Exchange 2013 - How is everyone managing group memberships in ECP?

My domain admin group has full control on the AD object of all my Exchange distribution groups.  In ECP they do not have the ability to edit group membership unless they are the "owner" of that group.  Is there a way to be able to manage group membership without giving ownership of all the groups to all of my domain admins?

I would have thought that, because they have Full control to the AD object, they would be able to add/remove membership.  Is there something I'm missing here?

May 6th, 2015 8:59am

Yeah, I have seen this throw some people off lately as everyone starts moving over to 2013 and the web-based ECP.

I'm pretty sure this is because of the RBAC that Exchange 2013 uses. Even though you are a domain admin, you still need to modify the RBAC group for this to work, or else you won't be able to edit distribution groups. Take a look at the different RBAC groups in the ECP; you should be able to spot the one you need.

You can use this link to get started, https://technet.microsoft.com/en-us/library/jj657480(v=exchg.150).aspx

Click on "View Role Groups" under the "What do you want to do" section, that will show you how to view the RBAC groups that are available to you.

May 6th, 2015 9:13am

Hi,

Users must be assigned permissions to manage Distribution Groups.

Please run these commands to check if the other domain admins are in the management role groups.

Get-RoleGroupMember "Organization Management"

Get-RoleGroupMember "Recipient Management"

If they are not in these two management role groups, please run the following commands to add them.

Add-RoleGroupMember "Organization Management" -Member "<other domain admin>"

Add-RoleGroupMember "Recipient Management" -Member "<other domain admin>"

Manage Distribution Groups

https://technet.microsoft.com/en-us/library/bb124513%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

I hope you are referring to EAC, not ECP.

Best Regards.

May 7th, 2015 2:43am

Hi,

Users must be assigned permissions to manage Distribution Groups.

Please run these commands to check if the other domain admins are in the management role groups.

Get-RoleGroupMember "Organization Management"

Get-RoleGroupMember "Recipient Management"

If they are not in these two management role groups, please run the following commands to add them.

Add-RoleGroupMember "Organization Management" -Member "<other domain admin>"

Add-RoleGroupMember "Recipient Management" -Member "<other domain admin>"

Manage Distribution Groups

https://technet.microsoft.com/en-us/library/bb124513%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

I hope you are referring to EAC, not ECP.

Best Regards.

May 7th, 2015 6:41am
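
The check-then-add procedure from the reply above, written as an added example that is not part of the original thread: it reports which members of an AD group are missing from each of the two role groups and only previews the additions with -WhatIf. The group name "Domain Admins", the variable names and the use of the ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on a host that also has the ActiveDirectory (RSAT) module installed.
Import-Module ActiveDirectory

# Assumption: the AD group whose members should be able to manage groups.
$adminGroup = 'Domain Admins'
# The two role groups named in the reply above.
$roleGroups = 'Organization Management', 'Recipient Management'

# Expand nested groups on the AD side and keep user accounts only.
$admins = Get-ADGroupMember -Identity $adminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($rg in $roleGroups) {
    # Get-RoleGroupMember returns direct members only, so an admin who is
    # in the role group through a nested group shows up as "missing" here.
    $memberDns = @(Get-RoleGroupMember -Identity $rg -ResultSize Unlimited |
        ForEach-Object { [string]$_.DistinguishedName })

    foreach ($admin in $admins) {
        [pscustomobject]@{
            RoleGroup = $rg
            Admin     = $admin.SamAccountName
            IsMember  = $memberDns -contains $admin.distinguishedName
        }
    }
}

# Membership matrix: one row per admin per role group.
$report | Sort-Object RoleGroup, Admin | Format-Table -AutoSize

# Preview the additions. Organization Management carries org-wide rights,
# so review the list before removing -WhatIf.
$report | Where-Object { -not $_.IsMember } | ForEach-Object {
    Add-RoleGroupMember -Identity $_.RoleGroup -Member $_.Admin -WhatIf
}
```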

So they are in Organization Management, but I didn't realize they needed to be in both Org and recipient management. 

May 18th, 2015 10:35am

My users are in both Org Mgmt and Rec Mgmt now, and still cannot add/remove users to a group unless they are an owner of that group.  Looking at the AD object of the group we're testing, the AD object's Security tab shows the Org Mgmt group only has read-only access to the group...  Shouldn't these have all been updated with the correct RBAC group on domain/schema prep prior to 2013 install?
May 18th, 2015 10:46am

This topic is archived. No further replies will be accepted.
