I recently had an issue where one of the personnel on the Service Desk Team did not have access to Exchange On-Premises PowerShell but needed to be able to add an owner to a group. They asked for my assistance and when I went into EAC to add the owner, I got the following error message:
So, per the following article:
You don’t have sufficient permissions when remove or change distribution group – Exchange | Microsoft Learn
I went into PowerShell and added the Owner to the Group with the -ManagedBy parameter
1 | Set-DistributionGroup <group> -ManagedBy @{Add="<value1>", "<value2>", …} -BypassSecurityGroupManagerCheck |
Here is the problem, that doesn’t solve the issue for the Service Desk Personnel and I don’t want to get a bunch of tickets that could be handled by them. I am unable to grant permissions to Exchange PowerShell without all these extra Security/Compliance Team approvals and processes. Too much time and it would probably be denied. The Service Desk Personnel do have access to ADUC though with the Advanced Features so I began digging.
I found the managedBy attribute in the AD Attributes for a DL, but I could only add one value to that attribute which is the DN of the first manager of the Group:
I needed to be able to have multiple Owners of the DL added/removed so I found the attribute that does that in the Exchange Server AD Schema. That value is:
msExchCoManagedByLink
Once I opened that value in the list, I saw that I could add multiple DN values to the attribute so that I could have multiple owners:
Once that was completed, I went back to EAC and saw the owners were added to the owners list successfully:
So, this solved the issue and allowed the Service Desk Personnel to manage those groups in Exchange through AD at least to add/remove owners to those groups. There is always more than one way to get the job done and knowing the product schema helps with that! I hope this might help you out in the future! Be sure to look for alternative methods in the context that you have to assist when you can! Look at the references below for more information! Happy admin-ing!
REFERENCES:
You don’t have sufficient permissions when remove or change distribution group – Exchange | Microsoft Learn
Exchange: Distribution Lists with Multiple Managers – Active Directory FAQ
About Lance Lingerfelt
Lance Lingerfelt is an M365 Specialist and Evangelist with over 20 years of experience in the Information Technology field. Having worked in enterprise environments to small businesses, he is able to adapt and provide the best IT Training and Consultation possible. With a focus on AI, the M365 Stack, and Healthcare, he continues to give back to the community with training, public speaking events, and this blog.
