Using managedBy to give Write access to another DistributionGroup
Hi everyone, Is there a way of giving Write access (modify the group) to an Exchange 2010 DistributionGroup using the managedBy attribute? I know that giving Write access to a mailbox is possible using Set-DistributionGroup in the following manner. This basically gives "JohnSmith" Write access to "test-dl".

Set-DistributionGroup -identity test-dl -ManagedBy JohnSmith -BypassSecurityGroupManagerCheck -ForceUpgrade

However, giving Write access to another DistributionGroup fails:

Set-DistributionGroup -identity test1-dl -ManagedBy test2-dl -BypassSecurityGroupManagerCheck

This used to be possible with Exchange 2007 DistributionGroups. In Exchange 2007, the WriteProperty field was used to give Write access to DistributionGroups. Is there another way of giving Write access to DistributionGroups? It is rather puzzling that there is not. The only possible alternative for us is to extract the group members of a DistributionGroup and then add them one by one to the managedBy field. This is rather tedious to say the least! Any input would be very useful. Thanks!
March 15th, 2011 10:25am

Is "test2-dl" a security group? The "write member" is an AD permission, not an "Exchange" permission, so the permission would have to be given to an object that is a security principal.
--- Rich Matheisen MCSE+I, Exchange MVP
March 15th, 2011 10:35pm

Yes, both "test1-dl" and "test2-dl" are Universal Security groups. I ran the command below but it didn't work.

Add-ADPermission -Identity ict-sanjaytest1-dl -User ict-sanjaytest2-dl -AccessRights WriteProperty -Properties "Member"

Exchange 2010 has totally updated its permissions model, so "write member" is no longer an AD permission, as described in this article: http://blogs.technet.com/b/exchange/archive/2009/11/16/3408825.aspx

http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx does appear to offer a solution, but the link to the script (under the heading "So How Do I Fix It") is no longer there. Does anyone know the link to this script or perhaps the script itself?
March 16th, 2011 7:30am

What error did you get when you originally ran the cmdlet? Was it the one below? If so, the fix is in RU3.

"You do not have sufficient permissions. This operation can only be performed by a manager of the group." error message when you try to change the "ManagedBy" attribute in an Exchange Server 2010 SP1 environment: http://support.microsoft.com/kb/2487852
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 16th, 2011 3:32pm

A group is still a group, and the AD permission is still needed on the group before you can modify its membership. Not all groups are mail-enabled, so how would you give someone permission to modify a group's membership without the AD??? RBAC may be doing some magic, but it's probably doing it with delegated permission. E2K10 SP1 RU3 may be what you're missing, though. The new EHLO blog is still having some problems with links to downloads.
--- Rich Matheisen MCSE+I, Exchange MVP
March 16th, 2011 9:51pm

The groups in question are all mail-enabled, i.e. distribution lists. So these groups come under Exchange (I assume, anyway). Modifying group membership of these mail-enabled groups is done via the managedBy attribute. This works if I add individual mailboxes to the managedBy attribute as shown below. So I can successfully edit the managedBy attribute.

Set-DistributionGroup -identity test-dl -ManagedBy JohnSmith -BypassSecurityGroupManagerCheck -ForceUpgrade

However, in many cases we would like DistributionGroups (the members in the DistributionGroup) to be able to modify group membership. For example, in the case below, I would like members of "test2-dl" to modify the membership of "test1-dl". However, this results in the exception shown below.

[PS] C:\Windows\system32>Set-DistributionGroup -identity test1-dl -ManagedBy test2-dl -BypassSecurityGroupManagerCheck -ForceUpgrade
The group "XXXX/Groups/Distribution/test1-dl" can't be managed by recipient "XXX/Groups/Distribution/test2-dl". The owner of the group should have the following recipient type details: UserMailbox,LegacyMailbox,SharedMailbox,MailUser,LinkedMailbox,RemoteUserMailbox,RemoteSharedMailbox,MailContact,User
    + CategoryInfo          : NotSpecified: (XXX...-test1-dl:ADObjectId) [Set-DistributionGroup], RecipientTaskException
    + FullyQualifiedErrorId : 8696BF1B,Microsoft.Exchange.Management.RecipientTasks.SetDistributionGroup

The exception pretty much indicates that only mailboxes are allowed to modify group memberships. Surely this can't be right? I was able to modify Exchange 2007 distribution lists by working on the Write property in AD. This is no longer the case, either for mailboxes or DistributionGroups. This property is now taken over by the managedBy attribute. So my question really is whether there's any way for DistributionGroups (and the members in the DistributionGroup) to modify memberships of another DistributionGroup? Thanks again.
March 17th, 2011 6:24am
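The workaround the original poster mentions (expand the members of one group and add each of them to the other group's managedBy) can be scripted, with a dry run before any change is made. This is an added example, not code from the thread or from Microsoft; it assumes an Exchange 2010 SP1 Management Shell, uses the thread's group names, and takes the list of permitted owner types from the error text quoted above.

```powershell
# Added example, not from the thread: automates the "add members one by one"
# workaround. Allowed owner types copied from the Set-DistributionGroup error.
$AllowedOwnerTypes = @('UserMailbox', 'LegacyMailbox', 'SharedMailbox', 'MailUser',
    'LinkedMailbox', 'RemoteUserMailbox', 'RemoteSharedMailbox', 'MailContact', 'User')

function Get-EligibleOwner {
    # Returns members of $SourceGroup whose recipient type may own a group.
    # Nested groups are expanded one level only, so the owner set stays reviewable.
    param([string]$SourceGroup, [int]$Depth = 0)
    Get-DistributionGroupMember -Identity $SourceGroup -ResultSize Unlimited | ForEach-Object {
        $type = [string]$_.RecipientTypeDetails
        if ($AllowedOwnerTypes -contains $type) {
            $_
        } elseif ($type -like '*Group*' -and $Depth -lt 1) {
            Get-EligibleOwner -SourceGroup $_.DistinguishedName -Depth ($Depth + 1)
        } else {
            Write-Warning "Skipping $($_.Name) ($type): this type cannot own a group"
        }
    }
}

function Grant-OwnershipFromGroup {
    # Adds eligible members of $SourceGroup to the ManagedBy list of $TargetGroup,
    # keeping the existing owners. -WhatIf shows the change without applying it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$TargetGroup, [string]$SourceGroup)

    $target  = Get-DistributionGroup -Identity $TargetGroup
    $already = @($target.ManagedBy | ForEach-Object { $_.DistinguishedName })
    $new = @(Get-EligibleOwner -SourceGroup $SourceGroup |
        Where-Object { $already -notcontains $_.DistinguishedName } |
        ForEach-Object { $_.DistinguishedName } | Select-Object -Unique)

    if ($new.Count -eq 0) { Write-Host "No new owners to add to $TargetGroup"; return }
    Write-Host "Current owners of ${TargetGroup}: $($already.Count); adding $($new.Count)"

    if ($PSCmdlet.ShouldProcess($TargetGroup, "add $($new.Count) owner(s) from $SourceGroup")) {
        # -BypassSecurityGroupManagerCheck is required when the caller is not already an owner
        Set-DistributionGroup -Identity $TargetGroup -ManagedBy @{Add = $new} `
            -BypassSecurityGroupManagerCheck
    }
}

# Dry run first; repeat without -WhatIf to apply the change.
Grant-OwnershipFromGroup -TargetGroup 'test1-dl' -SourceGroup 'test2-dl' -WhatIf
```

Because ManagedBy is a flat list, owners added this way do not change when the source group's membership changes, so the script has to be re-run (or the resulting owner list reviewed) whenever that membership is updated.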
