We have thousand's of DL's and want to allow owners to change membership with the ARS web interface. (we are on ver 6.9) We are in the process of moving to o365 and once a user's mailbox is moved to the cloud he cannot manage the on-prem group through Outlook. I have some users that have the add/remove option on the web page and others that do not.
Is there a template I can use for this? And how can I export all the ARS settings being applied to a user so I can compare a working vs non-working user?
The simplicity of delegating group management permissions depends on whether you have populated the ManagedBy AD attribute and/or the SecondaryOwners AR Virtual attribute on your groups. If these are in place, then you easily delegate group membership management using a built-in access template (Manage Group Membership) using the above mentioned built-in AR security principals as the Trustees. As far as comparing permissions between users, you need to consider two things: 1) Examining the delegations on the OUs containing your groups 2) Comparing the group memberships of the users in question and how they stack up against the groups delegated to manage groups As for an automated mechanism for performing the checks, Powershell would be your friend. For item 1, the Get-QARSAccessTemplate link cmdlet can help you audit the permissions. For the other, a simple script that can compare the group memberships between users will do the trick.