After migrating from Exchange 2007 to 2010 and addressing all immediate issues, we eventually hit a new issue. Managers of Distribution lists who previously could add and remove members, now couldn’t do it!
Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on this object.
So, why would this break going from Exchange 2007 to 2010, and why would there be a delay?
Role Based Access Control (RBAC) was a new feature introduced in Exchange 2010 which changed the way a lot of security worked. There’s a greatly detailed 4 part article from msExchange.org here http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html which explains this in detail.
As far as the groups are concerned, they stay in a 2007 mode until they get updated. When updated (by something like adding/removing a member) you’ll get prompted about changing the object:
To save changes on object “Silly name”, the object must be upgraded to the current Exchange version. After the upgrade, this object cannot be managed by an earlier version of hte Exchange Management Tools. Do you want to continue to upgrade and save the object?
Once you do this, that particular object (distribution group) now runs under the new RBAC security settings.
By default, the RBAC security settings out of the box don’t allow anyone to be able to add or remove members to distribution groups. The Exchange Team Blog explains this perfectly here: http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx and also leads onto a script which will probably set things up how you want. If you don’t read this carefully, you may end up applying the built in ‘MyDistributionGroups’ role to the ‘Default Role Assignment Policy’ which means everyone can create distribution groups – definitely not ideal in most environments. I started reading another blog post which said to do exactly that, but didn’t explain why or how it worked. Sure it fixes your immediate issue, but you’re opening up a lot more than what you should.
So it’s a fairly easy fix once you now how, but if you haven’t had to worry about RBAC before there’s a little bit to get your head around first before ticking boxes and hoping for the best.
A big thanks to @ExchangeGoddess and @24x7ITConnect for their assistance and guidance on this information.
One thought on “End User Management of Distribution Groups in Exchange 2010”