How to manage groups with groups in Exchange 2010

Thanks Tammy, we've had this problem and it's good there's something to help us.

We've got a related problem with group membership.  Before Exchange 2010, you could permission a group so people could add and remove *themselves* using Outlook.  This doesn't seem to work anymore.  You can configure groups to allow this, but users have to add/remove themselves with Exchange Control Panel, it doesn't work using Outlook, they get the same error message as above.  This isn't a great end-user experience.

Has this functionality also been lost in Exchange 2010?  

Wow... this phrase kind of stumps me because you don't provide a technical explanation as to why: "In Exchange 2010, distribution groups can't be managed by groups - only individual users can manage groups.".

It is beyond me why this functionality was lost and that Exchange 2010 makes people either script up and forever maintain processes to simulate group based administration, or loose the functionality altogether.

Don't get me wrong, the script sounds really impressive and we are glad you are providing us with something versus nothing, but loosing the ability to do group based administration w/o a technical explanation is somewhat dumbfounding because this change in support is counter-intuitive.

Great timing ... we really needed this!  If we want to "chase nested groups" I assume it is as simple as changing the line $Userstoset = Get-ADGroupMember $_.($dn_storage) to $Userstoset = Get-ADGroupMember $_.($dn_storage) -recursive ?

Thanks!

How does this effect 2007 groups that have groups that administer permissions?

Is this because in previous Exchange versions, Outlook was getting a referral for NSPI and ended up talking straight to a global catalog for directory purposes and now in Exchange 2010 the referral takes it to the Address Book Service running on the Client Access server? With the CAS being unable to enumerate group memberships for some reason... ?

This was a major pain for us in upgrading to 2010.  So many great things added yet something so fundamental was removed and caused us months and months of pain.  People changed teams/departments or were hired and we had to write a program as part of the process so can automatically manage their teams groups.  Not to mention the semi-open forum based groups that allowed people who belonged to certain teams/departments join and leave groups as they please.  Way to really think that one through guys.  Remove a feature that has been in place for 10 years or more and make companies who used it eat the cost of development.  What exactly did you achieve by removing this anyway?  I was so astonished when I discovered this new functionality last year that I actually opened a case with MS Premier Support services because I knew it had to be a bug.  Microsoft has always evangelized the benefits of leveraging group based management.  What could possibly have made you want to take such huge step backwards?

When Exchange 2010 moved to the new RBAC based model for permissions management, this functionality was lost in translation.  Currently RBAC will only evaluate users who are directly listed as being managers of the Distribution list and will not even look at groups or group membership when determining if you can edit the DL.  

The product group is aware of this limitation and the fact that it is impacting to customers but has determined that it is not feasible to implement this change in Exchange 2010.  They do already have this as an item for consideration against Exchange 15.

It won't be fixed with a Service Pack ? That's mean 2-3 years until the fix ? How bad. We are migrating soon from 2003 to 2010 (15 000 users), this gonna be a show stopper.

We experienced this problem 6 months ago and it had quite an impact. I was surprised it had not been documented by Microsoft. Sorry but this is unacceptable Microsoft. Such a limitation should have been identified in beta testing.

I tried this- but it did not work for me

[PS] C:Windowssystem32>cd c:

[PS] C:>.test.ps1 -DistributionGroup tdl -groupowner tsg

The term '.test.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the

spelling of the name, or if a path was included, verify that the path is correct and try again.

At line:1 char:11

+ .test.ps1 <<<<  -DistributionGroup tdl -groupowner tsg

   + CategoryInfo          : ObjectNotFound: (.test.ps1:String) [], CommandNotFoundException

   + FullyQualifiedErrorId : CommandNotFoundException

Any thoughts?

Thank you for your response Tammy, but I'm at a complete loss as to why it's not feasible to work this into Exchange 2010 via service pack?  I wrote a Windows service in C# to handle synchronization of DL managers based on AD group membership in under a month.  All while performing other project related tasks.  You are Microsoft.  You wrote Exchange.  You wrote AD.  You already wrote this functionality before. You have and are the technology.  The functions required all lie within the platform SDK and/or .Net framework to be easily leveraged by even the greenest of programmers.  Almost all other AD integrated Microsoft programs are completely capable of handling group membership based authorization, nesting and all.  Group based based management is a core concept of delegation, reduced administration overhead, and support costs.  What can we do as faithful Microsoft customers to get this functionality bumped up and added to Exchange 2010?  We're just asking for a bit of your time to make Exchange Administrators around the world breathe a little easier.

This "problem" was introduced as part of changes made to the RBAC model in Exchange 2010 SP1.  The actual problem is fairly well known, even though Microsoft doesn't like to talk about it.  It is the result of a philsophical shift in the approach to security with regards to "split permissions" between Active Directory and Exchange administrators.  This problem centers around mail-enabled security groups almost exclusively.  There are various workarounds that can be used to adequately manage pure distribution groups, but once you make that group a security principal, RBAC takes over and whacks you on the head.

Microsoft fixed this partially in Update Rollup 3 when they added the -BypassSecurityGroupManagerCheck flag back to the Powershell command that gets executed when you attempt to update security group memberships from within the Exchange 2010 admin console.  The problem is that they DID NOT add this flag to the behind-the-scenes scripting that occurs when you do the exact same thing from OWA (or Outlook, which is probably impossible with the new model).  The fix for this is pretty darn simple.  Just add the -BypassSecurityGroupManagerCheck flag to the scripting that occurs behind the scenes when a properly configured RBAC user is trying to manage a mail-enabled security group.  You did it for the EMC, now do it for the ECP in OWA.  Please.  No waiting for Exchange 2020 or service pack 300.  You could fix this in an update rollup tomorrow.

BTW, I should add that I wrote a custom Powershell script to run as a scheduled task that does something very similar to what the script mentioned above does.  Even though it works, it's a very ugly approach to fixing this problem, and God help me when I have to undo this all someday.  It's insane to have to make multitudes of people direct "owners" of a security group just to be able to manage the membership list.  What's worse, you can't even make someone an owner using the ECP unless you're already an owner yourself, so delegating this out to other admins is a challenge unto itself.  This is, by far, my biggest gripe about Exchange 2010.  In order to address the relatively few cases where the Active Directory administrator is a separate function from the Exchange administrator, you turned a decade-old management system on its ears.  This was a very poorly thought out decision.  Just admit it and fix it, and we'll forgive you for it.

It's quite obvious that this new breed of developers have zero appreciation for what we AD and Exchange techies regard as normal and SOP. We all know that best practise is to use security groups for things like this but in the face of all this we are forced to specify users directly???

I suppose it's OK. I mean, I dose up on Cola and tell my kids off for doing the same!

If you have multiple DGs with some commonality in naming convention, that needs to be managed by a single SG, instead of doing this one by one, you can use the script below( note the wild card and path to the original script):

$DLs = Get-DistributionGroup <DG.*>

$DLs | %{

 c:scriptsSet-DistributionGroupOwners.ps1 -DistributionGroup $_.Name -GroupOwner SG

}

Thanks to Mike Pfeiffer for the script and Bhargav Shukla for the idea :)