Cannot modify 'Managed by' property of distribution group on Exchange 2010 SP1

  • Question

  • Hello

     

    I am a member of 'Organization Management' in our Exchange 2010 SP1 environment (all servers running Exchange 2010 SP1). Trying to modify the 'Managed by' property of any distribution list via the Exchange Management Console fails with the following error:

     

    --------------------------------------------------------
    Microsoft Exchange Error
    --------------------------------------------------------
    The following error(s) occurred while saving changes:

    Set-DistributionGroup Failed
    Error: You don't have sufficient permissions. This operation can only be performed by a manager of the group.

     

    Performing the same change via Set-DistributionGroup GroupName -ManagedBy ManagerName -BypassSecurityGroupManagerCheck in the Exchange Management Shell works fine. It looks like the EMC doesn't add the -BypassSecurityGroupManagerCheck switch parameter to the generated command.

     

    According to http://support.microsoft.com/kb/976591/ this was a known issue and should have been fixed in SP1, however, it appears it's not. How can I fix this and make the EMC generate the proper PowerShell command?

     

    Note: This is not a permissions issue as I am a member of 'Organization Management' and I can execute the command successfully in the shell.

     

    Thanks

    Olli

     

    Wednesday, October 6, 2010 1:50 AM

Answers

  • Hi Olli,

    I also tested it in my lab.

    You will only meet the error if you create a Security Group using ADUC, then enable it in EMC.

    And if you create a Distribution Group using ADUC and enable it in EMC, you can modify the "Managed by" successfully.

    And if you just create the DG or SG in EMC directly, you can also modify the "Managed by". You can also find out the admin is already listed in the "Managed By".

    The workaround: You can add the member of "Organization Management" to "Managed By" of SG's property using ADUC.


    Frank Wang
    • Marked as answer by emma.yoyo Wednesday, October 13, 2010 1:22 AM
    Friday, October 8, 2010 9:16 AM

All replies

  • Hi

    If it's a known bug, give a call to PSS and have them verify that it was solved in SP1

    Or else maybe they have some hotfix for it you can get

     

     


    Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
    Wednesday, October 6, 2010 8:55 AM
  • Hi Frank

     

    Thanks for your reply. We are currently migrating from Exchange 2003 to Exchange 2010. Most of our email-enabled groups are security groups that were created using ADUC a long time before the migration started. Is there a way to fix them retrospectively so that our admins can use the EMC to modify the 'Managed By' attribute? Or is there a way to make EMC add the -BypassSecurityGroupManagerCheck switch parameter to the Set-DistributionGroup -ManagedBy cmdlet by default?

     

    Regards

    Olli

     

    Thursday, October 21, 2010 1:36 AM
  • Is this going to be fixed? because in exchange 2010 sp1 ro2 it still isn't :(

    Do the groups have to be upgraded to the new exchange 2010 to understand new attributes?

    If I change the group to a distribution group (in AD) then I'm able to set the "Managed by" (in EMC), and then I can change it back to a security group (in AD). But if the group is a security group I get an access denied when changing something in EMC.

    Tuesday, January 4, 2011 11:13 AM
  • Fix is listed in RU3
    Lead Systems Administrator
    • Proposed as answer by bcehr Monday, March 14, 2011 8:30 PM
    Monday, March 14, 2011 8:23 PM
  • At my Exchange 2010 installation with the last RU, this bug is already present
    Tuesday, June 21, 2011 7:31 AM
  • I have a client with RU3-V3 and they are still having this issue.

     

    Friday, June 24, 2011 9:38 PM
  • Latest updates and rollups on Exchange 2010 SP1 as of July 10th, 2011, and I encountered this issue as well.

    I noticed it a week later when trying to change permissions of a migrated 2003 group via the EMC. I'm not impressed with the amount of work involved in researching and solving all these 'minor issues' and applying workarounds and special procedures. The GUI interface is why a lot of people pay Microsoft a lot of money for their products, so that we don't have to become programmers and waste our time learning scripting commands. Sure, it's great for large organizations with 1000's of users where you need scripts to make mass-changes to single attributes...but for small businesses with 100 or less employees...it would be nice if the GUI would function correctly. Cheers.

    Wednesday, July 20, 2011 3:09 PM
  • We have installed Rollup 4 for SP1 and this issue still remains.  Because it existed in rollup 2, we had to create distribution groups in AD, add the users then mail-enable the group.

    Is there any way to get these existing groups working? 

    Thursday, August 18, 2011 4:06 AM
  • You may want to check out Management roles and the related cmdlets like Set-ManagementRoleEntry:

    http://technet.microsoft.com/en-us/library/dd351162.aspx

     

    Here's another way:

    <#
    .Synopsis
    Adds a user to the Managers of a distribution group; this differs from set-distributiongroup's default REPLACE of a manager.

    .Parameter DlToModify
    Name of DL you want to modify.

    .Parameter ManagerToAdd
    Name of manager you want to add.

    #>

    param(
        [parameter(Mandatory=$true,HelpMessage='Name of DL you want to modify:')] [string] $DlToModify,
        [parameter(Mandatory=$true,HelpMessage='Name of manager you want to add:')] [string] $ManagerToAdd

    )# end param

    Set-StrictMode -Version 2.0

    $errorActionPreference = 'stop'

    $currentManagers = $null

    # used to process raw input
    [string] $strWorkerVariable = ''

    # used to hold the names after they have been processed
    [string[]] $strManagerList = @()


    <#
        Much pain and suffering discovered that the ManagedBy attribute is something called
        Microsoft.Exchange.Data.Directory.ADMultiValuedProperty
        http://msdn.microsoft.com/en-us/library/ff339280(v=exchg.140).aspx
       
        You can access the values in it by using an index (e.g. $currentManagers[0])
       
        This outputs something like this:
        contoot.com/Accounts OU/Admins/Bob Smith
       
       
        There's a property called 'count' that lists the number of elements returned.
       
    #>

    try
    {
        $currentManagers = (Get-DistributionGroup -Identity $DlToModify).ManagedBy
    }
    catch
    {
        write-host $error[0]
    }

    # loop through currentManagers and make the output usable
    for ($intManagerLooper = 0; $intManagerLooper -lt $currentManagers.Count; $intManagerLooper++)
    {
        # raw data is processed in $strWorkerVariable
        # the nice-looking data is kept in $strManagerList
       
        $strWorkerVariable = [string] $currentManagers[$intManagerLooper]
       
        <#
            $currentManagers[$intManagerLooper] something like this:
            contoot.com/Accounts OU/Admins/Bob Smith
           
            The next line makes it like this:
            Bob Smith
           
        #>
       
        $strWorkerVariable = $strWorkerVariable.Substring($strWorkerVariable.LastIndexOf('/') + 1)
       
        $strManagerList += $strWorkerVariable
       
    }# end for

    $strManagerList += $ManagerToAdd

    Set-DistributionGroup -Identity $DlToModify -ManagedBy $strManagerList -BypassSecurityGroupManagerCheck

     


    -------- Ask why.
    Tuesday, October 18, 2011 7:56 PM
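
Added example (not part of any post in this thread): the workaround from the marked answer, applied in bulk to the existing mail-enabled security groups asked about above. It only reports unless -Apply is given, and it keeps each existing manager as a full identity string. The parameter names $AdminToAdd and $Apply are hypothetical, and the script assumes that the string form of a ManagedBy entry and of a recipient's Identity are both the canonical path shown in the script above.

```powershell
# Added example; run in the Exchange Management Shell.
# $AdminToAdd (hypothetical name): the Organization Management member to list as a manager.
param(
    [Parameter(Mandatory=$true)] [string] $AdminToAdd,
    [switch] $Apply   # without -Apply every change is run with -WhatIf only
)

Set-StrictMode -Version 2.0
$ErrorActionPreference = 'Stop'

# Resolve the admin once so a typo fails before any group is touched.
# Assumption: [string] of an Identity is the canonical path (domain/OU/Name).
$adminId = [string] (Get-Recipient -Identity $AdminToAdd).Identity

# Only mail-enabled universal security groups are in scope here.
$groups = @(Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited)

foreach ($group in $groups)
{
    # Keep every existing manager as its full identity string, skipping empty entries.
    $managers = @($group.ManagedBy | Where-Object { $_ } | ForEach-Object { [string] $_ })

    # Nothing to do when the admin is already listed.
    if ($managers -contains $adminId) { continue }

    # -ManagedBy replaces the whole list, so pass the old managers plus the new one.
    $newManagers = $managers + $adminId

    Set-DistributionGroup -Identity $group.Identity -ManagedBy $newManagers `
        -BypassSecurityGroupManagerCheck -WhatIf:(-not $Apply)

    # One record per group, so the run can be saved and reviewed afterwards.
    New-Object PSObject -Property @{
        Group   = $group.Name
        Before  = ($managers -join '; ')
        Added   = $adminId
        Applied = [bool] $Apply
    }
}
```

Piping the output to Export-Csv keeps a record of which security groups gained a manager, since a manager of a mail-enabled security group can manage that group.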