Sep 14 2017 08:32 PM - edited Sep 14 2017 08:40 PM
error in setting sending restriction to distribution group
The action 'Set-DistributionGroup', 'AcceptMessagesOnlyFromSendersOrMembers', can't be performed on the object 'ContosoALL' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.”
we prevoisly have Exchange 2010 onprem and migrated all users to Office 365, have AAD connect.
Any known fix?
Thanks
Sep 14 2017 10:22 PM
Mmm...extrange and interested on learning what is happening here....tagging @Vasil Michev
Sep 15 2017 12:26 AM
The fix is to configure this on-premises, as with pretty much any other scenario involving dirsync. Namely, edit the authorig attribute to include the users you need.
Full list of related attributes can be found for example here: https://support.microsoft.com/en-us/help/2618066/how-to-manage-exchange-dynamic-distribution-group-r...
Sep 15 2017 01:59 AM
The golden rule is to always manage objects in the environment they belong to. In this case, the DL belongs to the on-premises organization, so you must manage it there. If it were a cloud object, you could manage it with the Office 365 tools.
Sep 21 2017 07:24 PM - edited Sep 21 2017 07:25 PM
Sep 23 2017 07:48 AM
Use PowerShell:
Set-ADObject "DG" -replace @{authorig="DN of the object you want to grant permissions"}
Aug 20 2019 09:51 AM
@Vasil Michev Thanks!!
This resolved my issue. Once I added one member using PowerShell (running as domain administrator) on my domain controller, I was able to edit it using the regular ADSI edit tool.
Mar 06 2020 10:34 AM
Yes I believe so. You can test it yourself by creating a test distribution group, setting this property, allowing it to synchronize to Office 365, then sending an email to it.
Unfortunately, deployment of this was halted internally for the company I work for, so I can't tell you for sure.
Mar 12 2020 11:23 AM
Can you send a sample of the script? I am not getting what to put in "DG" as it keeps saying cannot find an object with that identity.
Mar 12 2020 12:13 PM
@Gregory2190 Yes absolutely, I should have posted this originally, my bad!
You must insert the full Distinguished Name of the Distribution Group in-between the quotes, and insert a users distinguished name that should be allowed to send to the group in the "authorig" quotes. For example:
Set-ADObject "cn=MyDistributionGroup,OU=Groups,DC=local,DC=com" -replace @{authorig="CN=Bauman\, Steve,OU=Users,OU=User Accounts,DC=local,DC=com"}
You can find your distribution groups distinguished name by opening up Active Directory Users & Computers on your AD server, enabling "Advanced Features" (inside of the "View" top header tab), then right-clicking the object, selecting "Properties", clicking the tab "Attribute Editor", and then scrolling to find the 'distinguishedname' attribute.
Let me know if you'd like some screenshots!
EDIT
To elaborate, if you're getting the error "Cannot find an object with identity", then the Distinguished Name was not typed in properly and the query was not able to locate the object in your Active Directory. Be sure to escape commas inside of each Distinguished Name component (as shown in the example above) if your object has commas in its Common Name.
The Active Directory Users & Computers Attribute Editor tab will not allow you to edit the "authorig" attribute if there are no entries inside of it (I have no idea why honestly). But once you add at least one Distinguished Name inside of it, you can use the Attribute Editor.
Apr 23 2021 06:14 AM - edited Apr 23 2021 06:15 AM
Good day,
I have the same error message. I need to give the rights to an email address and I get this error message. So I did go on our domain controller. Usually, I just need to go in the attribute editor, I find the value and I modify it and it is done. The problem is that I cannot find that value at all in the attribute editor. Usually I find everything there.
Do you know why I cannot find that value while usually I find all the others I need?
Cheers