Distribution group permissions?

  • Question

  • We have IT administrators who are members of the Recipient Management role in Exchange 2010 and they are also Domain Admins. These folks can create users, distribution groups, etc., but when they try to add members to mail-enabled security groups using the EMC, they get an error: "A parameter cannot be found that matches parameter name 'BypassSecurityGroupManagerCheck'".

    They do not get this error if I add them to the "Organization Management" role but that is a lot of authority to give folks who simply manage mailboxes for the company.

    Have I found a bug in the EMC? If I issue the underlying command using PowerShell and leave off the parameter 'BypassSecurityGroupManagerCheck', then they are able to add the users to the group without any problem. This is a fine workaround, but these folks are not at the knowledge level where they can use PowerShell on a daily basis, so I would rather they use the EMC.

    Thursday, January 7, 2010 2:59 AM

Answers

  • Hi,

    This has been identified as a known issue; it will be fixed in R5 for Exchange 2010.

    So far, we have found that a user with Recipient Management role rights has to be assigned the "Security Group Creation and Membership" role, using the command below, to avoid the error.

    New-ManagementRoleAssignment -Role "Security Group Creation and Membership" -SecurityGroup "Recipient Management"

    Regards,
    Xiu
    • Marked as answer by jerrycole Saturday, January 9, 2010 12:20 PM
    Friday, January 8, 2010 7:58 AM
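
An added example, not part of the original thread: before applying the role assignment from the answer above, an Organization Management member can check in the Exchange Management Shell which management roles expose the parameter named in the error, whether the role group already holds the role, and who effectively receives it afterwards. The `$apply` switch variable is hypothetical; the role, role group, cmdlet and parameter names are taken from the thread.

```powershell
# Added example; run in the Exchange Management Shell as an Organization Management member.
$roleGroup = 'Recipient Management'                     # role group from the thread
$role      = 'Security Group Creation and Membership'   # role named in the answer
$cmdlet    = 'Add-DistributionGroupMember'              # cmdlet behind the EMC "add member" action
$parameter = 'BypassSecurityGroupManagerCheck'          # parameter from the EMC error
$apply     = $false                                     # hypothetical switch: $true creates the assignment

# 1. List every management role whose entry for the cmdlet includes the parameter.
Get-ManagementRoleEntry "*\$cmdlet" -Parameters $parameter |
    Format-Table Role, Name -AutoSize

# 2. Confirm that the role from the answer is one of them.
$entry = Get-ManagementRoleEntry "$role\$cmdlet"
if ($entry.Parameters -notcontains $parameter) {
    Write-Warning "'$role' does not expose -$parameter on $cmdlet; the assignment would not help."
    return
}

# 3. Check whether the role group already has a regular (non-delegating) assignment.
$existing = Get-ManagementRoleAssignment -Role $role -RoleAssignee $roleGroup -Delegating $false
if ($existing) {
    Write-Host "'$roleGroup' already holds '$role':"
    $existing | Format-Table Name, RoleAssigneeName, Enabled -AutoSize
}
elseif ($apply) {
    # Same command as in the answer.
    New-ManagementRoleAssignment -Role $role -SecurityGroup $roleGroup
}
else {
    # Dry run: show what would be created without changing anything.
    New-ManagementRoleAssignment -Role $role -SecurityGroup $roleGroup -WhatIf
}

# 4. Review who effectively receives the role, so the grant stays limited
#    to the intended administrators.
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, RoleAssigneeName, AssignmentMethod -AutoSize
```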

All replies

  • Hi,

    Remove them from the Domain Admins group and use RBAC (Role Based Access Control) to assign credentials to them. Exchange 2010 uses the Role Based Access Control (RBAC) permissions model on the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles. With RBAC, you can control what resources administrators can configure and what features users can access. The RBAC model in Exchange 2010 is flexible and provides you with several ways to customize the default permissions. Using a combination of management role groups, management role assignment policies, and management scopes, you can grant permissions to administrators and end users to closely match your organization's business needs.

    The RBAC built-in groups are:

    • Organization Management
    • View-Only Organization Management
    • Recipient Management
    • UM Management
    • Help Desk
    • Hygiene Management
    • Records Management
    • Discovery Management
    • Public Folder Management
    • Server Management
    • Delegated Setup

    and when you assign them to Recipient Management, they will only have access to recipient configuration.

    Look here:

    http://technet.microsoft.com/en-us/library/dd298183.aspx

    And Microsoft Learning:

    https://www.microsoftelearning.com/eLearning/courseDetail.aspx?courseId=136617

    regards,


    Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com
    Thursday, January 7, 2010 4:33 AM
  • As members of Domain Admins, they'll have no security inheritance in AD. I would first try removing one from Domain Admins, fix their inheritance (don't bother while they are a DA), let replication complete in the forest, and try again. A recipient admin should be able to manage groups.
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Exchange Server 2010 Configuration
    LMNOP
    Thursday, January 7, 2010 4:47 AM
  • Hello,

    Do you know when R5 will be available?

    Thank you.

    Monday, July 12, 2010 10:22 PM
  • Per this link (below), it's fixed in SP1:

    http://kbalertz.com/976591/Recipient-Management-cannot-manage-distribution-groups-Exchange-Management-Console.aspx?fbc_channel=1

    This KB (976591) has since been removed from the support site though, so I'm not sure...



    Mike Crowley
    Check out My Blog!

    Thursday, September 16, 2010 10:54 PM
    Moderator
  • This KB (976591) has since been removed from the support site though, so I'm not sure...



    Looks like the KB is there now / restored:

    http://support.microsoft.com/kb/976591

    There is text at the bottom that says:

    "Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This issue will be first fixed in Exchange Server 2010 Service Pack 1."



    Mike Crowley
    Check out My Blog!

    Monday, November 1, 2010 10:42 PM
    Moderator
  • I have an Exchange "Recipient Management" security group member who is getting the same

    "A parameter cannot be found that matches parameter name 'BypassSecurityGroupManagerCheck'"

    error when trying to remove the "Require that all senders are authenticated" requirement.

    We are on Exchange 2010 SP3 Ru10.


    Jason Meyer

    Thursday, December 3, 2015 10:56 PM