Article ID: 2586832 - View products that this article applies to.
After Microsoft Exchange Server 2010 is installed, Microsoft Outlook users may be unable to change the membership of groups for which they are listed as the managers. When they try to do this, they receive the following error message:
Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object.
Collapse this imageExpand this image
There are multiple causes for this behavior.
Cause 1This behavior is by design in Exchange Server 2010 and Exchange Server 2013. Role Based Access Control (RBAC) and the associated self-service roles that accompany it were introduced in Exchange Server 2010. To prevent customers from unexpectedly causing problems with group management, the group management self-service role is now set to Off by default.
To resolve this issue, see Resolution 1.
Cause 2Distribution groups are configured to be managed by other distribution and security groups. Unfortunately, when Exchange 2010 adopted the RBAC model, you could no longer have a group manage other groups. In Exchange 2010 and Exchange 2013, you must list your group managers and individual users instead of a group.
To resolve this issue, see Resolution 2.
Cause 3When an Outlook client connects to an Exchange 2010 or Exchange 2013 mailbox, the Directory connection is now directed through an Exchange server that has the Client Access Server (CAS) role. The CAS servers intercept the calls for group management and then process them through RBAC. If the RBAC engine determines that the user can manage this group, it lets the call be completed. However, if you have the Closest GC registry value configured on the Outlook client, Outlook continues to connect through the global catalog server instead of going through the Exchange CAS server. The use of the closest global catalog and DS Server registry values is not supported with mailboxes in Exchange 2010 and later versions.
To resolve this issue, see Resolution 3.
Cause 4If the alias of the group that the user is trying to edit contains unauthorized characters, you can't edit it from Outlook, even if the permissions are configured correctly.
To test for this condition, start the Exchange PowerShell, and then run the following command:
get-distributiongroup <group_name>Note The <group_name> placheholder represents the group that the user cannot edit.
If the shell returns an error message that states that the group has failed validation, you must resolve the problem with the group and make sure that it passes validation.
To resolve this issue, see Resolution 4.
Cause 5The group that you are trying to change must be a universal group. The CAS redirect and RBAC engine cannot change local or global groups.
To resolve this issue, see Resolution 5.
Cause 6This error is also triggered if the group that you are trying to edit is not a member of the default global address list.
To resolve this issue, see Resolution 6.
How to manage groups that I already own in Exchange 2010
How to manage groups with groups in Exchange 2010
How to configure Outlook to a specific global catalog server or to the closest global catalog server
Exchange 2007 Scripting Corner: fix-alias
How to convert global groups to universal groups
Managing address lists