Wednesday, 10 October 2012

Group Owners Cannot Manage Distribution Groups Once Migrated From Exchange 2003 To 2010…

I came across the error message below while trying to update a distribution group I own. I could modify the membership before moving my mailbox from Exchange 2003 to 2010.
"Changes to the distribution list membership could not be saved. You do not have sufficient permission to perform this operation on this object."
[Screenshot: Outlook group error]
The only thing that had happened was that the mailbox was moved from a 2003 database to a 2010 database; the account itself was not touched in any way that would alter its permissions. So why does this happen, and how can it be fixed? Let me explain based on my lab.
I have a distribution group named “Exchange Team” and Shreya Rajith is the owner. Everything works fine while Shreya’s mailbox is on Exchange 2003.
[Screenshot: Exchange Team owner]
Once moved to 2010, she is no longer able to update the group membership from Outlook. The error message mentioned above comes up while modifying the group membership. The behaviour is the same irrespective of whether she used Outlook 2003 or 2010.
[Screenshot: Outlook error after the move to 2010]
The issue is that when the mailbox is moved to Exchange 2010, the default role assignment policy gets applied to the mailbox.
[Screenshot: Shreya's mailbox properties]
The default policy does not allow users to update groups even when they are the owners: RBAC simply does not grant that permission at all. You can either create a new role assignment policy and apply it to the group owners (or to all users), or modify the existing default assignment policy. Either the Exchange Management Shell or the ECP can be used for this. The EMC does not expose the assignment policy, so it cannot be used.
I logged into the ECP with my admin account and changed the default role assignment policy (Roles & Auditing –> User Roles) to include the “MyDistributionGroups”.
[Screenshot: MyDistributionGroups ticked in the ECP]
The distribution group can now be modified (all test users have been removed).
[Screenshot: successful distribution group edit]
This solves the issue, but it also gives users permission to create new distribution groups through the ECP. If that is not acceptable, you need to edit the policy using the Shell with custom roles or groups instead.
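As an added example (not from the original post), the following Exchange Management Shell commands show the two approaches just described: the quick fix that mirrors the ECP tick box, and the least-privilege variant using a custom role that lets owners edit their groups without being able to create or delete any. The policy name "Default Role Assignment Policy" is the Exchange 2010 built-in; the mailbox alias "shreya" and the role name "MyDistributionGroups-NoCreate" are assumptions for this example.

```powershell
# Added example, not the original author's script. Assumes the Exchange 2010
# Management Shell, the built-in "Default Role Assignment Policy", a
# hypothetical mailbox alias "shreya" and a custom role name chosen here.

# 1. Confirm which assignment policy the moved mailbox picked up, and which
#    roles that policy currently grants (MyDistributionGroups will be absent).
Get-Mailbox -Identity shreya | Format-List Name, RoleAssignmentPolicy
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Format-Table Role, RoleAssigneeName -AutoSize

# 2. Pick ONE of the two options below.

# Option A: quick fix, equivalent to ticking MyDistributionGroups in the ECP.
#           Owners can edit their groups, but every user can also create and
#           remove distribution groups through the ECP.
New-ManagementRoleAssignment -Role MyDistributionGroups `
    -Policy "Default Role Assignment Policy"

# Option B: least privilege. Derive a child role from MyDistributionGroups,
#           strip the create/remove cmdlet entries, and assign that role to
#           the policy. Membership and ownership edits still work.
New-ManagementRole -Name "MyDistributionGroups-NoCreate" -Parent MyDistributionGroups
Remove-ManagementRoleEntry "MyDistributionGroups-NoCreate\New-DistributionGroup" -Confirm:$false
Remove-ManagementRoleEntry "MyDistributionGroups-NoCreate\Remove-DistributionGroup" -Confirm:$false
New-ManagementRoleAssignment -Role "MyDistributionGroups-NoCreate" `
    -Policy "Default Role Assignment Policy"

# 3. Check what the custom role still permits before users rely on it.
Get-ManagementRoleEntry "MyDistributionGroups-NoCreate\*" |
    Format-Table Name -AutoSize
```

The new assignment takes effect for the user's next ECP or Outlook session; re-run step 1 afterwards to confirm the role now appears under the policy.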