Distribution group management in Outlook 2007 with Exchange 2010

  • Question

  • In our test lab, we have encountered an issue with the distribution groups in Exchange 2010. We have a separate Active Directory server, connected to an Exchange 2010 RC server with the HUB, CAS and MBX roles.

    We have applied the "Configuring Virtual Organizations and Address List Segregation" guide from TechNet (http://technet.microsoft.com/en-us/library/bb936719.aspx). Apart from some different cmdlet output, everything seemed to go fine. We have a working multiple-OU setup, with segregated address lists.

    The problem is with the distribution groups. We can create new ones using either the shell or console. We can add and remove members using Active Directory or the Exchange shell/console. The group is also visible on the user end with Outlook 2007. However, it seems impossible to add/remove members using Outlook. What I have tried:

    - Setting the "Managed By" property to the user doing the edits. This doesn't work, due to the changed meaning of this property.
    - Setting the ReadProperty/WriteProperty on Member using Add-AdPermission. This does not work.
    - As a test, I gave the user Full Control rights on the list. This also does not work.

    What am I forgetting or doing wrong? I assume it is still possible to manage groups from Outlook in Exchange 2010.
    Wednesday, September 30, 2009 9:44 AM

Answers

  • Hi Cyso,

    It's a RBAC issue. You have to do this:

    - Create a Universal Security Group for users who are going to manage different groups' membership (name can be for example 'DGM')
    - Create: New-ManagementRoleAssignment -Name "My Org Distribution Groups Management" -SecurityGroup DGM -Role "Distribution Groups" -RecipientOrganizationalUnitScope "mydomain.local/Distribution Groups"

    In this example Scope is OU, but you can change it if you like.

    Hope this works!

    -------------------------

    Petri Palmén

    • Proposed as answer by Robbie_Roberts Wednesday, October 21, 2009 3:05 AM
    • Marked as answer by Cyso Thursday, October 22, 2009 10:52 AM
    Thursday, October 15, 2009 6:57 PM
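    The two steps from the accepted answer as one Exchange Management Shell script, followed by a check of what the assignment actually grants. This is an added example, not code from the thread; it assumes the ActiveDirectory module is loadable on the server, and the OU paths and the user name 'alice' are placeholders for your own values.

    ```powershell
    # Added example (not from the thread): create the USG, assign the built-in
    # "Distribution Groups" role scoped to one OU, then inspect the result.
    # Assumptions: ActiveDirectory module available; $groupPath, $scopeOu and
    # $manager are placeholders to replace with your own values.
    Import-Module ActiveDirectory

    $groupName = 'DGM'
    $groupPath = 'OU=Security Groups,DC=mydomain,DC=local'   # where DGM is created
    $scopeOu   = 'mydomain.local/Distribution Groups'        # OU whose groups may be managed
    $manager   = 'alice'                                     # user who edits groups from Outlook

    # 1. Universal security group that will carry the role assignment
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -Path $groupPath
    }
    Add-ADGroupMember -Identity $groupName -Members $manager

    # 2. The role assignment from the accepted answer, limited to one OU
    New-ManagementRoleAssignment -Name 'My Org Distribution Groups Management' `
        -SecurityGroup $groupName -Role 'Distribution Groups' `
        -RecipientOrganizationalUnitScope $scopeOu

    # 3. Verify the scopes. -RecipientOrganizationalUnitScope narrows the WRITE
    #    scope only; the role's implicit read scope stays 'Organization', so a
    #    member can still see every recipient in the org even though edits are
    #    confined to $scopeOu.
    Get-ManagementRoleAssignment -RoleAssignee $groupName |
        Format-Table Name, Role, RecipientReadScope, RecipientWriteScope -AutoSize

    # 4. Confirm the assignment reaches the individual user through the group
    Get-ManagementRoleAssignment -Role 'Distribution Groups' -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $manager } |
        Format-Table Name, RoleAssigneeName, RoleAssigneeType -AutoSize
    ```

    Step 3 is the check worth keeping: it shows that the write scope is the OU while the read scope is organization-wide, which is consistent with the OWA behaviour reported later in this thread.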

All replies

  • Have you tried this? Works in 2007 without issues, but have to admit that I haven't tried the same in 2010.

    http://www.howexchangeworks.com/2009/09/giving-user-enough-rights-to-manage.html
    Rajith Enchiparambil | http://www.howexchangeworks.com |
    Wednesday, September 30, 2009 10:43 AM
  • Have you tried this? Works in 2007 without issues, but have to admit that I haven't tried the same in 2010.

    http://www.howexchangeworks.com/2009/09/giving-user-enough-rights-to-manage.html
    Rajith Enchiparambil | http://www.howexchangeworks.com |

    Yes, I tried this.
    Wednesday, September 30, 2009 3:29 PM
  • Nobody is able to comment on this?
    Monday, October 5, 2009 12:39 PM
  • In my test environment without address list segregation, the manager can modify the members through Outlook. Is Outlook configured in cached mode? Can you try configuring the Outlook profile in online mode?

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    Monday, October 5, 2009 2:31 PM
  • I just tried setting Outlook 2007 to online mode, and running the three tests from my start post:

    - Setting the "Managed By" property to the user doing the edits.
    - Setting the ReadProperty/WriteProperty on Member using Add-AdPermission. This does not work.
    - As a test, I gave the user Full Control rights on the list. This also does not work.

    I still can't edit the distribution group from Outlook.

    It would help to know how Exchange determines the required permissions, and what permissions need to be set. This TechNet document (http://technet.microsoft.com/en-us/library/dd335121%28EXCHG.140%29.aspx) describes the usual procedure, but obviously this isn't enough. It almost seems like something is preventing Exchange from checking the permissions set on the list itself.

    Can someone comment on what might be preventing Exchange from determining the right permissions, and if this is related to the applied segregation?
    Tuesday, October 6, 2009 7:39 AM
  • Anybody?
    Friday, October 9, 2009 8:12 AM
  • One final bump.
    Thursday, October 15, 2009 10:22 AM
  • I'm asking around and have asked a couple of other people to look at this post. I'll get back to you ASAP.
    Andrea
    Thursday, October 15, 2009 5:56 PM
  • This solution works, thank you.

    How did you find out about this? Was this documented somewhere or is it experience? Might be useful for similar, future problems.
    Thursday, October 22, 2009 10:52 AM
  • I do have one other question. I have noticed that after applying the RBAC role to a group, and making a user a member of that group, that user can suddenly see all other mailboxes, lists, etc. in the organization. I had previously limited it so that he could only see objects from his own OU, not those outside of it. After removing the user from the RBAC group, the OU-limiting rights return, and he can only see objects from his own OU. This only happens in OWA; in Outlook it works fine, and the user is constrained to his own OU.

    Is there a way to limit what groups are visible in OWA (more specifically, Groups->Join in Options) when the RBAC role is applied? I don't want the users that have the role applied to see objects from other OUs.
    Thursday, October 22, 2009 1:38 PM
  • My pleasure!

    Well, I figured it out by myself. In my opinion this RBAC security model is one of the most important new features in Exchange 2010. And that's something that all Exchange administrators should be aware of.

    ---------------
    Petri Palmen
    Thursday, October 22, 2009 3:00 PM
  • Hi Cyso,

    Did you check that the users' attributes have the right values?

    - msExchQueryBaseDN (this should be the DN of your new GAL, like "CN=TestOrg,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local")
    - showInAddressBook (same as above)
    - msExchUseOAB (this should be the DN of your new OAB, like "CN=TestOrg,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local")

    Then run:
    - Update-GlobalAddressList TestOrg
    - Update-OfflineAddressBook TestOrg

    Restart the MSExchangeFDS service.

    -------------------------
    Petri Palmen
    Thursday, October 22, 2009 3:11 PM
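    A script that checks the three attributes from the post above for every user in a segregated OU before rebuilding the lists. This is an added example, not code from the thread; it assumes the ActiveDirectory module, an OU named TestOrg under mydomain.local, and the GAL/OAB names used in the post.

    ```powershell
    # Added example (not from the thread): report users whose segregation
    # attributes do not match the expected GAL/OAB DNs, then refresh the lists.
    # Assumptions: ActiveDirectory module available; $userOu and the TestOrg
    # names are placeholders matching the post above.
    Import-Module ActiveDirectory

    $userOu      = 'OU=TestOrg,DC=mydomain,DC=local'
    $addrListsCn = 'CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local'
    $expected = @{
        msExchQueryBaseDN = "CN=TestOrg,CN=All Global Address Lists,$addrListsCn"
        msExchUseOAB      = "CN=TestOrg,CN=Offline Address Lists,$addrListsCn"
    }
    # showInAddressBook is multi-valued; it must at least contain the GAL DN
    $expectedSiab = $expected.msExchQueryBaseDN

    $users = Get-ADUser -SearchBase $userOu -Filter * `
        -Properties msExchQueryBaseDN, showInAddressBook, msExchUseOAB
    $bad = 0
    foreach ($u in $users) {
        $problems = @()
        foreach ($attr in $expected.Keys) {
            if ($u.$attr -ne $expected[$attr]) { $problems += "$attr = '$($u.$attr)'" }
        }
        if (-not ($u.showInAddressBook -contains $expectedSiab)) {
            $problems += "showInAddressBook lacks '$expectedSiab'"
        }
        if ($problems) {
            $bad++
            Write-Warning "$($u.SamAccountName): $($problems -join '; ')"
        } else {
            Write-Host "$($u.SamAccountName): OK"
        }
    }

    # Rebuild the lists and restart FDS only once every user checks out,
    # otherwise the mismatches above are what to fix first.
    if ($bad -eq 0) {
        Update-GlobalAddressList -Identity TestOrg
        Update-OfflineAddressBook -Identity TestOrg
        Restart-Service MSExchangeFDS
    } else {
        Write-Warning "$bad user(s) have wrong attributes; lists not refreshed."
    }
    ```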
  • Hi Petri,

    Thanks for the reaction. I tried your proposed changes:

    - msExchQueryBaseDN - was set to the OU the user was contained in. Changing it to the relevant GAL of the OU did not produce the desired effect; the address book looked fine, but the Join Group list was still the same.
    - showInAddressBook - was already set properly
    - msExchUseOAB - was already set properly

    To clarify a bit:

    This is a screenshot of the address book in OWA. As you can see, there are only 3 distribution groups. This is expected.

    This is what is shown in the Join Group dialog in Options. As you can see, all groups in the organization are shown, including those outside of the OU the user is in.

    This happens as soon as I apply the Distribution Groups RBAC role to the user in question.

    The question is how to limit the list shown in the Join Group option dialogue, while still retaining the distribution group management rights. This problem only occurs in OWA; in Outlook everything is working as expected.
    Friday, October 23, 2009 11:35 AM