Owners of an on-premises distribution group that's synced to Office 365 can't manage the distribution group in Exchange Online


When an on-premises distribution group is synced to a Microsoft Office 365 organization through Active Directory synchronization, migrated users who are owners of the distribution group can't manage it in Microsoft Exchange Online. For example, a user may receive an error message that resembles the following:
The action '<cmdlet>', '<property>', can't be performed on the object '<name>' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization


Distribution groups that are created in Office 365 through directory synchronization must be managed in the on-premises environment. Distribution group owners must manage the group by using on-premises tools for Exchange Server such as the following:
  • Exchange Admin Center
  • Exchange Management Console
  • Exchange Management Shell
After changes are made to the group in the on-premises environment, the changes are synced to Office 365 the next time that directory synchronization runs. Or, to see the changes immediately, you can force directory syncronization. For more info about how to force directory synchronization, go to the following Microsoft website: We strongly recommend that you use native Exchange tools to manage distribution groups and mail-enabled security groups in your on-premises environment. For more info, go to the following Microsoft websites:


Currently, directory synchronization syncs the managedBy attribute of the distribution group. In this situation, the global address list (GAL) correctly displays the distribution group owner. However, this owner can't manage the distribution group because the access control list (ACL) for the group doesn't grant permissions to the owner.

Additional tools for managing distribution groups

There are additional on-premises tools that can be used to modify group membership.
  • Active Directory Users and Computers

    Admins can use Active Directory Users and Computers to modify group membership. For more info, go to the following Microsoft website:
  • Dsquery.exe

    Users can use the Dsquery.exe tool to manage group membership. To do this, users can create a desktop shortcut to the Dsquery.exe user interface and use this tool to update the distribution group. You must have the Remote Server Administration Tools (RSAT) installed on users' computers to use DSQuery.exe on a non-server version of Windows Vista Service Pack 1 (SP1) or a later version.

    For more info about how to install and enable RSAT, go to the following Microsoft website: To create the desktop shortcut to the Dsquery user interface, follow these steps:
    1. Right-click an area on the desktop, point to New, and then click Shortcut.
    2. Type the following in the box, and then click Next:
      C:\windows\system32\rundll32.exe dsquery,OpenQueryWindow
    3. Type a name for the shortcut, and then click Finish.
    After these steps are performed, the changes will appear in Office 365 after directory synchronization runs. Or, you can force directory synchronization to see the changes immediately.


For more info about troubleshooting managing distribution groups in Office 365, see the following Microsoft Knowledge Base article:
2731947 "You don't have sufficient permissions" error when you try to remove or make a change to a distribution group in Office 365

Still need help? Go to Microsoft Community.

Artikel-id: 2417592 – senaste granskning 16 dec. 2016 – revision: 1