Get a “You don’t have sufficient permissions. This operation can only be performed by a manager of this group.” in Exchange 2010.

Role Based Administration

 

In our environment, like most bigger organizations, we have separate teams for helpdesk, and separate teams for engineering.  Helpdesk should have rights to perform actions on certain items, such as users and distribution groups, but not on the server level.  We utilize Role Based Administration in Exchange 2010 to give our helpdesk team the ability to manage end users, but not the servers.  I recently received a ticket regarding the helpdesk guys not being able to add certain users to a distribution list, they would receive the error “You don’t have sufficient permissions. This operation can only be performed by a manager of this group.”:

 

image

There was a bug in Exchange 2010 SP1 that was fixed in RU 3 for 2010 SP1 (http://support.microsoft.com/kb/2487852), but we are running Exchange 2010 SP2 RU1, so we were way past that.

What was the issue?  Role based administration.  We had assigned the helpdesk group the “Recipient Management” role.  When I checked the group that the helpdesk tech was trying to add the user to, I noticed that the group was a Mail Universal Security Group.  The tech had no trouble adding the user to a Mail Universal Distribution Group.

We could see the issue when the tech tried to create a new distribution group.  A distribution group type worked fine, but when he tried to create a security group he got the error that “A parameter cannot be found that matches parameter name ‘Type’”:

image

So we needed to add the management role “Security Group Creation and Membership” to the group the helpdesk team was in.

Since we were running in a resource forest setup, we needed to create a new role group, and matching Universal Security Group in the management domain and add the role group to this group.  Then we could add the users we want to it.

In our management domain, aptly named management.corp we created a group called Group-HelpDesk-SecurityGroup and add our helpdesk technicians to this group.  Then in the Exchange Management Shell, as an Organization Admin we run:

$remotecred = get-credential

This will cause a windows pop up box, where we need to enter our security credentials for management.corp for later.

Then run:

New-RoleGroup “NameofRoleGroup” –LinkedForeignGroup Group-Helpdesk-SecurityGroup –LinkedDomainController DC01.management.corp –LinkedCredentials $remotecred –Roles “Security Group Creation and Membership”

Now, have the helpdesk technicians close and reopen their Exchange Consoles or Exchange Management Shell and they should be able to add the group members to distribution lists, as well as security groups.

ADDED BONUS:

If your wondering how to create a linked group and assign it to a role, follow the below.  In this case we want to add a group called REMOTE-ORGMGMT to the role “Organization Management” in Exchange 2010.

Create group in management.corp called “REMOTE-ORGMGMT” and add the admins to this group that you want to have this right.  In the Exchange Management Shell run:

$remotecred = get-credential

This will cause a windows pop up box, where we need to enter our security credentials for management.corp for later.

$roles = Get-RoleGroup “Organization Management”

New-RoleGroup “MANAGEMENT-OrganizationManagement” –LinkedForeignGroup “REMOTE-ORGMGMT” –LinkedDomainController DC01.management.corp –LinkedCredentials $remotecred –roles $roles.roles

Then have the Management.corp admin users close and re-open their Exchange Management Consoles and you should be all set.

Comments;

  1. Hey just wanted to give you a quick heads up. The text in your post seem to be running off the screen
    in Chrome. I’m not sure if this is a formatting issue or something to do with web browser compatibility but I thought I’d post to let you know.
    The design and style look great though! Hope you get the issue solved soon.
    Kudos

    Reply
  2. Great information. Lucky me I recently found your blog by chance
    (stumbleupon). I’ve saved as a favorite for later!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *