Group Owners Cannot Manage Distribution Groups Once Migrated From Exchange 2003 To 2010…

I came across the error message below while trying to update a distribution group I own. I could modify the membership before moving my mailbox from Exchange 2003 to 2010. Changes to the distribution list membership could not be saved. You do not have sufficient permission to perform this operation on this object. Only thing…

I came across the error message below while trying to update a distribution group I own. I could modify the membership before moving my mailbox from Exchange 2003 to 2010.

Changes to the distribution list membership could not be saved. You do not have sufficient permission to perform this operation on this object.

Outlook group error

Only thing happened was that the mailbox was moved from a 2003 database to 2010, no tweaking of the account in any manner to mess up the permissions. So, why does this happen and how can I fix it? Let me explain based on my lab.

I have a distribution group named “Exchange Team” and Shreya Rajith is the owner. Everything works fine while Shreya’s mailbox is on Exchange 2003.

Exchange Team Owner

Once moved to 2010, she is no longer able to update the group membership from Outlook. The error message mentioned above comes up while modifying the group membership. The behaviour is the same irrespective of whether she used Outlook 2003 or 2010.

Outlook error in 2010

The issue is that when the mailbox is moved to Exchange 2010, the default role assignment policy gets applied to the mailbox.

Shreya mailbox properties

The default policy doesn’t allow users to update groups even if they are the owners. The RBAC doesn’t grant the permissions at all. You can either create a new role assignment policy and apply it to the group owners / all users or modify the existing default assignment policy. You can either use Exchange Shell or ECP to achieve the task. EMC doesn’t expose the assignment policy and hence you cannot use it.

I logged into the ECP with my admin account and changed the default role assignment policy (Roles & Auditing –> User Roles) to include the “MyDistributionGroups”.

Check MyDG in ECP

The distribution group can now be modified (all test users have been removed).

Successful DG edit

This solves the issue, but it will give users permissions to create new distribution groups through ECP. If that is not something you like, you need to edit the policy using Shell with custom roles/groups.

8 Comments

  1. Do i need to covert the groups created in Exchange 2003 first to Universal. I was able to get this working only after converting one Test group to universal. If i do the steps you mentioned without conversion to univeral DG it does not work.

    1. Rajith Jose Enchiparambil says:

      Hi Joseph,

      Yes, 2010 only likes universal groups.

  2. Excellent! Worked like a charm.

    Note to other users: If you open the EMC (Exchange Management Console) and go to the “Toolbox”, you will have the option of selecting “Role Based Access Control (RBAC) User Editor” which opens the ECP (Exchange Control Panel) as mentioned above.

    1. Rajith Enchiparambil says:

      Thanks Kimberly

  3. Adil Khan says:

    Gr8 ! its working…. THX Rajith

    1. Rajith Enchiparambil says:

      Thanks Adil.

  4. Harald Helgeland says:

    YES, no it works!

    1. Rajith Enchiparambil says:

      Thanks Harald.

Leave a Reply

Your email address will not be published. Required fields are marked *