Managing mail-enabled security group.

Hi.

While moving from Exchange 2007 to Exchange 2013 I've found that MS invented new funny quests about managing distribution groups using the Outlook Address Book. They decided to add more freedom to users with creating and deleting groups. Then they found it too much and broke all that functionality. Now I had to write some scary PS script to return to my users the ability to manage distribution group membership without create/delete. But in the end I've found that I still cannot manage a group if it is of security type. Is there some way to return mail-enabled security group membership management in the Outlook Address Book? Or is it gone like IP sorting in the DNS/DHCP console, the calculator and TS management that does not break my brain?

Too much pain :) Thx for reading if you coped with it.

July 3rd, 2015 2:25pm

Exchange 2013 DOES allow an end user (if he's the group owner) to manipulate membership of mail-enabled security groups from MS Outlook.
July 4th, 2015 4:17am

Are you referring to the details in this article? If so, the problem is the following: the default role assignment policy, governing what the individual mailbox user can do, has a rather misleading role included named MyDistributionGroupMembership, which only allows that user the ability to modify his own membership in groups. In order to grant users the ability to modify the groups they own, the simplest way going forward is to add the MyDistributionGroups role to the default role assignment policy; however, a not-so-nice side effect is that it will essentially allow end users the ability to create and remove groups. This is easily overcome by creating a new role based on the latter, and simply removing the 2 problematic cmdlets. Then this gets linked to the default role assignment policy and all is well.

In the article mentioned above, Rhoderick is actually setting up a different role assignment policy in order not to rewrite the original one. However the new policy should be assigned to the respective mailboxes in order to grant the new rights. Just wanted to double check that this isn't an issue to our case.

You mention distribution groups worked, but security ones didn't. Did you test with a brand new mail-enabled security group? If the test was done with an already existing one, just thinking it might be the case of AD permissions affecting it (although as long as Exchange Trusted Subsystem has permissions against that object, things should be fine).

July 4th, 2015 8:07am
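The role-trimming procedure described in the answer above, written out as an Exchange Management Shell script. This is an added example, not code from the thread or from the linked article; the custom role name is an assumption, and I am taking the "2 problematic cmdlets" to be New-DistributionGroup and Remove-DistributionGroup (the ones that create and delete groups).

```powershell
# Added example (not from the thread): grant mailbox users the ability to manage the
# membership of groups they own, without letting them create or delete groups.
# Assumptions: the custom role name below, and that the two entries to strip are
# New-DistributionGroup and Remove-DistributionGroup.

$RoleName   = "MyDistributionGroups-NoCreateDelete"   # assumed name for the custom role
$PolicyName = "Default Role Assignment Policy"         # built-in policy name in Exchange 2013

# 1. Derive a child role from the built-in MyDistributionGroups role.
#    RBAC child roles can only hold a subset of the parent's entries, so the new
#    role can never grant more than MyDistributionGroups does.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent "MyDistributionGroups" | Out-Null
}

# 2. Remove the role entries that allow creating and deleting groups.
#    (Assumption: these are the "2 problematic cmdlets" the answer refers to.)
foreach ($cmdlet in @("New-DistributionGroup", "Remove-DistributionGroup")) {
    Get-ManagementRoleEntry -Identity "$RoleName\$cmdlet" -ErrorAction SilentlyContinue |
        Remove-ManagementRoleEntry -Confirm:$false
}

# 3. Link the trimmed role to the default role assignment policy. Every mailbox that
#    already uses that policy picks up the right; no per-mailbox assignment is needed,
#    which is the difference from creating a separate policy as the linked article does.
$existing = Get-ManagementRoleAssignment -Role $RoleName -RoleAssignmentPolicy $PolicyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -Name "$RoleName-$PolicyName" -Role $RoleName -Policy $PolicyName | Out-Null
}

# 4. Verify what the custom role still permits. Membership cmdlets such as
#    Add-DistributionGroupMember and Remove-DistributionGroupMember should remain;
#    New-DistributionGroup and Remove-DistributionGroup should be gone.
Get-ManagementRoleEntry -Identity "$RoleName\*" | Sort-Object Name | Select-Object Name
```

Step 4 is the check worth keeping in a change record: it shows exactly which cmdlets end users gain through the policy, so an auditor can confirm the create/delete entries are absent rather than trusting the role name.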

Hi Li Zhen. Thx for answering.

I have a DG that was changed to security. I've set a manager for it and made some policy changes allowing users to change membership of groups they were set as managers of. I see that the group manager cannot add or remove users from the Outlook Address Book until I set this group as "distribution". The changes of group type affect the Address Book immediately. Security - no changes. Distribution - ok. Giving that user "full control" does not help either.

July 6th, 2015 3:04am

Hi Albert. I was referring to this script and many articles tied to it: https://gallery.technet.microsoft.com/office/8c22734a-b237-4bba-ada5-74a49321f159
I tried to do the same with a newly created group and found no problems.
Then I went to ECP again and found another group "owner" property there. It seems it does not have anything to do with the security owner or group manager. And ECP allows changing this "owner" to the manager only! An Enterprise/Org Admin account is not enough until it is the manager. God, bless MS!
After trying to change this "owner" I was asked to "upgrade" the distribution group to the new version... Then everything worked.
Very very funny quest. I think I have to find the way to "upgrade" other groups before I get lynched.
Thx for help :)


  • Marked as answer by vden 23 hours 24 minutes ago
July 6th, 2015 3:52am

Take a look at this blog post. What you're after is simply a Get-DistributionGroup | Set-DistributionGroup. This would convert all groups that aren't yet updated. I believe you might need the -Confirm parameter so you don't get prompted for each one.

As for the owner as it's seen in AD versus Exchange - aside from the ManagedBy property which can be accessed via AD, there's also the tricky checkbox "Manager can update membership list". There's an article here describing how it can be automated.

July 6th, 2015 4:15am
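The bulk upgrade suggested above, as an added example rather than code from the thread or the linked blog post. It adds two things a practitioner would want: a -WhatIf dry run before anything is written, and -BypassSecurityGroupManagerCheck, because an admin who is not in the group's ManagedBy list otherwise gets the same "only a manager can do this" refusal described earlier in the thread. The -ForceUpgrade switch is what suppresses the per-group upgrade prompt; the ownership report at the end is my own addition.

```powershell
# Added example (not from the thread): upgrade every legacy distribution group and
# mail-enabled security group in one pass, previewing first.
# Get-DistributionGroup returns both group types (RecipientTypeDetails
# MailUniversalDistributionGroup / MailUniversalSecurityGroup), so the security
# groups discussed in this thread are covered by the same pipeline.

# 1. Dry run: list what would be touched, change nothing.
Get-DistributionGroup -ResultSize Unlimited |
    Set-DistributionGroup -ForceUpgrade -BypassSecurityGroupManagerCheck -WhatIf

# 2. Real run.
#    -ForceUpgrade                    : perform the version upgrade without prompting
#    -BypassSecurityGroupManagerCheck : allow an admin who is not a listed manager to
#                                       modify the group (otherwise the cmdlet refuses)
#    -Confirm:$false                  : no per-object confirmation prompt
Get-DistributionGroup -ResultSize Unlimited |
    Set-DistributionGroup -ForceUpgrade -BypassSecurityGroupManagerCheck -Confirm:$false

# 3. Report groups that still have no Exchange owner. Without an entry in ManagedBy,
#    nobody can manage membership from Outlook regardless of the role assignment policy,
#    so these are the ones that still need attention.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.ManagedBy } |
    Sort-Object Name |
    Select-Object Name, RecipientTypeDetails, ExchangeVersion
```

Run the dry run in a change window and keep its output: it is the before-state record for the upgrade, and the step 3 report afterwards tells you which groups were upgraded but will still be unmanageable by end users because they have no owner.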

Also - regarding the account actually used when Outlook is used to modify a group's membership. This would be the owner's user account, not the Exchange Trusted Subsystem that Exchange uses to run administrative cmdlets. There's a good thread here analyzing this - definitely worth reading.
July 6th, 2015 4:39am

As I see now, that checkbox does nothing now. ECP owners can manage membership even without it. I've already read somewhere about this innovation :)

July 6th, 2015 6:08am

Hi Li Zhen. Thx for answering.

I have a DG that was changed to security. I've set a manager for it and made some policy changes allowing users to change membership of groups they were set as managers of. I see that the group manager cannot add or remove users from the Outlook Address Book until I set this group as "distribution". The changes of group type affect the Address Book immediately. Security - no changes. Distribution - ok. Giving that user "full control" does not help either.

In such a situation, I would create 2 new groups (1 dist, 1 sec) and test the behavior. It will help to narrow down whether the group type is the cause of the problem. Btw, you'll find it's not.
July 6th, 2015 6:31am
