So we have issues where, after updating our AD schema to 2010, the child domains that are part of our discontiguous name space (not disjointed) cannot manage group memberships for groups that they own from within Outlook (multiple versions). DL managers keep getting the error "Changes to the distribution list membership cannot be saved. you do not have sufficient permissions to perform this operation on this object". We haven't upgraded any but a few clients to Exchange 2010 yet; none of the users having this issue are on Exchange 2010 yet. My thought is that some default behavioral changes occurred within AD which are affecting our Exchange 2007 users.
I'm familiar with the following articles regarding changes in Exchange 2010:
http://blogs.technet.com/b/exchange/archive/2011/05/04/how-to-manage-groups-with-groups-in-exchange-2010.aspx
http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx
However, neither article can explain why this would not be an issue in the child domains that contain Exchange, but is an issue in child domains that are part of our discontiguous name space. We also have a semi-disjointed name space because the NetBIOS domain name of the domain is not the same as the domain DNS prefix. I say semi-disjointed as the AD team tells me it's not, but according to the Exchange articles it is. I won't go into how it all got this way because it's all political and happened before I took over as EA for our company. Also, I have confirmed that there are global catalogs at the sites where these users are having issues.
Here is a representation of our forest:
Root forest domain: companyname.com (WINS Name:co)
Child domain 1: corp.companyname.com (WINS Name:co-corp)
Child domain 2: prod.companyname.com (WINS Name:co-prod)
Discontiguous name space domains:
Parent Domain: othercompanyname.com (WINS Name:othercompanyname)
Child domain 1: us.othercompanyname.com (WINS Name:us)
Child domain 2: uk.othercompanyname.com (WINS Name:uk)
Any thoughts?