[Exchange 2013]: Exchange Org admin cannot Manage Mail enabled USG owners / members in (EAC) Exchange admin center

Exchange 2013 uses the browser-based Exchange Admin Center (EAC) for all administrative tasks and operations. I don't want to bore you with a lot of details like split permissions, the changes across Exchange Server 2010 RTM / SP1 / SP3, and how we managed mail-enabled universal security groups in the EMC ...

In Exchange Server 2013, an Exchange Org Admin / Recipient Admin cannot modify the ownership (ManagedBy) or membership of mail-enabled universal security groups (USGs) that they do not OWN in the Exchange admin center (EAC). The following error is returned if they try to modify members or owners:

"You don't have sufficient permissions. This operation can only be performed by a manager of the group."


This behavior is by design in Exchange Server 2013 (EAC) when modifying the owners or membership of a security group that the admin does not own. Only the owners of a security group can add members to or remove members from the group using ECP/EAC.

More Information:

The caveat here is that an Org Admin or Recipient Admin can only modify a USG's owners or members if the admin account is listed as a group owner in the ManagedBy attribute. USGs are security principals that are generally used to protect confidential information, so allowing non-owners to modify the owners or members is not a good idea. This behavior can be noticed in both EAC and OWA.


The workaround is to use the Exchange Management Shell to update the membership or ownership of mail-enabled USGs that administrators do not own, using the "BypassSecurityGroupManagerCheck" switch.

Examples:

A - To set (add or remove) the OWNERS of a mail-enabled security group; note that -ManagedBy with a list replaces the current owner list:

Set-DistributionGroup "USGName" -BypassSecurityGroupManagerCheck -ManagedBy Owner1,Owner2,Owner3

B - To append new owners without replacing the existing ones:

Set-DistributionGroup "USGDLNAME" -BypassSecurityGroupManagerCheck -ManagedBy @{Add="NewOwnerAlias2","NewOwnerAlias3"}

C - To add or remove members of a USG:

Add-DistributionGroupMember -Identity "USGName" -Member User@domain.com -BypassSecurityGroupManagerCheck
Remove-DistributionGroupMember -Identity "USGName" -Member User@domain.com -BypassSecurityGroupManagerCheck

* NT System account credentials should be submitted while modifying membership or ownership of a mail-enabled security group.
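The same membership change wrapped in a small Exchange Management Shell function, as an added example that is not from the original post: it confirms the target really is a mail-enabled USG, uses -BypassSecurityGroupManagerCheck only when the account running the shell is not in ManagedBy, and appends an audit line so use of the bypass is recorded. Group, member and log-path names are constructed placeholders; resolving the current admin with Get-User -Identity "DOMAIN\user" is an assumption.

```powershell
# Added example (not the original post's code). Assumes the Exchange 2013
# Management Shell cmdlets are loaded. Names and paths are placeholders.
function Set-UsgMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member,
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add',
        [string]$AuditLog = "$env:TEMP\usg-membership-audit.log"   # constructed path
    )

    $g = Get-DistributionGroup -Identity $Group -ErrorAction Stop
    if ($g.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
        throw "$Group is not a mail-enabled universal security group ($($g.RecipientTypeDetails))."
    }

    # ManagedBy is the list the EAC checks; see whether the admin running this
    # shell is on it (assumption: Get-User resolves DOMAIN\sAMAccountName).
    $admin = "$env:USERDOMAIN\$env:USERNAME"
    $adminDn = (Get-User -Identity $admin -ErrorAction Stop).DistinguishedName
    $isOwner = [bool]($g.ManagedBy | Where-Object { $_.DistinguishedName -eq $adminDn })

    $params = @{ Identity = $g.Identity; Member = $Member; ErrorAction = 'Stop' }
    if (-not $isOwner) {
        # Same switch the post uses: skips the group-manager check that blocks
        # non-owners, so its use is written to the audit log below.
        $params['BypassSecurityGroupManagerCheck'] = $true
    }

    if ($Action -eq 'Add') {
        Add-DistributionGroupMember @params
    } else {
        Remove-DistributionGroupMember @params -Confirm:$false
    }

    # One audit line per change: who, what, which group, and whether the bypass was needed.
    $line = '{0:u} {1} {2} {3} on {4} bypass={5}' -f (Get-Date), $admin, $Action,
            $Member, $g.Identity, (-not $isOwner)
    Add-Content -Path $AuditLog -Value $line
    return $line
}

# Example calls (constructed names):
# Set-UsgMembership -Group 'FinanceSecureUSG' -Member 'user@domain.com' -Action Add
# Set-UsgMembership -Group 'FinanceSecureUSG' -Member 'user@domain.com' -Action Remove
```

Reviewing the audit log for lines with bypass=True gives a quick list of changes made to groups the admin does not own.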

Manju