Updated to SP1 RU3 and lost critical functionality in EMC!
Last week, we upgraded from 2010 RTM RU5 to 2010 SP1 RU3. Our environment has a user forest and resource forest with a full two-way trust. We were able to grant full access permissions to certain mailboxes by creating a domain local group in the resource forest, adding the IDs from the user forest to the DL group, and selecting that group in the Manage Full Access Permissions wizard in the EMC. Since the upgrade, when you pull up the search screen in the Full Access Permissions Wizard, only users show up, and not groups. I can add the permissions fine through the management shell. Interestingly, if you go to the Send-As permissions wizard, the groups show up fine and I can select/add them from there. There were no such issues prior to the upgrade from the RTM code. Has anyone else seen this issue? Thanks, Craige Lukowicz
April 21st, 2011 4:20pm

Has anyone been able to duplicate this issue? Thanks, Craige
April 25th, 2011 3:59pm

Hi Craige, I tested it in my lab (non-resource forest) and got the same result as yours. You can add the domain local group in the Manage Full Access Permissions wizard in Exchange 2010 RTM. You cannot do it in Exchange 2010 SP1. But I suggest you convert customized non-universal groups to universal ones in the Exchange 2010 organization.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 26th, 2011 1:58am

Has that functionality been intentionally taken out of the SP1 code, or is Microsoft considering this to be a bug? The only way we have been able to successfully grant full access or send as permissions to users is with the domain local groups, because they are using their AD accounts in the user forest to authenticate to Exchange. About 98% of our users have linked mailboxes. Doesn't make sense to me that you can add the DL groups in the Send As wizard, but not in the Full Access Permissions wizard... You'd think if this was a feature the developers were taking away from the GUI, they would do it across the board and not leave the functionality there in one of the wizards.
April 26th, 2011 4:31pm

Can anyone at Microsoft confirm if this is a bug or if it was intentionally left out of the SP1 code? Converting the groups as you suggest doesn't solve the problem - we need the domain local groups to grant the access to customer service mailboxes for IDs in the user forest because that's where the bulk of the credentials reside. If we can't see the groups as we were previously able to, then the full access permissions wizard is useless. Not everyone performing an admin role here is PowerShell savvy, so I need to make it as simple as possible for everyone who needs to do this.
April 27th, 2011 4:55pm

Can anyone at Microsoft speak to whether or not this is a bug or intentional? We are still using the shell as a workaround, but would like to know if this will be fixed in a future rollup update.
May 5th, 2011 4:48pm

Hi - several months have passed, and we just updated to Rollup Update 4v2 for Exchange 2010 SP1. The issue still persists. You can select the domain local groups in the Manage Send As wizard, but not in the Manage Full Access wizard. Are there any plans on fixing this issue anytime in the near future? I can run a command from PowerShell to add a domain local group for full access, but it is ridiculous that you'd have to do that as a workaround for lost functionality in one wizard, and still retain the ability to choose a group in the send as wizard.
September 20th, 2011 6:09pm

Have found this to be an issue also in a resource forest. How can one not use the native EMC tool to effectively delegate in an RBAC scenario? i.e. grant help desk permission to manage shared mailboxes. It is possible to use PS but the shell is not for everyone and this means moving away from the EMC entirely as one tool can't provide help desk with the functionality they need. Granting access to a shared mailbox should not be a sys admin function. Can nobody at Microsoft confirm what happened here?
June 26th, 2012 10:46am
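
The shell workaround the posters mention, as an added example that is not part of any poster's message: a small wrapper for the Exchange Management Shell that grants a group Full Access on a mailbox, skips the change if an explicit grant already exists, and reads the entry back afterwards. The function name, the mailbox name and the group name are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Function name, mailbox and group names are hypothetical placeholders.
function Grant-GroupFullAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$Group    # e.g. 'RESFOREST\CS-FullAccess'
    )

    # Fail early if the mailbox does not resolve to exactly one object.
    $mbx = @(Get-Mailbox -Identity $Mailbox -ErrorAction Stop)
    if ($mbx.Count -ne 1) { throw "Mailbox '$Mailbox' is ambiguous." }

    # Look for an existing explicit (non-inherited) allow entry for the group.
    $existing = Get-MailboxPermission -Identity $mbx[0].Identity -User $Group -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and -not $_.IsInherited -and "$($_.AccessRights)" -match 'FullAccess' }
    if ($existing) {
        Write-Output "'$Group' already has FullAccess on '$($mbx[0].Name)'."
        return
    }

    if ($PSCmdlet.ShouldProcess($mbx[0].Name, "Grant FullAccess to $Group")) {
        Add-MailboxPermission -Identity $mbx[0].Identity -User $Group `
            -AccessRights FullAccess -InheritanceType All -ErrorAction Stop | Out-Null

        # Read the ACL back so the operator sees what was actually written.
        Get-MailboxPermission -Identity $mbx[0].Identity -User $Group |
            Select-Object Identity, User, AccessRights, IsInherited, Deny
    }
}

# Constructed sample call; -WhatIf previews the change without writing it.
Grant-GroupFullAccess -Mailbox 'CustomerService' -Group 'RESFOREST\CS-FullAccess' -WhatIf
```

Granting to a group rather than to individual accounts keeps the mailbox ACL short and makes access reviews a matter of checking group membership.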

This topic is archived. No further replies will be accepted.
