When I first start using Exchange 2007 I couldn’t understand why in order to give a user the ability to manage a Distribution Group (DG), adding and/or removing users, we needed to add him on the Exchange Console and then on Active Directory (AD) Users and Computers.
Well, that’s not exactly necessary... Here’s the explanation (which I think is somewhat stupid…):
In Exchange 2007, the Managed By property works in a different way than in previous versions of Exchange. According to Microsoft, this property is an informational field that users see in Outlook when viewing the properties of the distribution group. This property does not provide the user who is identified in the Managed By property with the ability to modify the members of that DG in Outlook.
To do that we must explicitly grant the required AD directory service permissions, and we have three options:
1. Using the Add-ADPermission cmdlet that adds permissions to an AD object. For example, to grant me the rights to add members to the Lets Exchange Admins distribution group:
Add-ADPermission -Identity "Lets Exchange Admins" -User "Nuno Mota" -AccessRights WriteProperty -Properties "Member"
2. Using the Set-Group cmdlet that modifies the settings of an existing Microsoft Windows group:
Set-Group -Identity "Lets Exchange Admins" -ManagedBy “Nuno Mota”
3. Using Active Directory Users and Computers itself: right-click on the DG you want to set the manager, click on Properties, go to Managed By, select the desired user and tick the Manager can update membership list box:
Well, that’s not exactly necessary... Here’s the explanation (which I think is somewhat stupid…):
In Exchange 2007, the Managed By property works in a different way than in previous versions of Exchange. According to Microsoft, this property is an informational field that users see in Outlook when viewing the properties of the distribution group. This property does not provide the user who is identified in the Managed By property with the ability to modify the members of that DG in Outlook.
To do that we must explicitly grant the required AD directory service permissions, and we have three options:
1. Using the Add-ADPermission cmdlet that adds permissions to an AD object. For example, to grant me the rights to add members to the Lets Exchange Admins distribution group:
Add-ADPermission -Identity "Lets Exchange Admins" -User "Nuno Mota" -AccessRights WriteProperty -Properties "Member"
- Waning: This option does not show in AD Users and Computers (see screenshot bello) nor to Outlook users that I am the manager for this DG, but I can still add/remove members, so you might want to use this together with the option on Exchange.
- Tip: You can also do this by going to the Security tab on the Properties of the DG and manually assign the Write Members special permission to the user.
- For detailed syntax and information, refer to Add-ADPermission
2. Using the Set-Group cmdlet that modifies the settings of an existing Microsoft Windows group:
Set-Group -Identity "Lets Exchange Admins" -ManagedBy “Nuno Mota”
- For detailed syntax and information, refer to Set-Group
3. Using Active Directory Users and Computers itself: right-click on the DG you want to set the manager, click on Properties, go to Managed By, select the desired user and tick the Manager can update membership list box:
Note: you can only be granted the manager rights on groups in your own domain. This is a limitation because of how Exchange uses the Global Catalogs.
Also, when using steps 2 or 3 you can only assign one manager per DG. If you want to have several managers for the same DG you must use the first option. However, you might also want to set the Exchange Managed By property so that users can see at least one of the managers.
Exchange 2010: in the new version of Exchange, this process stays the same. However, through the Exchange Console you can select several managers but you still have to set the permission on AD and there, only one can manage it. So why can we select several users on the Exchange Console? I still don’t know…
No comments:
Post a Comment