Exchange 2013 - Org Managers can't manage groups, unless they're the "owner"

My domain admin group has full control on the AD object of all my Exchange distribution groups.  In ECP they do not have the ability to edit group membership unless they are the "owner" of that group.  Is there a way to be able to manage group membership without giving ownership of all the groups to all of my domain admins?

I would have thought, that because they have Full control to the AD object, that they would be able to add/remove membership.  Is there something I'm missing here?


  • Edited by JoeFri 18 hours 57 minutes ago
May 6th, 2015 12:57pm

Yeah, I have seen this throw some people off lately as everyone starts moving over to 2013 and the web-based ECP.

I'm pretty sure this is because of the RBAC that Exchange 2013 uses. Even though you are domain admin, you still need to modify the RBAC group for this to work, or else you won't be able to edit distribution groups. Take a look at the different RBAC groups in the ECP; you should be able to spot the one you need.

You can use this link to get started, https://technet.microsoft.com/en-us/library/jj657480(v=exchg.150).aspx

Click on "View Role Groups" under the "What do you want to do" section, that will show you how to view the RBAC groups that are available to you.

May 6th, 2015 1:11pm

Hi,

Users must be assigned permissions to manage Distribution Groups.

Please run these commands to check if the other domain admins are in the management role groups.

Get-RoleGroupMember "Organization Management"

Get-RoleGroupMember "Recipient Management"

If they are not in these two management role groups, please run the following commands to add them.

Add-RoleGroupMember "Organization Management" -Member "other domain admin"

Add-RoleGroupMember "Recipient Management" -Member "other domain admin"

Manage Distribution Groups

https://technet.microsoft.com/en-us/library/bb124513%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

I hope you are referring to EAC, not ECP.

Best Regards.

May 7th, 2015 6:41am
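
The check-then-add steps from the reply above, combined into one Exchange Management Shell script (an added example, not part of the original posts). The account names admin1 and admin2 are constructed placeholders, and the comparison assumes they match the Name property that Get-RoleGroupMember returns.

```powershell
# Run in the Exchange Management Shell.
# Constructed placeholder names; replace with the accounts to check.
$admins     = 'admin1', 'admin2'
$roleGroups = 'Organization Management', 'Recipient Management'

foreach ($group in $roleGroups) {
    # Direct members of this role group. A security group listed here
    # grants the role to its own members, which this check does not expand.
    $members = @(Get-RoleGroupMember -Identity $group |
                 Select-Object -ExpandProperty Name)

    foreach ($admin in $admins) {
        if ($members -contains $admin) {
            Write-Output "$admin is already a member of '$group'"
        }
        else {
            Write-Output "$admin is NOT a member of '$group'"
            # -WhatIf reports the change without making it.
            # Remove -WhatIf to actually add the member.
            Add-RoleGroupMember -Identity $group -Member $admin -WhatIf
        }
    }
}
```

Both role groups carry far more than distribution group management, so reviewing the dry-run output before removing -WhatIf keeps the membership change deliberate.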

My users are in both Org Mgmt and Rec Mgmt now, and still cannot add/remove users to a group unless they are an owner of that group.  Looking at the AD objects of the group we're testing, the AD object's security tab shows the Org Mgmt group only has read only to the group...  Shouldn't these have been all updated with the correct RBAC group on domain/schema prep prior to 2013 install?
May 18th, 2015 2:44pm

Can anyone comment on this?
August 18th, 2015 8:26am

Lynn, I was referring to EAC for Exchange 2013... which is accessed with a "https://mailserver/ECP" 
August 18th, 2015 8:29am

Has permission inheritance been disabled so that the setup permissions at the top of the domain are not cascading to the object?
August 18th, 2015 2:39pm

All the OUs I checked are set to "inherit".

Unless there's something wrong with the parent permissions.  What type of access is the organizational manager account supposed to have?

August 18th, 2015 2:56pm

You should see Exchange Trusted Subsystem with permissions to the objects.  That is how Exchange RBAC works.

http://blogs.technet.com/b/rmilne/archive/2014/02/12/exchange-rbac-primer.aspx

This is what I normally do to achieve what you are looking for:

http://blogs.technet.com/b/rmilne/archive/2013/08/09/allow-users-to-manage-distribution-groups-without-creating-new-ones.aspx

August 18th, 2015 6:03pm
