Exchange 2010 - Unable to edit Distribution Lists when Accessing Directory Through CAS Array
We are in the process of migrating from Exchange 2007 to Exchange 2010. We had configured Exchange 2007 such that members of various universal security groups could manage "departmental" distribution lists because we had set the following AD permissions:

Add-ADPermission -User DepartmentalGroup -AccessRights ReadProperty, WriteProperty -Properties 'Member' -DomainController dc.contoso.com

When we moved mailboxes to Exchange 2010, members of the "DepartmentalGroup" started receiving the following error when they attempted to update distribution list membership:

"Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object."

I had originally thought this was related to RBAC settings in Exchange 2010 (see post at the bottom of http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/9c5a6f84-dbdb-46e8-8095-75ac51f3075a?prof=required) and it still may be, but I came across another workaround that I wanted to ping this forum about. Namely, if a user configures Outlook to connect to an Exchange 2010 mailbox (cached or not cached), the directory server listed as the source server for the global address list is our CAS array (ex: outlook.contoso.com). When pointing to the CAS array for directory services, a user is not able to edit DL membership. However, if the user applies the reg setting to force Outlook to use a specific Global Catalog (http://support.microsoft.com/?kbid=319206), he is once again able to edit DL memberships.

Our environment consists of a single forest with multiple child domains (30+), with 6 or 7 Global Catalogs spread throughout. Exchange is installed at the root of the forest and editing DL memberships only works when the reg setting referenced above points to a GC in the root domain. I had the thought that if I could configure the CAS servers to only use root GCs (there are 2), that might be a "server side" fix for this. Thoughts on that?
Is there a way to force a CAS/HT server (we have both roles installed on a single server) to use a specific set of GCs? Other ideas? Thanks.
June 22nd, 2010 6:13pm

Have you seen this? http://msexchangeteam.com/archive/2009/11/18/453251.aspx
Mike Crowley
July 21st, 2010 6:22pm

Can distribution list membership be assigned to a security group rather than an individual user? The way we implemented, 2 or 3 people within a department can typically update a given DL.
September 3rd, 2010 4:53pm

> Can distribution list membership be assigned to a security group rather than an individual user? The way we implemented, 2 or 3 people within a department can typically update a given DL.

No. See here: http://technet.microsoft.com/en-us/library/bb125178(EXCHG.140).aspx?v=14.1.218.11&t=exchgf1

Managed By
The recipient that is designated as the manager for this distribution group will be visible when users view the properties of this group in Outlook or Outlook Web App. If the delivery reports option on the Advanced tab is set to Send delivery reports to group manager, the manager will also receive delivery reports for the group. Click Add to open the Select Mailbox or Mail-enabled User dialog box. Use this dialog box to select the recipient you want to add as a manager of the distribution group, and then click OK.

Mike Crowley
September 3rd, 2010 5:06pm

On Fri, 3 Sep 2010 20:53:17 +0000, LB20 wrote:
> Can distribution list membership be assigned to a security group rather than an individual user? The way we implemented, 2 or 3 people within a department can typically update a given DL.

Sure. Just give the security group permission to modify the "members" property of the group. You can do that with the ADUC.
---
Rich Matheisen
MCSE+I, Exchange MVP
September 3rd, 2010 11:17pm
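The delegation described in the reply above, and the Add-ADPermission grant in the original post, can be checked by listing which trustees are able to change a group's membership. This is an added example, not part of the thread: the function name, the CONTOSO\HelpdeskTier1 and CONTOSO\Legacy Operators trustees and the sample ACEs are constructed, and the field names assume the User / AccessRights / Properties / Deny / IsInherited output of Get-ADPermission.

```powershell
# Added example (hypothetical helper). Flags ACEs that let a trustee change a
# group's membership: the scoped WriteProperty/Member grant from the thread,
# plus broader rights that imply it. Properties is compared as text because
# its exact type in a given Exchange session is an assumption.
function Find-MemberWriteAce {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Ace,
        [string[]] $ExpectedTrustee = @()   # trustees you meant to delegate to
    )
    foreach ($a in $Ace) {
        if ($a.Deny) { continue }           # simplification: deny ACEs are skipped, not evaluated
        # Normalise to string arrays; a flags enum prints as "ReadProperty, WriteProperty"
        $rights = @($a.AccessRights | Where-Object { $_ } | ForEach-Object { "$_" -split '\s*,\s*' })
        $props  = @($a.Properties   | Where-Object { $_ } | ForEach-Object { "$_" })
        $reason = $null
        if ($rights -contains 'GenericAll' -or $rights -contains 'GenericWrite') {
            $reason = 'broad right covers every attribute'
        } elseif ($rights -contains 'WriteProperty') {
            if ($props.Count -eq 0)           { $reason = 'WriteProperty with no property scope' }
            elseif ($props -contains 'Member') { $reason = 'WriteProperty scoped to Member' }
        }
        if ($reason) {
            New-Object PSObject -Property @{
                User      = $a.User
                Reason    = $reason
                Inherited = [bool]$a.IsInherited
                Expected  = ($ExpectedTrustee -contains $a.User)
            }
        }
    }
}

# Constructed sample ACEs. In an Exchange shell the input would instead be the
# output of Get-ADPermission for the distribution group being reviewed.
$sample = @(
    (New-Object PSObject -Property @{ User='CONTOSO\DepartmentalGroup'; Deny=$false; IsInherited=$false
        AccessRights=@('ReadProperty','WriteProperty'); Properties=@('Member') }),
    (New-Object PSObject -Property @{ User='CONTOSO\HelpdeskTier1'; Deny=$false; IsInherited=$false
        AccessRights=@('WriteProperty'); Properties=$null }),
    (New-Object PSObject -Property @{ User='CONTOSO\Legacy Operators'; Deny=$false; IsInherited=$true
        AccessRights=@('GenericAll'); Properties=$null }),
    (New-Object PSObject -Property @{ User='CONTOSO\DepartmentalGroup'; Deny=$false; IsInherited=$false
        AccessRights=@('ReadProperty'); Properties=@('Member') })
)

Find-MemberWriteAce -Ace $sample -ExpectedTrustee 'CONTOSO\DepartmentalGroup' |
    Format-Table User, Reason, Inherited, Expected -AutoSize
```

Rows with Expected = False are trustees that can edit membership without having been deliberately delegated; the read-only ACE in the sample is correctly left out.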

Have you found a solution for that question? We have the same problem.
September 17th, 2010 1:35pm

Maybe this could help! http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
March 25th, 2011 5:43am

Hi LB20,

I assume that you did not see the link provided by Mike below. This is addressing exactly what you are looking for and could be resolved by Manage-GroupManagementRole.ps1:

http://msexchangeteam.com/archive/2009/11/18/453251.aspx
http://social.technet.microsoft.com/Forums/en/exchange2010/thread/6f7c9b90-ac6e-4d0a-91ba-4ac280efb38d

Anil
March 25th, 2011 12:58pm

Hello all and LB20,

I'm experiencing the same problem as LB20 reported when he started this thread. I've run that PowerShell script, so customers are able to edit their distribution lists via ECP, but they can NOT edit them using Outlook, which is the preferred way and the way that they have been doing it for years. Screenshot below. The CAS/HUB servers are behind a Cisco ACE context, so I'm wondering if that could be the issue... Anyone dealt with this issue? Any ideas?
August 13th, 2011 3:10pm

Hi All,

The script works perfectly. It has restricted the user from deleting and creating DLs; however, the issue is that addition and deletion of members doesn't work through Outlook 2003. It works fine through OWA. We found another article, which refers to http://wiki.uky.edu/mail/Wiki%20Pages/Unable%20to%20modify%20Distribution%20List.aspx. We tested this and it seems to work fine. However, changing the registry values on each desktop is not a preferred solution. We don't want to point the desktops to a specific hostname which can change in the future.
May 2nd, 2012 9:29am

The source of the issue is dsproxy: your Outlook will choose a GC that's not in the same domain as the mailbox user, thus you can't update the membership or set delegates. You can set the GC reg key as mentioned by a previous user.

Exchange 2003 post SP2 DSProxy Referral Update
http://blogs.technet.com/b/exchange/archive/2006/03/17/422350.aspx

James Chong
MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL
msexchangetips.blogspot.com
May 2nd, 2012 1:50pm

This topic is archived. No further replies will be accepted.
