Working with a client this week, one of the team showed me something interesting.
On Exchange Distribution groups, it is possible to apply multiple values to the ManagedBy attribute.
Whoa, whoa JohnnyQuest! The native tool GUIs don’t support that nor do the Active Roles interfaces.
How then? The Exchange cmdlet Set-DistributioGroup has a -ManagedBy switch and you can use syntax like @{Add=$NewManagedByPerson} with it to append to ManagedBy.
And no, you can’t see these additional users in the GUI.
The whole thing didn’t sit well with me so I looked up ManagedBy’s definition in the AD schema and it’s a single value property.
So, I asked Uncle Google for its opinion.
Came across an article that references a property called msExchCoManagedByLink.
Since we know that ManagedBy is single valued, there is magic that happens behind the scenes when we append additional values to it using Set-DistributionGroup. These additional owners are written to ‘msExchCoManagedByLink’.
Then, later, if you interrogate the ManagedBy attribute using an Exchange PoSh cmdlet, it combines the native ManagedBy with the above multi-valued attribute.
OK JohnnyQuest, this all very interesting in a nerdy sort of way but what does this have to do with Active Roles?
Through experimentation, I now know that Active Roles doesn’t understand multi-values in ManagedBy per se. BUT, interestingly enough, it does seem to use ‘msExchCoManagedByLink’ to store values placed in edsvaSecondaryOwners natively in AD…at least on Distribution Groups.