Assign Group Permission to Distribution Group

I have a Distribution Group in AD and I want to assign permission to the same in SharePoint. But I am not able to get that group in people picker. However, I am able to fetch the Security Group from AD to SharePoint.
Please advise.
If this helped you resolve your issue, please mark it Answered

Hi Avni,
Since you are posting the thread to the SharePoint 2013 forum, I assume you are using SharePoint 2013. Below is to help you understand Distribution group and Security group:
Security group: A group that can be listed in DACLs. A security group can also be used as an e-mail entity.
Distribution group: A group that is used only for e-mail distribution and that is not security-enabled. Distribution groups cannot be listed in discretionary access control lists (DACLs), which are used to define permissions on resources and objects.
You can use security groups to control permissions for your site by adding security groups to SharePoint groups and granting permissions to the SharePoint groups.
You cannot add distribution groups to SharePoint groups, but you can expand a distribution group and add the individual members to a SharePoint group. If you use this method, you must manually keep the SharePoint group synchronized with the distribution group.
If you use security groups, you do not need to manage the individual users in the SharePoint application. Because you included the security group instead of the individual members of the group, AD DS manages the users for you.
I'd recommend using a Security group for SharePoint-related permission settings instead of a Distribution group.
https://technet.microsoft.com/en-us/library/cc261972(v=office.15).aspx
Regards,
Rebecca Tu
TechNet Community Support
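
The distinction described in the answer above can be checked directly in AD DS. The following PowerShell is an added example, not part of the original thread: it reports whether a group is security-enabled and, if wanted, converts a distribution group to a security group. It assumes the ActiveDirectory (RSAT) module; the function names and the group name `Marketing-DL` are hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
# Function names and 'Marketing-DL' are hypothetical placeholders.
Import-Module ActiveDirectory

function Get-GroupAclEligibility {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity
    )
    process {
        $group = Get-ADGroup -Identity $Identity -Properties groupType, mail
        [pscustomobject]@{
            Name              = $group.Name
            GroupScope        = $group.GroupScope
            GroupCategory     = $group.GroupCategory   # Security or Distribution
            Mail              = $group.mail
            # Bit 0x80000000 of groupType is the security-enabled flag.
            # Only groups with this bit set can be listed in a DACL.
            SecurityEnabled   = [bool]($group.groupType -band 0x80000000)
            DistinguishedName = $group.DistinguishedName
        }
    }
}

function Convert-DistributionToSecurityGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )
    $group = Get-ADGroup -Identity $Identity
    if ($group.GroupCategory -eq 'Security') {
        Write-Verbose "$($group.Name) is already a security group."
        return $group
    }

    # Review membership before converting: once the group is security-enabled,
    # every direct and nested member receives whatever access is later granted
    # to it, so mailing-list membership becomes access-control membership.
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    Write-Warning ("{0} has {1} effective member(s); review them before granting permissions." -f `
        $group.Name, $members.Count)

    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, 'Set GroupCategory to Security')) {
        # The group keeps its members and mail attributes; only the category changes.
        Set-ADGroup -Identity $group -GroupCategory Security -PassThru
    }
}

# Usage (dry run first):
#   Get-GroupAclEligibility -Identity 'Marketing-DL'
#   Convert-DistributionToSecurityGroup -Identity 'Marketing-DL' -WhatIf
```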

Similar Messages

  • Group ownership of Distribution Group not working

    Hi,
    We recently migrated from Exchange 2007 to 2013 CU2. We have various security groups with permissions to edit various distribution lists; this is no longer working. I've already researched the problem and I understand two things are necessary for a user to have permission to edit a distribution list:
    1. User must have membership in the My Distribution Groups and My Distro Groups Membership roles. Already done.
    2. User must be an owner of the distribution group.
    The problem comes with the ownership. I'm assigning ownership of the distribution list to a security group, of which my test user is a member. Per this article, groups can own groups again as of 2013 CU1.
    If I directly assign a user ownership of the group, they can edit membership without issue, which means item #1 is satisfied. But they are not receiving ownership by way of membership in the group that owns the distribution list. Or put another way, their group membership is not granting them ownership of the group as it should.
    Any thoughts? Spent a good hour searching and can't come up with anything.
    Thanks,
    James

    Hi -
    That is correct, and is a problem with dozens of existing distribution groups.
    For testing purposes I just did the following:
    1. Created a new distribution group "Test Distro Group"
    2. Created a new mail-enabled security group "Test Distro Group Owners"
    3. Ran Set-DistributionGroup -Identity "Test Distro Group" -ManagedBy "Test Distro Group Owners"
    4. Confirmed ownership via the shell:
    Get-DistributionGroup -Identity "Test Distro Group" | fl
    GroupType                                 : Universal
    SamAccountName                       : Test Distro Group
    BypassNestedModerationEnabled  : False
    ManagedBy                                 : {contoso.com/Users/Test Distro Group Owners}
    5. Confirmed ownership via ECP:
    6. Added a test user "_Sample Teacher" to the "Test Distro Group Owners" group. Confirmed membership via ECP:
    7. Logged into OWA as "_Sample Teacher," went to Options, then Groups. "Test Distro Group Owners" is shown as a group that the user belongs to, however no groups are shown under "distribution groups I own."
    8. If I add "_Sample Teacher" directly as an owner of "Test Distro Group," the group appears as expected as an owned group.
    So in short...the user is a member of the security group, the security group owns distribution group; the user should then be an owner of the distro group via membership in the security group, however this is not working.
    Thanks for any help you can provide. I'm not sure where to go next.
    James

  • Exchange 2013, a distribution group within a distribution group is not receiving emails.

    Here's the explanation of what's going on:
    "A" is an internal distribution group containing other internal contacts, and internal distribution groups "B" and "C". "B" is a working distribution group that contains all internal contacts. "C" contains all external contacts, who will successfully receive emails sent directly to "C". The problem is, when you send an email to "A", everyone in "B" receives the email, but no one in "C" does. "C" is set to receive emails from external sources and has correct SMTP settings as far as I can tell.
    Is this problem related to the fact that "C" is full of external contacts? Is there a setting I'm missing somewhere that will allow "C" to receive emails sent to "A"?
    Edit: Group "C" can not receive emails at all.

    Sorry, I meant does the mailbox you are sending the email FROM have permission to send emails TO external email addresses?
    Our Exchange server is set up so that certain people can only email internal addresses. This is configured in the ECP under Mail Flow - Rules, and is basically configured to state that anyone within the AD group "internal only" to reject the message and provide the explanation "you are not allowed to email externally".
    If the mailbox you are sending the mail from is not permitted to email external contacts, it won't work.
    It can be tested by emailing one of the addresses in Group C individually.

  • Syncing Active Directory Groups for Unity Distribution Groups

    We have multiple remote stores with managers that move around quite a bit. This poses an administration nightmare when trying to keep voicemail distribution lists up to date. Is there a way to synchronize an Active Directory group to a Unity voicemail distribution group? Therefore when we move a manager around in ADS the user automatically moves in Unity.

    Unfortunately this feature has not been re-implemented in Unity Connection. This is one of the few things from Unity that I miss. I suggest voicing your desire for this as a feature enhancement with your Cisco AM.
    If you are doing that many changes you may want to consider going through the Cisco Unity Connection Provisioning Interface. At least you could script the changes there using code that checked AD group membership and replicated the changes into CUC.

  • Managing Distribution Groups with hidden membership (when hideDLMembership is true)

    Hi All,
    I have a situation in an Exchange 2010 SP2 messaging environment where we want to manage two distribution groups through the Outlook client and want to ensure that their membership is visible to none but the distribution group owners.
    I have followed this article "http://blogs.technet.com/b/kamleshk/archive/2013/08/22/3478284.aspx" but in my case the owner can't see the membership.
    The Outlook client version is 2007.
    I have enabled "MyDistributionGroups" in the default role assignment policy to enable Distribution Group management by end users.
    We use Outlook Anywhere but I have tried to add the registry Key "DS Server" but no way.
    Thank you in advance.
    Simone

    Hi Simone,
    How about in OWA?
    If OWA works well, it should be an issue on the Outlook Client side.
    If OWA does not work either, it is still a permission issue. It sometimes needs to sync the operation.
    Please run the following command to verify the owner permission:
    Get-DistributionGroup -Identity DGName | FL
    Thanks
    Mavis Huang
    TechNet Community Support

  • Regarding Group Permission

    Hi Experts,
    I have a security requirement, i.e.
    I have two groups in the RPD, admin and spoc, and using a session variable I am finding the group of the user logging in to the dashboard.
    I am taking the group from the access control table in the database.
    If a person belongs to both groups then I want to assign the permission of the admin group to the user.
    Presently it is assigning the least group access to the user and I want to assign max access.

    Ideally, it should be Admin only..
    ==========
    If there are multiple groups acting on a user or group at the same level with conflicting security attributes, the user or group is granted the least restrictive security attribute. Any explicit permissions acting on a user take precedence over any privileges on the same objects granted to that user through groups
    ============
    Hope you are not missing any points

  • How to move members of a certain OU from one security group to distribution group?

    Looking for a powershell script that could move members from a certain OU that are members of a certain security group to a distribution group. Anyone point me in the right direction?

    It is easy to determine the members of a group. My concern is that once you know the users, it can be tricky to determine their parent OU in a script. There are ways to parse the user distinguishedName, but some are unreliable (the names of OU's, and even DC components, can include commas, for example). The most reliable method would be to bind to the user object with the [ADSI] accelerator and invoke the Parent method, but even then you must parse the result since it will be an ADsPath rather than a DN.
    My approach would be to use Get-ADUser to find all users in a specified OU that are direct members of a specified group. Even here I assume you are only concerned with users (not contacts or groups or computers). I also must assume that no users have the group specified as their "primary" group. The code I would suggest to retrieve all users in an OU that are members of a group:
    Get-ADUser -SearchBase "ou=Sales,ou=West,dc=MyDomain,dc=com" -LDAPFilter "(memberOf=cn=MyGroup,ou=West,dc=MyDomain,dc=com)"
    This does not find users in the OU that are members of the group due to group nesting. However, if that matters, it can be handled using another LDAP syntax filter. In that case use:
    Get-ADUser -SearchBase "ou=Sales,ou=West,dc=MyDomain,dc=com" -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=cn=MyGroup,ou=West,dc=MyDomain,dc=com)"
    The "1.2.840.113556.1.4.1941" part is a special chain matching rule that results in a recursive match to handle group nesting. You can also devise a filter to include membership as the "primary" group. You could even use Get-ADObject instead of Get-ADUser if you need to include contacts (or computers or groups), but I assume that is unnecessary.
    The next steps, to remove from one group and add to another, would follow.
    Richard Mueller - MVP Directory Services
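
    One way to carry out the remaining steps the answer above leaves open, as an added example that is not part of the original post. It uses the direct-membership filter from the answer (nested members are not direct members of the source group, so they cannot be removed from it), escapes the group DNs before placing them in the LDAP filter, and adds each user to the target before removing them from the source. It assumes the ActiveDirectory (RSAT) module; the function names and the target group DN in the usage comment are hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515), so a DN that
# contains \ * ( ) cannot change the meaning of the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace([string][char]0, '\00')
}

function Move-OuUsersBetweenGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,    # OU to search (subtree)
        [Parameter(Mandatory)][string]$SourceGroup,   # security group to leave
        [Parameter(Mandatory)][string]$TargetGroup    # distribution group to join
    )
    $src = Get-ADGroup -Identity $SourceGroup
    $dst = Get-ADGroup -Identity $TargetGroup
    $srcDn = ConvertTo-LdapFilterValue $src.DistinguishedName
    $dstDn = ConvertTo-LdapFilterValue $dst.DistinguishedName

    # Users in the OU that are DIRECT members of the source group.
    $users = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter "(memberOf=$srcDn)")

    # Of those, the ones that already belong to the target group.
    $inTarget = @(Get-ADUser -SearchBase $SearchBase `
            -LDAPFilter "(&(memberOf=$srcDn)(memberOf=$dstDn))" |
        Select-Object -ExpandProperty DistinguishedName)

    foreach ($user in $users) {
        $action = "Move from '$($src.Name)' to '$($dst.Name)'"
        if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) { continue }

        # Add first, remove second: a failure never leaves the user in neither group.
        if ($inTarget -notcontains $user.DistinguishedName) {
            Add-ADGroupMember -Identity $dst -Members $user -ErrorAction Stop
        }
        # Removing the security group membership revokes any access granted
        # through it; the distribution group grants none in return.
        Remove-ADGroupMember -Identity $src -Members $user -Confirm:$false -ErrorAction Stop

        [pscustomobject]@{
            User        = $user.SamAccountName
            RemovedFrom = $src.Name
            AddedTo     = $dst.Name
        }
    }
}

# Usage (dry run first). The source values come from the post; the target DN
# is a hypothetical placeholder:
#   Move-OuUsersBetweenGroups -SearchBase 'ou=Sales,ou=West,dc=MyDomain,dc=com' `
#       -SourceGroup 'cn=MyGroup,ou=West,dc=MyDomain,dc=com' `
#       -TargetGroup 'cn=MyDistGroup,ou=West,dc=MyDomain,dc=com' -WhatIf
```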

  • Reg:: People and Groups Permission reports in sharepoint 2013

    Hi Techys,
    We have one SharePoint 2013 team site. The total number of users for the site is 3200 members. Now my customer's requirement is that they requested a report for people and groups and their permissions, along with member names, group-wise.
    Example: I have one SharePoint 2013 team site named "My Auditions"; it contains 28 groups with different permission levels. Each group has a minimum of 70 users. Now we need a report for each group's permission along with the group members.
    Kindly help me to get down from the customer concern.
    Many Thanks,
    Madhu

    I would suggest a tool like Metalogix ControlPoint. It can quickly produce nice looking reports for this type of information.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
    Hi Trevor,
    I have decided to say a very big thank you for your great suggestion. I have installed the Control-point trial version in my personal lab environment. It's working as I expected. But I have to do the same task for my customer. How can I install Control-point on the prod server without customer permission? Even I have all UIDs and passwords as administrator.
    Could you please suggest whether there is any scripting or OOTB feature?
    Many Thanks,
    Madhu

  • Using Active Directory - either Secure or Distribution Groups

    Reviewing the security documentation for UCM 10g R3, it appears that we should only map to Active Directory Secure Groups and not Distribution Groups, perhaps even if they are marked "secure"? Does anyone know if this is a technical limitation or a best practice? Our organization has processes in place to prevent ad-hoc updates to Distribution lists and I'd like to map UCM using this group type in AD because SQL statements can keep the membership list current in a Distribution Group.

    dll is not a good candidate for the Agent, this has to be an application(exe), and the server onces it identifies the PCs should push this Agent to those PCs and the Application should have the logic to Phone home etc...

  • [E2010] [EWS] [C#] [Windows]: How do I assign public folder Permission to a distribution Group

    Hi,
    I have a little C# Form Application which should create a Public Folder and assign permission for a Distribution Group in Exchange 2010.
    I have found the following in the EWS documentation:
     FolderPermission fp = new FolderPermission();
     fp.UserId.PrimarySmtpAddress = "[email protected]";
    If I try this with a user email it works well. But if I try to set an email address from a Distribution Group it will throw this error:
    "Invailid UserID"
    Does anybody know, how to set Folder Permissions to a Distribution Group?
    Thanks,
    Julian

    You can't set permission on an item in a Public folder; the only level you can set the permissions at is on the folder. You're probably better off using a Distribution Group, which you can create via the Exchange Management Shell http://technet.microsoft.com/en-AU/library/aa998856(v=exchg.150).aspx. You can then set rights on who can use this distribution group and it will also be visible in the GAL etc.
    cheers
    Glen

  • Cannot assign an email address to SharePoint group (distribution groups)

    Hello,
    I configured incoming email awhile back in our SharePoint 2010 environment and it works great. I can assign an email address to a list and the necessary contact is created in AD in the OU I configured for incoming email and of course the item emailed in is added to the list. However, if I try to assign an email address to a SharePoint group to create a distribution group, the following happens:
    The following error has occurred while attempting to contact the Directory Management Service: The request failed with HTTP status 401: Unauthorized.
    From what I've found on Technet and other resources, if incoming email works as expected, assign an email address to a group should work without issue but this obviously isn't the case. I've dug around in the 14 hive and pretty much the same exact error is found there (with just a little more detail):
    System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
    at Microsoft.SharePoint.DirectorySoap.SPDirectoryManagementProxy.CreateDistributionGroup(String Alias, String Name, String Description, String ContactCN, RequestInfo Info, DistributionGroupFlags Flags)
    at Microsoft.SharePoint.SPGroup.CreateDMS(String dlAlias, String friendlyName, String description, String[] members, String requestor, String justification, Int32& jobId)
    Any ideas what this could be?  I'd imagine the timer service account has the appropriate permission on the OU as it can create objects for lists with incoming email enabled without issue.

    For the issue with group members who are not added during the creation process ...
    I followed this Technet article : Configure incoming email for a SharePoint 2013 farm
    But in the paragraph "Configure AD DS to be used with Directory Management Service", I added delegation of control for the following common tasks :
    Create, delete and manage groups
    Modify the membership of a group
    The distribution group gets created in AD with members in SharePoint 2013 ! It should work with 2010 as well…
    PS : Do not forget to set up these rights, not only for the Central Administration Application pool Identity account, but for all your Web Applications!

  • Assign Group permission to list item using client object model

    Hi,
    I am trying to add the list item and assign the permission to the list item by using the SP 2010 client object model. The problem I am facing is that when I assign the group as a permission to the item, the Limited Access permission is automatically added to the group. Please find the steps which I have followed:
    Step 1: Break role inheritance.
        // Give the matching item unique permissions, copying the parent's role assignments
        foreach (var item in _listItemCollection)
        {
            if (item["FileLeafRef"].ToString().ToLower() == "xxx")
            {
                item.BreakRoleInheritance(true, false);
                _clientContext.Load(item.RoleAssignments);
                _folderItem = item;
            }
        }
        _clientContext.ExecuteQuery();
    Step 2: Remove all permissions of the list item.
        // Strip every role binding that was copied from the parent
        foreach (var assignment in _folderItem.RoleAssignments)
        {
            assignment.RoleDefinitionBindings.RemoveAll();
            assignment.Update();
        }
        _clientContext.ExecuteQuery();
    Step 3: Add Group as a permission to the list item.
        var role = _web.RoleDefinitions.GetByType(RoleType.Contributor);
        var collRdb = new RoleDefinitionBindingCollection(_clientContext) { role };
        Principal principal = _grp;
        _folderItem.RoleAssignments.Add(principal, collRdb);
        _folderItem.Update();
        _clientContext.ExecuteQuery();
    After adding the group successfully to the list item, I checked the group permission and it contains the value "Contribute,Limited Access" at the site level and "Contribute" on the list item. Please guide me on how to avoid creating the Contribute, Limited Access role.
    Balaji

    Hi Dmitry,
      When I create the group and assign Contribute permission, the group has the permission at the site level (to see the permission, click the group and click view Group Permission). I have added the list item, broken the role inheritance and given unique permission by providing the group as a permission to the list item. After providing the permission, the group permission at the site level changed to "Contribute, Limited Access". I don't know how the Contribute permission changed to Contribute, Limited Access.
    I found a workaround to fix this issue. I created the group and created the folder in the shared document library by using the client object model. Due to facing some issues providing the permission using the client object model, I have created an event receiver for the document library, and using the server object model I am able to assign the appropriate group permission.
    Balaji

  • "Active Directory operation failed on DC " when assigning Send As permissions on a distribution group

    I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
    Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
    Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
        + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
        + FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
    What could be the problem, considering the items below :
    - inheritance is not broken to the level of the distribution group object
    - the account used to run the cmdlet is a member of the Organization Management group
    - creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties) shows no differences.
    - adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
    - there is no Deny permission on the group's ACL
    - the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues

    Anyone ever come up with a solution to this?  I get something similar when Activesync tries to create objects on user containers.
    Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
    Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
    Details:%3
    So...I get this after I introduced a MS Exchange 2010 SP3 RU8 server into my environment. You can find LOTS of people suggesting the same fix but I've not found anything that deviates from those fixes: check the "inherit permissions", and give full permis to msExchActiveSync devices for the Exchange Servers security group, blah blah.
    I got to this point by following a Migrate to Exch2010 paper by MS. I have no Win2k servers, my old Exchange server is Win2003r2SP2 with Exch2003SP2 fully patched. The Exch server is also a DC. I installed a new 2012r2 server and then patched it. Installed Exch2010SP3Ru8 and all seems well.
    The old Exch2003 server is still in production. My iPhone army connects remotely for mail, and all works great. I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit. It eventually shows up in the Server Manager on the new 2010 Exch Server. I send it a bunch of emails, connect to it with an Outlook client on a Win7 machine, all works. I go to the SM on the 2010 box and migrate the mailbox to the new server. It works. I can connect with Outlook, send receive mail to other users in the org. I then try to connect with my iPhone and I get the message in Event Viewer over and over.
    Went so far as to Promo the new 2012 server to a DC. Seems to be fine. Now am wondering if I Demote the old Exch2003 server will it help...or cause a new crop of issues....

  • Exchange 2003/2010 Co-Existence - Distribution Group Management

    We're running both exchange 2010 and Exchange 2003.  I have an issue where some distribution groups were upgraded to Exchange 2010 (v14.0.100) and the manager of those lists who are on Exchange 2003 can no longer modify members, they get the error:
    "Changes to the distribution list membership cannot be saved.  You do not have sufficient permission to perform this operation on this object".
    We've already implemented the myDistributionGroupsManagement role with success to allow Exchange 2010 users to manage their own list without allowing them to create new ones.
    http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
    Trying to apply the "Default Role Policy Assignement" to the exchange 2003 users returns an error. Is there any way Exchange 2003 users can manage Exchange 2010 Distribution list they owned without being upgraded to Exchange 2010? If not, is there any way to downgrade distribution group to Exchange 2003 once they've been upgraded?

    Hi,
    From my lab, a legacy Exchange user can manage the distribution group which has been upgraded to Exchange 2010.
    Exchange 2010 sp2, Exchange 2003 with sp2.
    I can add/remove member for distribution group from address book via outlook.
    Xiu Zhang
    TechNet Community Support

  • Unable to send email as a distribution group address

    Hi
    We have a user who is a member of three distribution groups in exchange server 2010. He is able to send emails changing his “from” address to two of the distribution group addresses but not the other.
    This is the error message received “You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission.”
    Can anyone assist
    Thanks
    Esky

    Hi Esky,
    Please make sure it has necessary permission assigned
    Please try deleting addressbook
    Close Outlook and delete the Offline Address book folder(s) under "C:\Users\Username\AppData\Local\Microsoft\Outlook\Offline Address Books\" (Assuming your OS is Windows 7)
    Please check this for details. It is a similar thread http://exchangeserverpro.com/forums/exchange-server-2010/536-exchange-2010-outlook-2007-2010-send-issues.html
    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
