1.) Yes, adding the individual admin users in our case (not a domain group - not sure if that would work, see below).

2.) Just the managed by permission itself - the checkbox has no effect and isn't necessary.

3.) Yes, only mail-enabled objects will show in EAC (groups and users). Not sure if you can add non-mail-enabled via PowerShell, but it might work. I say that because one of our Exchange admin user accounts is a non-mail-enabled user, but as a member of the mail-enabled DL group that is the primary owner group assigned on all DL groups, that account can manage these groups via EAC.

4.) I also created the special RBAC role to limit what the DL owners can do as per the following (still applies to 2013). You will have to see if you want this one or not, but in our case it was the only way to limit down the access so they can't create/remove DLs in addition to managing memberships:

http://blogs.technet.com/b/exchange/archive/2009/11/18/how-to-manage-groups-that-i-already-own-in-exchange-2010.aspx

Good luck!

-Bonnie

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Wednesday, May 07, 2014 2:06 PM
To: [email protected]
Subject: [Exchange] RE: Managing DLs with Groups

Bonnie:

Thanks for the information! We don't have Exchange 2013 yet (but we should shortly), so I'll try this out then.

To clarify, is this what you did to be able to use groups in Exchange 2013:

1. Create a new global Security group called something like Exchange All DL Admins and add Exchange Admins into this group.
2. Assign Exchange All DL Admins to have Managed By permission and Manager can update membership list permission.
3. Log into EAC using one of the users that is now a member of Exchange All DL Admins and then add an existing group as an Owner. Can you specify non-mail-enabled security groups, or can you only choose DL groups?

Thanks,

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Miller Bonnie L.
Sent: Wednesday, May 7, 2014 12:50 PM
To: [email protected]
Subject: [Exchange] RE: Managing DLs with Groups

I ran across this during our 2007 to 2013 migration, and thankfully this is not accurate for 2013 - you can use groups. For ours, I first added a new global dl managers group via AD as the manager, and then within EAC, using an account that is a member of the global dl managers group, I was able to add additional groups for those DLs that are delegated for management (previously done via direct AD permissions).

As far as auditing, I'm not sure how they are stored, but you would probably have to use PS to get information from the DLs via Exchange, as when viewing the managedBy attribute in AD, it only shows the first one applied.

-Bonnie

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Wednesday, May 07, 2014 12:32 PM
To: [email protected]
Subject: [Exchange] Managing DLs with Groups

I just learned that with Exchange 2010 and Exchange 2013, you can no longer manage DLs with groups as per http://blogs.technet.com/b/exchange/archive/2011/05/04/how-to-manage-groups-with-groups-in-exchange-2010.aspx.

Besides the workarounds mentioned on the blog above, are there any other workarounds/solutions that people have used to address this problem? My goal primarily is to be able to quickly audit a user's permission to identify what access permissions they have, ideally through the Member Of tab along with the rest of the user's permissions.

Thanks,

-Aakash Shah
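An added example, not written by anyone in this thread: the PowerShell-side audit discussed above, answering "which DLs can this account manage, and through which owner entry", run over constructed sample data so it works offline. It assumes the owner lists and group memberships have already been exported (for instance from `Get-DistributionGroup` and `Get-Group`), and it counts nested owner-group membership, which is an assumption chosen so the audit over-reports rather than under-reports; all group and account names are hypothetical.

```powershell
# Constructed sample data. In a live Exchange Management Shell the owner lists
# would come from Get-DistributionGroup -ResultSize Unlimited (Name, ManagedBy)
# and the memberships from Get-Group (Members). All names are hypothetical.
$Members = @{
    'Global DL Managers' = @('adminA', 'Helpdesk DL Owners')
    'Helpdesk DL Owners' = @('userB', 'Global DL Managers')   # deliberate nesting loop
}
$Groups = @(
    [pscustomobject]@{ Name = 'Staff-All';  ManagedBy = @('Global DL Managers') }
    [pscustomobject]@{ Name = 'Finance-DL'; ManagedBy = @('Global DL Managers', 'userC') }
    [pscustomobject]@{ Name = 'Project-X';  ManagedBy = @('userC') }
)

# Resolve one ManagedBy entry to the individual accounts behind it.
function Expand-Owner {
    param([string]$Owner, [hashtable]$Members,
          [System.Collections.Generic.HashSet[string]]$Seen)
    if (-not $Seen.Add($Owner)) { return }        # already visited: breaks nesting loops
    if ($Members.ContainsKey($Owner)) {
        foreach ($m in $Members[$Owner]) { Expand-Owner $m $Members $Seen }
    } else {
        $Owner                                    # not a known group: treat as an account
    }
}

# One row per (DL, owner entry) through which $User ends up as a manager.
function Get-DlOwnershipReport {
    param([object[]]$Groups, [hashtable]$Members, [string]$User)
    foreach ($g in $Groups) {
        foreach ($owner in $g.ManagedBy) {
            $seen = New-Object 'System.Collections.Generic.HashSet[string]'
            $effective = @(Expand-Owner $owner $Members $seen)
            if ($effective -contains $User) {
                $via = 'direct'
                if ($owner -ne $User) { $via = $owner }
                [pscustomobject]@{ Group = $g.Name; Via = $via }
            }
        }
    }
}

Get-DlOwnershipReport -Groups $Groups -Members $Members -User 'userB' |
    Format-Table -AutoSize
```

Reading every `ManagedBy` value from the export, rather than the single value shown when viewing the attribute in AD, is what lets the report cover DLs with more than one owner entry.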
