The action 'Update-DistributionGroupMember', 'Identity.Members', can't be performed on the object '<name>' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
-or-
Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on this object.
This happens because Outlook tries to update the same directory where the user's mailbox exists. If the mailbox is in Exchange Online this is the Exchange Online Directory Service (EXODS) directory, which syncs with Azure AD. Since EXODS is read-only in a hybrid environment using AAD Connect, the user receives the error.
The trick workaround is to use the dsquery management interface (formerly known as the Windows Address Book way back in the Windows 95 days) to manage the on-premises group. Users can create a desktop shortcut to the dsquery user interface and use it to update the on-prem distribution groups. Optionally, you can create a GPO that pushes this desktop shortcut out to all domain-joined computers' desktops.
To create the desktop shortcut to the dsquery user interface, follow these steps:
- Right-click an area on the desktop, point to New, and then click Shortcut.
- Type the following in the box, and then click Next:
%SYSTEMROOT%\System32\rundll32.exe dsquery,OpenQueryWindow
- Type a name for the shortcut, such as "Manage Distribution Groups", and then click Finish.
The shortcut allows users to search for the group, and then add and remove users or change the group's description for groups they manage.
It's important to note that the user's computer must be domain-joined and connected to the network for this to work because the changes are written to an on-prem domain controller. After group changes are made, they will appear in Office 365 after directory synchronization runs. Or, you can force directory synchronization to see the changes immediately.
Managing a Distribution Group using the dsquery UI |
It's important to note that the user's computer must be domain-joined and connected to the network for this to work because the changes are written to an on-prem domain controller. After group changes are made, they will appear in Office 365 after directory synchronization runs. Or, you can force directory synchronization to see the changes immediately.
No comments:
Post a Comment
Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.