When EAC is used to create a role group, the Organization Management security group is added to the list of group managers along with the user who creates the group. Including Organization Management in the list of group managers ensures that anyone who works with the role group through EAC can update its properties or, when it is no longer required, delete the group. You can see this by running the Get-RoleGroup command. For instance:
Get-RoleGroup -Identity 'Help Desk Level 2' | Format-Table ManagedBy

ManagedBy
---------
{contoso.com/Microsoft Exchange Security Groups/Organization Management, contoso.com/Exchange users/Tony Redmond}
The entries listed here are known as role group managers. The Organization Management universal security group is listed here rather than the Organization Management role group because normal Windows permissions provide the foundation for RBAC, and the permission to change or delete a group can only be assigned to an object that can hold Windows security principals, such as a security group or a user account.
If a user who is not listed in the ManagedBy property tries to change the membership of a role group or delete the group, EAC signals the error shown in Figure 1.
The solution to the problem is to run the Set-RoleGroup command to update the ManagedBy property to include the Organization Management security group. Note that the -ManagedBy parameter replaces the whole list of managers, so any existing managers you want to keep must be passed again. For example, if John Smith is currently listed as the only manager of a role group, you can update the property as follows:
Set-RoleGroup -Identity 'My Role Group' -ManagedBy 'Organization Management', 'John Smith'
After running this command, any member of the Organization Management role group plus the user John Smith can manage the group.
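Because a role group created with the shell rather than EAC may end up with only its creator as manager, it is worth auditing all role groups rather than fixing them one at a time. The following script is an added example and is not taken from the text above. It assumes an Exchange Management Shell session in which Get-RoleGroup and Set-RoleGroup are available; the function name Repair-RoleGroupManagedBy and its parameter OrgManagementName are hypothetical. For each role group it reads ManagedBy, reports groups where Organization Management is absent and, unless -WhatIf is given, adds Organization Management while preserving the managers already listed, since -ManagedBy overwrites the list.

```powershell
# Added example, not the book's own code. Requires an Exchange Management Shell
# session (Get-RoleGroup / Set-RoleGroup). Function and parameter names are
# hypothetical and chosen for this illustration.
function Repair-RoleGroupManagedBy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Leaf name of the Organization Management USG as it appears in ManagedBy,
        # e.g. the last path element of
        # contoso.com/Microsoft Exchange Security Groups/Organization Management
        [string]$OrgManagementName = 'Organization Management'
    )

    foreach ($group in Get-RoleGroup) {
        # ManagedBy holds ADObjectId values; their string form is the canonical
        # name (domain/OU path/name), so compare on the trailing name element.
        $managers = @($group.ManagedBy | ForEach-Object { $_.ToString() })
        $hasOrgMgmt = $managers | Where-Object {
            $_ -eq $OrgManagementName -or $_ -like "*/$OrgManagementName"
        }

        if ($hasOrgMgmt) {
            Write-Verbose "$($group.Name): Organization Management already a manager"
            continue
        }

        Write-Warning ("{0}: Organization Management missing from ManagedBy (current: {1})" -f `
            $group.Name, ($managers -join ', '))

        # -ManagedBy replaces the whole list, so hand back the existing managers
        # together with Organization Management instead of just the new value.
        $newManagers = $managers + $OrgManagementName
        if ($PSCmdlet.ShouldProcess($group.Name, "Set-RoleGroup -ManagedBy $($newManagers -join ', ')")) {
            Set-RoleGroup -Identity $group.Identity -ManagedBy $newManagers
        }
    }
}

# Report only (no changes are made):
Repair-RoleGroupManagedBy -WhatIf -Verbose

# Apply the change once the report looks right:
# Repair-RoleGroupManagedBy
```

Run it first with -WhatIf so you can see which groups would change and what the resulting ManagedBy list would be before anything is written to Active Directory. A member of Organization Management who is not listed in ManagedBy can also use the -BypassSecurityGroupManagerCheck switch that Set-RoleGroup and Remove-RoleGroup accept to act on such a group from the shell, but adding Organization Management to ManagedBy as shown here is the fix that also makes the group manageable through EAC.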
If one of these members deletes the role group with EAC or by running the Remove-RoleGroup command, Exchange also removes the associated universal security group from Active Directory.