Group Owners Can't Edit Members in ECP/OWA

OZ 226 Reputation points
2024-10-23T08:46:53.2033333+00:00

Hello everyone. We have Exchange Server 2019. I want to allow a user to edit the group membership in OWA, but he still has no rights. I created a security group in the Exchange console (as mail-enabled), added the user to the group and made him the owner of the group. I opened the ADUC on the domain controller, opened the group properties and in the ManagedBy tab checked the "Manager can update membership list" checkbox. After that, the user in OWA saw his group of which he is the owner, but he still cannot edit the members! What's wrong? What else should I give the user? Thanks.


3 answers

  1. Jake Zhang-MSFT 6,465 Reputation points Microsoft Vendor
    2024-10-24T02:48:50.98+00:00

    Hi @OZ,

    Welcome to the Microsoft Q&A platform!

    Based on your description, you have taken most of the correct steps to allow users to manage group membership. However, there may be some additional areas to check:

    1. Changes in Active Directory (AD) may take some time to synchronize with Exchange. Make sure enough time has passed to propagate the changes.
    2. Double-check the settings in OWA to make sure no permissions are overwriting the changes you made. Sometimes, despite having the correct permissions in AD, certain settings restrict users.
    3. Verify that the group is set up as a distribution group rather than a security group. Although both can be mail-enabled, there may be subtle differences in how permissions are applied.
    4. Make sure the user is assigned the correct role in the Exchange Admin Center. Specific roles must be assigned for managing group membership. You may need to assign the user the Distribution Groups and MyDistributionGroups management roles.
    5. You can use the Exchange Management Shell to verify and adjust permissions. Here is the command to add a user to the Group Management role:
    Add-RoleGroupMember "Group Management" -Member <UserAlias>

    Replace '<UserAlias>' with the actual alias of the user.

    6. Make sure that permission inheritance is turned on for the user in AD. Sometimes permissions don't propagate correctly if inheritance is disabled.
    7. Make sure there are no conflicting policies or settings that could be overriding permissions. Group Policy Objects (GPOs) or other security settings in AD can sometimes interfere.

    If after verifying these aspects, the user still cannot edit group memberships, check the logs for any specific error messages.


    Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

    Best,

    Jake Zhang


  2. OZ 226 Reputation points
    2024-10-24T12:14:23.38+00:00

    Thank you all very much. This is what solved my problem.

    1. In Exchange EMC, create a security group as mail-enabled.
    2. Add owners to this group.
    3. Wait 30 minutes (in 30 minutes this mail-enabled security group will also appear in ADUC).
    4. Create an RBAC role, something like "Distribution Group Management", in admin role and assign the role "Distribution Groups"; add the members who should be able to edit group membership.
    5. That's all. P.S. There is no need to enable the "Manager can update membership list" checkbox on the ManagedBy tab of the group's properties in ADUC.

  3. Jake Zhang-MSFT 6,465 Reputation points Microsoft Vendor
    2024-10-28T01:42:32.2+00:00

    Hi @OZ,

    Great to know that the issue has already been resolved and thanks for sharing the solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer : )     

    --------------   

    Issue Symptom: 

    Group Owners Can't Edit Members in ECP/OWA

     

    Resolution: 

    1. In Exchange EMC, create a security group as mail-enabled.
    2. Add owners to this group.
    3. Wait 30 minutes (in 30 minutes this mail-enabled security group will also appear in ADUC).
    4. Create an RBAC role, something like "Distribution Group Management", in admin role and assign the role "Distribution Groups"; add the members who should be able to edit group membership.
    5. That's all. P.S. There is no need to enable the "Manager can update membership list" checkbox on the ManagedBy tab of the group's properties in ADUC.
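
The resolution steps above, written as Exchange Management Shell commands with a follow-up check of who ends up holding the role. This is an added example, not part of the original thread; the group name `Sales-Team` and the alias `jdoe` are placeholders.

```powershell
# Added example: run in the Exchange Management Shell (on-premises Exchange).
# Placeholder values, not taken from the thread:
$GroupName = 'Sales-Team'                      # mail-enabled security group
$Delegates = @('jdoe')                         # users who should edit membership
$RoleGroup = 'Distribution Group Management'   # role group name used in the thread

# Steps 1-2: confirm the group type and its owners as Exchange sees them.
Get-DistributionGroup -Identity $GroupName |
    Format-List Name, RecipientTypeDetails, ManagedBy

# Step 4: create the role group with the "Distribution Groups" role,
# or add the delegates if the role group already exists.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup `
        -Roles 'Distribution Groups' `
        -Members $Delegates `
        -Description 'Delegated management of distribution group membership'
}
else {
    foreach ($user in $Delegates) {
        # Reports an error if $user is already a member; that is harmless here.
        Add-RoleGroupMember -Identity $RoleGroup -Member $user
    }
}

# Verify the role group and its members.
Get-RoleGroup -Identity $RoleGroup | Format-List Name, Roles
Get-RoleGroupMember -Identity $RoleGroup | Format-Table Name, RecipientType

# Review every account that can effectively use the role.
# "Distribution Groups" is an administrator role: unless the assignment has a
# custom write scope, it is not limited to groups the delegate owns.
Get-ManagementRoleAssignment -Role 'Distribution Groups' -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```

Keep the role group membership as small as the delegation requires, and re-run the last command periodically to catch unexpected additions.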
