ERROR: The action 'Set-DistributionGroup', 'AcceptMessagesOnlyFromSendersOrMembers', can't be perfor


error in setting sending restriction to distribution group


The action 'Set-DistributionGroup', 'AcceptMessagesOnlyFromSendersOrMembers', can't be performed on the object 'ContosoALL' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.


We previously had Exchange 2010 on-prem and migrated all users to Office 365; we have AAD Connect.


Any known fix?



12 Replies

Mmm... strange, and interested in learning what is happening here... tagging @Vasil Michev

The fix is to configure this on-premises, as with pretty much any other scenario involving dirsync. Namely, edit the authorig attribute to include the users you need.


Full list of related attributes can be found for example here:

The golden rule is to always manage objects in the environment they belong to. In this case, the DL belongs to the on-premises organization, so you must manage it there. If it were a cloud object, you could manage it with the Office 365 tools.

hi @Vasil Michev, tried editing authOrig but got error below




please advise

Use PowerShell:


Set-ADObject "DG" -replace @{authorig="DN of the object you want to grant permissions"}

@Vasil Michev Thanks!!

This resolved my issue. Once I added one member using PowerShell (running as domain administrator) on my domain controller, I was able to edit it using the regular ADSI edit tool.

@Steve_Bauman will this block internal users from emailing the DG?



Yes I believe so. You can test it yourself by creating a test distribution group, setting this property, allowing it to synchronize to Office 365, then sending an email to it.


Unfortunately, deployment of this was halted internally for the company I work for, so I can't tell you for sure.



Can you send a sample of the script? I am not getting what to put in "DG" as it keeps saying cannot find an object with that identity.

@Gregory2190 Yes absolutely, I should have posted this originally, my bad!


You must insert the full Distinguished Name of the Distribution Group in-between the quotes, and insert a user's distinguished name that should be allowed to send to the group in the "authorig" quotes. For example:



Set-ADObject "cn=MyDistributionGroup,OU=Groups,DC=local,DC=com" -replace @{authorig="CN=Bauman\, Steve,OU=Users,OU=User Accounts,DC=local,DC=com"}



You can find your distribution group's distinguished name by opening up Active Directory Users & Computers on your AD server, enabling "Advanced Features" (inside of the "View" top header tab), then right-clicking the object, selecting "Properties", clicking the tab "Attribute Editor", and then scrolling to find the 'distinguishedname' attribute.


Let me know if you'd like some screenshots!




To elaborate, if you're getting the error "Cannot find an object with identity", then the Distinguished Name was not typed in properly and the query was not able to locate the object in your Active Directory. Be sure to escape commas inside of each Distinguished Name component (as shown in the example above) if your object has commas in its Common Name.


The Active Directory Users & Computers Attribute Editor tab will not allow you to edit the "authorig" attribute if there are no entries inside of it (I have no idea why honestly). But once you add at least one Distinguished Name inside of it, you can use the Attribute Editor.
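One way to script the change discussed in this thread without typing distinguished names by hand (an added example, not code posted by any participant). It assumes the ActiveDirectory RSAT module on a domain-joined machine; the function name `Add-AuthorizedSender`, the group name and the account name `sbauman` are placeholders.

```powershell
# Added example. Function name, group name and account name are placeholders (assumptions).
Import-Module ActiveDirectory

function Add-AuthorizedSender {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,        # Name of the on-premises distribution group
        [Parameter(Mandatory)] [string] $SenderSamAccount  # sAMAccountName of the sender to allow
    )

    # Resolve both objects from AD so the DNs (including escaped commas) are exact.
    $safeName = $GroupName.Replace("'", "''")              # escape apostrophes for the AD filter
    $groups   = @(Get-ADGroup -Filter "Name -eq '$safeName'" -Properties authOrig)
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }
    $group    = $groups[0]
    $senderDn = (Get-ADUser -Identity $SenderSamAccount -ErrorAction Stop).DistinguishedName

    if ($group.authOrig -contains $senderDn) {
        Write-Verbose "$senderDn is already listed in authOrig."
    }
    elseif ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add $senderDn to authOrig")) {
        # -Add appends one value; -Replace would overwrite every sender already listed.
        Set-ADObject -Identity $group.DistinguishedName -Add @{ authOrig = $senderDn }
    }

    # Return the attribute as it now stands so the caller can review the full sender list.
    (Get-ADGroup -Identity $group.DistinguishedName -Properties authOrig).authOrig
}

# Dry run first: -WhatIf reports the change without writing to the directory.
Add-AuthorizedSender -GroupName 'MyDistributionGroup' -SenderSamAccount 'sbauman' -WhatIf
```

Remove `-WhatIf` to apply the change; the restriction reaches Office 365 only after the next directory synchronization.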


Good day,
I have the same error message. I need to give the rights to an email address and I get this error message. So I did go on our domain controller. Usually, I just need to go in the attribute editor, I find the value and I modify it and it is done. The problem is that I cannot find that value at all in the attribute editor. Usually I find everything there.

Do you know why I cannot find that value while usually I find all the others I need?