What's hard to wrap your mind around in MICROSOFT world is the whole disconnect between systems. In other words, it has fine-grain control. It can be connected but it isn't connected automatically by default.
So let's take this example of adding a group to AD & EAC:
- -create a group in ACTIVE DIRECTORY (AD) called TESTGROUP.
- -add people to a group.
- -go to the EXCHANGE ADMIN CENTER (EAC).
- -the group doesn't show.
If you try to add the group in the EAC, you get an error message: "Active Directory operation failed on" ... "already exists."
It's trying to tell you that you can't create the group in EAC because that group is already created in AD.
So let's add the AD GROUP so that it shows in the EAC GROUP:
- -go the AD USERS & COMPTUERS
- -double-click on the group-name-that-you-want-to-change.
- -bullet UNIVERSAL (rather than GLOBAL)
- -click OK
- -connect via POWERSHELL.
- -type: Enable-DistributionGroup -Identity "GROUP_NAME" -Alias "GROUP_ALIAS"
- -refresh the screen in the EAC and the group name will show.
Awesome! Good work.
Now when you try to make a change to the group you find that you can't change the settings for that group in EXCHANGE 2013. You get a message "You don't have sufficient permissions. This operation can only be performed by a manager of the group."
You can get around this by using the -BypassSecurityGroupManagerCheck option in the powershell and take ownership of it. Let me show you:
- -connect to via POWERSHELL.
- -type: Set-DistributionGroup -Identity testgroup -ManagedBy administrator -BypassSecurityGroupManagerCheck
This will add the ADMINISTRATOR as the OWNER of the TESTGROUP.