I was going to use managedBy and Secondary owners to allow some delegated Exchange management. If you add users to secondary owners, it grants native read/write membership to manage through Outlook for mail-enabled groups, and a side benefit is that it delegates the users read/write membership in ARS. The issue is, for the last user listed, if you clear the attribute without first unchecking "Secondary owners can update membership list" and clicking Apply, then clearing the Secondary Owners, the native security permission stays.
I was thinking about using a policy script to work around this issue by determining if they are clearing edsvaSecondaryOwners and, if so, on Pre-Modify clearing edsvaSecondaryOwnersCanUpdateMembershipList first.
Has anyone noticed this issue in 6.7 or 6.8 and worked around it?