16 August 2012

Check “Manager can update membership list” checkbox for AD groups

If you need to give a user permission to update active directory security or distribution group members you need to give the user write permission on the active directory group object;

This can be done using the Add-ADPermission cmdlet which is availbale only on exchange management shell (it is not included in ActiveDirectory module):

Add-ADPermission -Identity ‘AD_Group_Name’ -User ‘AD_Username’ -AccessRights WriteProperty -Properties “Member”


  1. This will not work since this command is trying to use the Exchange server computer account to perform the permission change, and the computer account does not have the required permissions.

    You should use dsacls.exe instead this way:

    dsacls.exe "CN=GroupName,CN=Users,DC=Domain,DC=Local" /G "domain\UserName:WP;member"

  2. I just tried it.. it works fine. When you run it in the Exchange Management Shell, it runs as the user account that opened the shell.