal security groups could manage "departmental" distribution lists because we had set the following AD permissions:

    Add-ADPermission -User DepartmentalGroup -AccessRights ReadProperty, WriteProperty -Properties 'Member' -DomainController dc.contoso.com

When we moved mailboxes to Exchange 2010, members of the "DepartmentalGroup" started receiving the following error when they attempted to update distribution list membership:

"Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object."

I had originally thought this was related to RBAC settings in Exchange 2010 (see post at the bottom of http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/9c5a6f84-dbdb-46e8-8095-75ac51f3075a?prof=required) and it still may be, but I came across another workaround that I wanted to ping this forum about. Namely, if a user configures Outlook to connect to an Exchange 2010 mailbox (cached or not cached), the directory server listed as the source server for the global address list is our CAS array (ex: outlook.contoso.com). When pointing to the CAS array for directory services, a user is not able to edit DL membership. However, if the user applies the reg setting to force Outlook to use a specific Global Catalog (http://support.microsoft.com/?kbid=319206), he is once again able to edit DL memberships.

Our environment consists of a single forest with multiple child domains (30+), with 6 or 7 Global Catalogs spread throughout. Exchange is installed at the root of the forest and editing DL memberships only works when the reg setting referenced above points to a GC in the root domain. I had the thought that if I could configure the CAS servers to only use root GCs (there are 2), that might be a "server side" fix for this. Thoughts on that?

Is there a way to force a CAS/HT server (we have both roles installed on a single server) to use a specific set of GCs? Other ideas? Thanks.
June 23rd, 2010 1:13am
Have you seen this? http://msexchangeteam.com/archive/2009/11/18/453251.aspx
Mike Crowley
July 22nd, 2010 1:22am
Can distribution list membership be assigned to a security group rather than an individual user? The way we implemented, 2 or 3 people within a department can typically update a given DL.
September 3rd, 2010 11:53pm
>Can distribution list membership be assigned to a security group rather than an individual user? The way we implemented, 2 or 3 people within a department can typically update a given DL.
No. See here: http://technet.microsoft.com/en-us/library/bb125178(EXCHG.140).aspx?v=184.108.40.206&t=exchgf1
Managed By
The recipient that is designated as the manager for this distribution group will be visible when users view the properties of this group in Outlook or Outlook Web App. If the delivery reports option on the Advanced tab is set to Send delivery reports to group manager, the manager will also receive delivery reports for the group. Click Add to open the Select Mailbox or Mail-enabled User dialog box. Use this dialog box to select the recipient you want to add as a manager of the distribution group, and then click OK.
Mike Crowley
September 4th, 2010 12:06am
On Fri, 3 Sep 2010 20:53:17 +0000, LB20 wrote:
>Can distribution list membership be assigned to a security group rather than an individual user? The way we implemented, 2 or 3 people within a department can typically update a given DL.
Sure. Just give the security group permission to modify the "members" property of the group. You can do that with the ADUC.
---
Rich Matheisen
MCSE+I, Exchange MVP
September 4th, 2010 6:17am
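The delegation discussed in this thread, scoped to a single group and followed by a review of who can write its Member attribute. This is an added example, not code from any poster or from Microsoft; 'Sales-DL' is a hypothetical group name, while DepartmentalGroup and dc.contoso.com are the names used in the original post.

```powershell
# Added example; run in the Exchange Management Shell.
# 'Sales-DL' is a hypothetical distribution group (assumption).
$dl       = 'Sales-DL'
$delegate = 'DepartmentalGroup'
$dc       = 'dc.contoso.com'

# Returns every allow ACE on a group that permits writing the Member attribute.
function Get-MemberWriteAce {
    param(
        [Parameter(Mandatory = $true)][string]$Group,
        [Parameter(Mandatory = $true)][string]$DomainController
    )
    Get-ADPermission -Identity $Group -DomainController $DomainController |
        Where-Object {
            # Compare as strings: over remote PowerShell these fields arrive
            # deserialized, so typed enum comparisons are not reliable.
            $rights = "$($_.AccessRights)"
            $props  = "$($_.Properties)"
            # An ACE with no property list applies to all attributes,
            # so it also covers Member.
            (-not $_.Deny) -and
            ($rights -match 'WriteProperty|GenericWrite|GenericAll') -and
            ($props -eq '' -or $props -match '\bMember\b')
        } |
        Select-Object Identity, User, IsInherited, AccessRights, Properties
}

# Record the ACEs present before the change.
$before = @(Get-MemberWriteAce -Group $dl -DomainController $dc)

# Grant the security group read/write on Member for this one group only.
Add-ADPermission -Identity $dl -User $delegate `
    -AccessRights ReadProperty, WriteProperty -Properties 'Member' `
    -DomainController $dc

# Review the result: the delegate should be the only new explicit entry.
$after = @(Get-MemberWriteAce -Group $dl -DomainController $dc)
$after | Format-Table -AutoSize
"Member-write ACEs before: $($before.Count), after: $($after.Count)"
```

Inherited entries in the output (IsInherited is True) come from a parent container and show who could already change membership before the grant.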
Have you found a solution for that question? We have the same problem.
September 17th, 2010 8:35pm
Maybe this could help! http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
March 25th, 2011 12:43pm
Hi LB20,
I assume that you did not see the link provided by Mike below. This is addressing exactly what you are looking for and could be resolved by Manage-GroupManagementRole.ps1.
http://msexchangeteam.com/archive/2009/11/18/453251.aspx
http://social.technet.microsoft.com/Forums/en/exchange2010/thread/6f7c9b90-ac6e-4d0a-91ba-4ac280efb38d
Anil
March 25th, 2011 7:58pm
Hello all and LB20,
I'm experiencing the same problem as LB20 reported when he started this thread. I've run that PowerShell script, so customers are able to edit their distribution lists via ECP, but they can NOT edit them using Outlook, which is the preferred way and the way that they have been doing it for years. Screenshot below. The CAS/HUB servers are behind a Cisco ACE context, so I'm wondering if that could be the issue... Anyone dealt with this issue? Any ideas?
August 13th, 2011 3:19pm