Exchange 2013 uses the browser-based Exchange Admin Center (EAC) for all administrative transitions / operations. I don't want to bore you with a lot of details like split permissions, the changes in Exchange Server 2010 RTM/SP1/SP3, and how we managed mail-enabled universal security groups in EMC ...
In Exchange Server 2013, an Exchange Org Admin / Recipient Admin cannot use the Exchange Admin Center (EAC) to modify the ownership (ManagedBy) or membership of mail-enabled universal security groups (USGs) that they do not own. The following error is logged if they try to modify members or owners:
"You don't have sufficient permissions. This operation can only be performed by a manager of the group."
This behavior is by design in Exchange Server 2013 (EAC) when an administrator modifies the owners or membership of a security group that they do not own. Only the owners of a security group can add members to it or remove members from it using ECP/EAC.
More Information:
The caveat here is that an Org Admin or Recipient Admin can only modify a USG's owners/members if the admin account is listed as a group owner in the ManagedBy attribute. USGs hold security principals and are generally used to protect confidential information, so allowing non-owners to modify the owners/members is not such a good idea. This behavior can be noticed across both EAC and OWA.
The workaround is to use the Exchange Management Shell with the "BypassSecurityGroupManagerCheck" switch to update the membership/ownership of mail-enabled USGs that the administrator does not own.
Examples:
A - To add / remove owners of a mail-enabled security group (the list given to -ManagedBy replaces the current owners)
Set-DistributionGroup "USGName" -BypassSecurityGroupManagerCheck -ManagedBy Owner1,Owner2,Owner3
B - To append new owners
Set-DistributionGroup "USGDLNAME" -BypassSecurityGroupManagerCheck -ManagedBy @{Add="NewOwnerAlias2","NewOwnerAlias3"}
C - To add / remove members of a USG
Add-DistributionGroupMember -Identity "USGName" -Member User@domain.com -BypassSecurityGroupManagerCheck
Remove-DistributionGroupMember -Identity "USGName" -Member User@domain.com -BypassSecurityGroupManagerCheck
* NT System account credentials should be submitted to while modifying Membership/Ownership on a mail enabled Security group.
Manju
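Because the switch skips the owner check that protects these groups, it helps to record each bypassed change and to review who used the switch. The following is an added example, not part of the original post: the function names Add-UsgMemberWithRecord and Get-UsgBypassAudit are hypothetical, and the audit query assumes admin audit logging is enabled in the organization.

```powershell
# Added example (hypothetical helper names). Run in the Exchange Management Shell.
function Add-UsgMemberWithRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $Group,   # identity of the mail-enabled USG
        [Parameter(Mandatory = $true)] [string] $Member,  # recipient to add
        [Parameter(Mandatory = $true)] [string] $Reason   # free-text justification, e.g. a ticket id
    )

    $dg = Get-DistributionGroup -Identity $Group -ErrorAction Stop
    if ($dg.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
        throw "'$Group' is not a mail-enabled universal security group."
    }

    # Snapshot owners and members before the owner check is bypassed
    $owners = @($dg.ManagedBy | ForEach-Object { [string]$_ })
    $before = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        ForEach-Object { $_.Name })

    Add-DistributionGroupMember -Identity $Group -Member $Member `
        -BypassSecurityGroupManagerCheck -ErrorAction Stop

    $after = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        ForEach-Object { $_.Name })

    # Record of the change: keep it with the change ticket
    New-Object PSObject -Property @{
        Group         = $dg.Name
        OwnersAtTime  = $owners -join '; '
        MembersBefore = $before.Count
        MembersAfter  = $after.Count
        Added         = ($after | Where-Object { $before -notcontains $_ }) -join '; '
        Reason        = $Reason
        When          = Get-Date
    }
}

function Get-UsgBypassAudit {
    param([int] $Days = 7)   # look-back window in days

    # Admin audit log entries where the bypass switch was supplied
    Search-AdminAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Cmdlets Set-DistributionGroup, Add-DistributionGroupMember, Remove-DistributionGroupMember `
        -Parameters BypassSecurityGroupManagerCheck |
        Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded
}
```

Comparing the Caller column of Get-UsgBypassAudit with each group's ManagedBy list shows which changes were made by administrators who are not owners of the group.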