Share via

Error synching distribution groups

Anonymous
2017-01-16T19:33:26+00:00

The action 'Update-DistributionGroupMember', 'BypassSecurityGroupManagerCheck,Identity,Members', can't be performed on the object 'All_Active_Users' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

This error message when trying to change a distro group on Office365 admin.  The AD group IS updated (several months ago) and synching has done nothing to alleviate the issue.  I have since removed the group from AD in an attempt to force the changes I want, but thus far the Office Admin group listing has not changed - the offending group remains with no way to enact changes thusly.

Thoughts on what I may try next?

Microsoft 365 and Office | Subscription, account, billing | For home | Windows

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

Answer accepted by question author

Anonymous
2017-01-17T06:49:04+00:00

Hi Ceepal1004,

As the error message says, distribution groups that are created in Office 365 through directory synchronization must be managed in the on-premises environment. Distribution group owners must manage the group by using on-premises tools for Exchange Server such as followings:

Exchange Admin Center, Exchange Management Console, Exchange Management Shell

After changes are made to the group in the on-premises environment, the changes are synced to Office 365 the next time that directory synchronization runs. Or, to see the changes immediately, you canforce directory synchronization.

We’d like to confirm if “The AD group IS updated (several months ago)” means you have changed the distribution group in on-premises. If yes and it doesn’t work, we need some information below for a better understanding:

  1. How and where did you update the group?
  2. How did you remove the group from on-premises AD?

Regards,

Larry

Was this answer helpful?

1 person found this answer helpful.
0 comments

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2017-01-20T14:03:49+00:00

    That would be easy to do, except we don't any form of on-prem Exchange service.  So all of the groups have been AD created and synchronized from their inception.  I tested several theories yesterday and discovered that Security groups update via Azure synch but distribution groups do not.  Changes I made were updated within 5 minutes for any security group but have yet to change for any distro group.

    By not providing a workable answer, I discovered the answer I needed to find.  Distribution groups do not work between AD and O365 Admin - likely excepting the initial creation.  OR distribution groups do not work in the latest iteration of Office365 Admin. Either way, I have some extensive evenings of reworking to do of our groups

    Thank you for your time.

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments
  2. Anonymous
    2017-01-20T07:57:01+00:00

    Hi Ceepal1004,

    Thanks for your updates.

    So, the group was created from local Active Directory Users and Computers (ADUC). In this situation, the group isn’t mail-enabled. Even if we fill in the group’s Email or proxyAddress attribute and sync the group to Exchange Online, this way is not officially supported.

    We always recommend that you create the group from on-premise Exchange Server. Then the group is mail-enabled and it will be automatically synced to Exchange Online via AAD Connect. In this way, we can manage all attributes of the distribution groups using the tools I mentioned before.

    Regards,

    Larry

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments
  3. Anonymous
    2017-01-19T13:14:42+00:00

    Thanks Larry.

    I used AD on the Primary DC and made changes to the group in question when they occurred (back in October).  Through the normal course of synchronization and standard updates, I never forced the change in O365 Admin, as I assumed any changes would be part of the normal course of operations.  For example, as end users have come and gone we have created or removed their email acounts and profiles - those changes are reflected in AD first and propogated to O365 Admin within 2 hours (an expectation).  Changes have been made to several group memberships based on these add/remove situations.  What I am not in a position to check today (working off-site) is whether these other groups have updated throughout the months (or not).  I do not currently use any Exchange product, save the on-line 365 management tools, so have not tried to make changes using the tools you suggested below unless they are embedded within the currently sanctions O365 set.

    I also used AD on the Primary DC to remove the group.  First I verified that the protection checkbox was off, then right-clicked and deleted.   The group in question is a global distro group.  I took screenshots of everything so can recreate it. 

    I hope this helps define the issue for you.  Please ask more questions if needed.  I'm happy to share and try anything suggested.

    Was this answer helpful?

    0 comments