Consider the following scenario:
- In a hybrid environment, groups are synchronized from the on-premises environment to Microsoft Office 365.
- In the on-premises environment, you can set only one entry in the Managed by field of a group in the local Active Directory Domain Services (AD DS).
- Users who are group owners (and who are also synchronized from the local AD DS) and have their mailboxes in Office 365 use the Dsquery.exe tool to manage the groups, as per the recommended method in the following Microsoft Knowledge Base article:
2417592 Owners of an on-premises distribution group that's synced to Office 365 can't manage the distribution group in Exchange Online
In this scenario, users can't manage the groups.
This is default behavior because the local AD DS reads the permissions that are set on the local AD group. Because these users are not listed in the local AD permissions, they are unable to edit group membership.
To resolve this issue, you may have to assign owner permissions to more than one user. Although purely Office 365 groups can have multiple owners set, the hybrid setup requires additional action:
From the Exchange Management Shell, add permissions for the users who have to manage the groups:
Add-ADPermission -Identity "All Staff" -User UserName -AccessRights WriteProperty -Properties "Member"
For more information about this cmdlet, see Add-ADPermission.
You can use the following cmdlet to check permissions:
Get-ADPermission Contoso.com -User UserName
Note: If you receive an “Access Denied” error message when you run the Add-ADPermission cmdlet, follow the instructions in the following Microsoft Knowledge Base article:
2983209 Access denied when you try to give user "send-as" or "receive as" permission for a Distribution Group in Exchange Server 2010 or Exchange Server 2013
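
The following script is an added example, not part of the original article. It applies the same Add-ADPermission grant to several owners only where it is missing, then lists every explicit allow entry that can write the Member attribute so the delegation can be reviewed. The group name, the user names, and the helper function Get-MemberWriteAce are hypothetical values chosen for illustration.

```powershell
# Added example: run in the on-premises Exchange Management Shell.
# $Group and $Delegates are constructed sample values; replace them with your own.
$Group     = 'All Staff'
$Delegates = 'CONTOSO\alice', 'CONTOSO\bob'

# Hypothetical helper: returns allow ACEs that grant WriteProperty on "Member".
# Assumption: the Properties column renders the attribute name as "Member".
# Broader rights such as GenericAll are not matched by this filter.
function Get-MemberWriteAce {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$User
    )
    $params = @{ Identity = $Identity }
    if ($User) { $params.User = $User }

    Get-ADPermission @params | Where-Object {
        -not $_.Deny -and
        ("$($_.AccessRights)" -match 'WriteProperty') -and
        (($_.Properties | ForEach-Object { "$_" }) -contains 'Member')
    }
}

foreach ($user in $Delegates) {
    if (Get-MemberWriteAce -Identity $Group -User $user) {
        Write-Host "$user can already write Member on '$Group'; nothing to add."
        continue
    }
    # Same grant as the command in the article, applied one user at a time.
    Add-ADPermission -Identity $Group -User $user `
        -AccessRights WriteProperty -Properties 'Member' | Out-Null
    Write-Host "Granted WriteProperty on Member of '$Group' to $user."
}

# Review step: every explicit (non-inherited) principal that can edit membership.
Get-MemberWriteAce -Identity $Group |
    Where-Object { -not $_.IsInherited } |
    Select-Object Identity, User, AccessRights, Properties |
    Format-Table -AutoSize
```

Scoping the grant to WriteProperty on Member keeps the delegates limited to membership changes on that one group, and the final table shows anyone who holds the same right without being an intended owner.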