Problem modifying group membership in Outlook
Hello,
my customer has just upgraded his Exchange server from 2003 to 2010 SP1. Now users are complaining that they are unable to modify the membership of mail-enabled security universal groups. The Outlook error message is "Changes to the Distribution List Membership Could Not Be Saved. You do not have sufficient permission to perform this operation on this object"
I have followed the advice described in the article "How to Manage Groups that I already own in Exchange 2010?" from the following URL:
http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
Still, the problem persists.
In the meantime, I have discovered the following error message on the Exchange server in the MSExchange Management log, which is generated whenever an attempt is made in Outlook to change the group membership:
----------------------------------
Add-DistributionGroupMember
{Identity=<GUID=1a9ad23e-bbb3-4352-a53b-9c90e2a44294>, Member=vez-slu.justice.cz/VALDI/Pocitace a Uzivatele/Uzivatele/test sicz, Confirm=False}
vez-slu.justice.cz/VALDI/Pocitace a Uzivatele/Uzivatele/test sicz
S-1-5-21-3097051676-1135461252-2644246621-37726
S-1-5-21-3097051676-1135461252-2644246621-37726
Microsoft.PowerShell.HostingTools.RunspaceHost-Unknown
2124
48
00:00:02.2187642
View Entire Forest: 'True', Configuration Domain Controller: 'VALDIDC01.vez-slu.justice.cz', Preferred Global Catalog: 'VALDIDC01.vez-slu.justice.cz', Preferred Domain Controllers: '{ VALDIDC01.vez-slu.justice.cz }'
Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: Recipient "vez-slu.justice.cz/VALDI/Hromadna posta/22_VT test sec" couldn't be read from domain controller "VALDIDC01.vez-slu.justice.cz". This may be due to replication
delays. Switching out of Forest mode should allow this operation to complete successfully.
Client
----------------------------------
I tried to run the same Add-DistributionGroupMember command found in the error log in EMS (with the -BypassSecurityGroupManagerCheck switch), and it was completed successfully.
Thanks for any advice,
Martin Strobl
September 9th, 2011 2:33pm
Hi,
This is a known issue with Exchange 2010 server. Please run the script given in the article below to fix your issue.
How to manage groups with groups in Exchange 2010:
http://blogs.technet.com/b/exchange/archive/2011/05/04/how-to-manage-groups-with-groups-in-exchange-2010.aspx
Mail-enabled non-universal group
A mail-enabled Active Directory global or local group object. Mail-enabled non-universal groups were discontinued in Exchange Server 2007 and can exist only if they were migrated from Exchange 2003 or earlier versions of Exchange. You can't use Exchange 2010 to create non-universal distribution groups.
Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com
September 9th, 2011 4:00pm
Hello, Anil,
I am already aware of the issue you have mentioned. I have already removed the group, which was formerly assigned on the "Managed by" list and picked a few user accounts for managing the membership there. I have also created a brand new universal group and assigned some users as managers there (the error messages from my first post are related to this new group).
The reason I was running the command with the -BypassSecurityGroupManagerCheck switch is that my own account in customer's domain is not mail-enabled, so I can't add it onto the Managed-by list.
I am now rather concerned about the part of the Exchange error message, which reads "Recipient ... couldn't be read from domain controller ...".
Regards,
Martin Strobl
September 12th, 2011 10:07am
Update - the problem seems to be the proper rights, as when I assign an administrator role to the test user in the RBAC User Editor (and at the same time he must be a manager of the group), he is able to change the membership of the group from his Outlook.
Martin Strobl
September 21st, 2011 5:03pm
As a workaround, I have created a custom Write Scope and custom Role Group using this scope, with only the Distribution Groups role assigned. When the user is added as member of this Role Group and when he is also member of the "Managed by" list of the distribution group, he is able to change the membership of the distribution group. This solution seems to be acceptable for my customer.
Martin Strobl
October 12th, 2011 7:22am
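The workaround described in the post above, sketched in Exchange Management Shell as an added example that is not part of the original thread. The scope, role group, OU, user and group names are hypothetical placeholders, and the recipient filter is an assumption about how the custom write scope might be limited.

```powershell
# Added example: every name below is a hypothetical placeholder.
$scopeName = 'DG-Membership-Scope'
$roleGroup = 'DG Membership Managers'
$groupOu   = 'example.local/Groups/Mail'   # OU that holds the mail-enabled groups
$manager   = 'EXAMPLE\jdoe'                # mail-enabled user on the "Managed by" list
$group     = 'Example Security Group'      # group whose membership he should edit

# 1. Custom write scope: only mail-enabled universal groups under one OU.
#    (Assumed filter; the thread does not say how the scope was defined.)
New-ManagementScope -Name $scopeName -RecipientRoot $groupOu `
    -RecipientRestrictionFilter "RecipientType -eq 'MailUniversalSecurityGroup' -or RecipientType -eq 'MailUniversalDistributionGroup'"

# 2. Custom role group holding only the Distribution Groups role,
#    restricted to the scope above, instead of a full administrator role.
New-RoleGroup -Name $roleGroup -Roles 'Distribution Groups' `
    -CustomRecipientWriteScope $scopeName -Members $manager

# 3. Verify the assignment really is limited to the custom scope.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. The user must also be on the group's "Managed by" list.
(Get-DistributionGroup -Identity $group).ManagedBy

# 5. Review who can effectively write to this group after the change,
#    so that the new role group did not grant more than intended.
Get-ManagementRoleAssignment -WritableRecipient $group -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, RoleAssigneeName -AutoSize
```

Step 5 is worth repeating whenever the scope filter or role group membership changes, since the role group grants its members write access to every group the scope matches, not only the ones they manage.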