I'm trying to create a distribution group whose members are managed by a regular user while meeting following requirements:
- This owner/manager shall only be able to manage groups owned/managed by him
- The members should only be added and removed by the groups manager - a closed group
- The group should receive emails from inside and outside of the organization
What I already tried
- Creating a distribution group in ECP and selecting a user as the owner
- Creating a distribution group via the Exchange Shell
- Modifying the group owner via ECP, AD and Exchange Shell
- Checking the "Manager can update membership list" checkbox in the "Managed By" tab
- Modifying the access rights via PowerShell
Add-ADPermission -Identity: "[GROUP]" -User "[USER]" -AccessRights ReadProperty, WriteProperty -Properties "Member"
- Waiting for days and Restarting IIS
- Exchange 2016 with latest patches
- The group is a universal distribution group
- The alias contains no special or unauthorized characters
- The Group is member of the GAL
All the listed methods are resulting in the following error message while the owner/manager is trying to change the members of his group using Outlook:
Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object.
Using RBAC would lead to a user having control over all distribution groups in a certain OU. Doing it right would lead to creating a new OU for each user's group and a new admin role containing this sole user linked to this specific OU.
Is there any other way to solve this one? All ideas are welcome.