I recently went through another migration. One of the post-migration tasks was to fix the permission to update lists. The “ManagedBy” attribute had been copied across, but not the security descriptor from the group.

This short PowerShell script can be run from the Exchange Management Shell to grab the value from ManagedBy and write it back to the security descriptor. It’s a little messy, especially as there’s no way to check at the AD level whether the box is ticked except by the security descriptor.

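# Find mail-enabled groups that have a manager set
function Get-Groups {
    $domainSearcher = New-Object DirectoryServices.DirectorySearcher
    $domainSearcher.Filter = "(&(objectClass=group)(mail=*)(managedBy=*))"
    $null = $domainSearcher.PropertiesToLoad.Add("managedby")
    $null = $domainSearcher.PropertiesToLoad.Add("name")
    # Cast the single-valued result collections to plain strings
    $domainSearcher.FindAll() | Select-Object @{n="GroupName";e={ [string]$_.Properties.name }},
                                              @{n="ManagedBy";e={ [string]$_.Properties.managedby }}
}

# Grant each group's manager the right to write the "member" attribute
Get-Groups | ForEach-Object {
    Add-ADPermission -Identity $_.GroupName -User $_.ManagedBy -AccessRights WriteProperty -Properties "member"
}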
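
Since the security descriptor is the only place to see whether the manager can update membership, the check below looks for the explicit ACE that grants it: Allow, WriteProperty, scoped to the "member" attribute, for the manager's SID. This is an added example, not part of the original script; the function name, both SIDs and the SDDL string are constructed for illustration so the block runs without a domain.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# schemaIDGUID of the AD "member" attribute
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Hypothetical helper: true if $ManagerSid holds an explicit write-member ACE in $Acl
function Test-ManagerCanUpdateMembers {
    param(
        [Parameter(Mandatory=$true)] [DirectoryServices.ActiveDirectorySecurity] $Acl,
        [Parameter(Mandatory=$true)] [Security.Principal.SecurityIdentifier] $ManagerSid
    )
    $write = [int][DirectoryServices.ActiveDirectoryRights]::WriteProperty
    # Explicit (non-inherited) ACEs only, with identities returned as SIDs
    $rules = $Acl.GetAccessRules($true, $false, [Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $isAllow   = $rule.AccessControlType -eq [Security.AccessControl.AccessControlType]::Allow
        $isManager = $rule.IdentityReference.Value -eq $ManagerSid.Value
        $canWrite  = ([int]$rule.ActiveDirectoryRights -band $write) -ne 0
        $isMember  = $rule.ObjectType -eq $MemberAttributeGuid
        if ($isAllow -and $isManager -and $canWrite -and $isMember) { return $true }
    }
    return $false
}

# Constructed sample data: two made-up SIDs and a DACL with one object ACE
$manager = [Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1104'
$other   = [Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sddl    = "D:(OA;;WP;$MemberAttributeGuid;;$manager)"

$acl = New-Object DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sddl)

Test-ManagerCanUpdateMembers -Acl $acl -ManagerSid $manager
Test-ManagerCanUpdateMembers -Acl $acl -ManagerSid $other

# Against a live group, read the descriptor instead of building one:
#   $acl = ([ADSI]"LDAP://<group distinguished name>").psbase.ObjectSecurity
```

The check only counts a direct ACE on the member attribute; write access the manager holds through group membership, or through an ACE with no object type (all properties), is not reported.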