Letting group owners manage synchronized DLs in single-tenant, multi-Exchange hybrid Office 365 scenarios


In single-tenant, multi-Exchange hybrid environments, the Office 365 design can leave synchronized groups non-editable by their 'owners' via Outlook, especially if you are not writing attributes back to the local ADs. In such environments, once a user is migrated to Exchange Online, group membership administration falls on the shoulders of the IT teams (Wintel/AD/Exchange/O365 etc.). It is not only inconvenient for the group owner, who struggles to manage his 'own' groups; it becomes a BIG headache for the IT teams, and it is one of those issues that can increase IT helpdesk tickets quite significantly. Losing control over their groups frustrates the group managers, who now have to depend on someone else to manage their groups after migrating to the cloud. They may even associate it with the overall Office 365 migration experience, and not for a good reason. The problem exists only for the synchronized DLs. Although the root cause is out of your hands, the problem is mostly rectifiable.

What can you do in such situations? You want to delegate group management to the owners but definitely don't want to give them any admin rights in Exchange. Below are a couple of suggestions; none of them is ideal, and each has its own merits and demerits:

1. Convert all groups to cloud-based groups. [Not Recommended]
2. Dedicate a resource to do it on the owner's behalf. [Better than the cloud-based option]
3. Have group owners edit the memberships directly in the AD via DSQuery:
%systemroot%\system32\rundll32.exe dsquery.dll,OpenQueryWindow [Better than the other two options, Recommended]

Cloud-based groups

Cloud accounts do not have this problem. Converting some groups to 'cloud only' complicates the environment because you can no longer keep AD as the single source of group creation and management (remember, we are talking about a no-write-back scenario). If you use some groups for more than just Exchange, e.g. for delegating special permissions in the local domain, you'll have a tough time keeping the two copies consistent (one on-prem and the other in the cloud) now that the cloud ones need to be updated manually or via a script.

Dedicate a resource

Dedicate a team of resources to manage groups on the owners' behalf. It is not ideal, but still better than managing cloud-based groups. It needs user education and awareness, and owners have to rely on the resource team for making changes. Some organizations simply add this extra work of managing groups to the existing teams.

Using DSQuery

DSquery is a built-in command-line tool for Active Directory. It was introduced with Windows Server 2003 but is still available on modern Windows computers and servers. If you want to find a user quickly in the local AD domain from the command prompt, you can use this utility on any domain-joined PC, even as a normal user. Of course, you can't change anything unless some permissions have been assigned to your account. But hey, the group managers do have permissions over their groups, right? Hell yes!

Using this utility, you can have the group owners edit the memberships directly in the AD, and the changes will sync up to Azure AD / O365 on the next AAD Connect synchronization cycle.

The utility is fairly easy to use, even for a non-IT person. Just enter the string I mention below in the Run dialog (Windows + R) or at the Command Prompt. Admins can save a .bat file on the group managers' Desktop to help them access it easily.

How to access it? Just open the Run window, enter the string below and press Enter:
%systemroot%\system32\rundll32.exe dsquery.dll,OpenQueryWindow


Caveat: the DSQuery utility works only when the manager's PC is in the corporate domain, or connected to it via VPN/DirectAccess.
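The whole DSQuery option rests on the group managers already holding the "Manager can update membership list" delegation on their groups. The following PowerShell audit, added here as an example and not part of the original post, checks that each synchronized group has a manager who holds exactly that right (WriteProperty on the 'member' attribute) and flags managers with broader rights. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the OU path is a placeholder.

```powershell
# Added example, not from the original post: confirm each group's manager holds
# the "Manager can update membership list" delegation and nothing broader.
# Assumes the ActiveDirectory RSAT module; the OU below is a placeholder.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute. The "Manager can update membership
# list" checkbox grants WriteProperty on exactly this attribute to the manager.
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllPropertiesGuid   = [Guid]'00000000-0000-0000-0000-000000000000'

function Test-ManagerMembershipDelegation {
    param([Parameter(Mandatory)][string]$GroupIdentity)

    $group  = Get-ADGroup -Identity $GroupIdentity -Properties managedBy
    $result = [pscustomobject]@{
        Group = $group.Name; Manager = $null; CanUpdateMembers = $false; HasBroaderRights = $false
    }
    if (-not $group.managedBy) { return $result }   # nobody to delegate to

    $result.Manager = $group.managedBy
    $managerSid = (Get-ADObject -Identity $group.managedBy -Properties objectSid).objectSid

    # Walk the group's DACL via the AD: drive the module exposes. Only ACEs granted
    # directly to the manager are considered; rights inherited through nested
    # group membership are out of scope for this check.
    $acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable trustee, cannot be our manager
        if ($aceSid.Value -ne $managerSid.Value) { continue }

        $writes = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
        if ($writes -and $ace.ObjectType -eq $MemberAttributeGuid) { $result.CanUpdateMembers = $true }
        # WriteProperty on all properties (also set by GenericWrite/GenericAll) is
        # more than the membership delegation this post relies on; flag it.
        if ($writes -and $ace.ObjectType -eq $AllPropertiesGuid) {
            $result.CanUpdateMembers = $true; $result.HasBroaderRights = $true
        }
    }
    return $result
}

# Report groups in the placeholder OU whose manager cannot edit membership,
# or holds more than the membership delegation.
Get-ADGroup -Filter * -SearchBase 'OU=DistributionGroups,DC=contoso,DC=com' |
    ForEach-Object { Test-ManagerMembershipDelegation -GroupIdentity $_.DistinguishedName } |
    Where-Object { -not $_.CanUpdateMembers -or $_.HasBroaderRights } |
    Format-Table -AutoSize
```

Groups listed without CanUpdateMembers are the ones whose managers will still open helpdesk tickets after you hand them DSQuery; groups flagged HasBroaderRights deserve a look at who delegated what.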

I understand all the options are only workarounds; some of you may already be aware of them.


I welcome you to write your comments here.