How to change a UDG to a USG in Exchange 2010


 

Hmm how hard can it be … Right?

Isn't is as easy as opening ADUC and changing the Group type from Distribution to Security?

Actually this not as straightforward as you might think. There is one step in this procedure that

can be easy to miss, resulting in a failure to apply the new Security group to an Exchange object.

 

If you want to skip the explanation, jump directly to the Solution section at the bottom of this blog entry.

 

Explanation

Allow me to demonstrate the problem.

So we have a group named Sales with the Recipient Type Details Mail Universal Distribution Group.

image

Now since we do not have any option within the Exchange Management Console or Powershell, to
change the Group type from Distribution to Security we need to use Active Directory users and computers.

We open ADUC and take properties of  the Group Sales, then we change the Group type from Distribution to Security.

image

Checking back in EMC we can see that the Recipient Type Details has been updated.
We have a Mail Universal Security Group instead of a Mail Universal Distribution Group.

image

Now, let’s use this group to set permissions.

Start Outlook and add the group Sales with permissions to my Calendar folder.

  image   

Add the Sales group to the Calendar folder and press ok.

image 
One or more users cannot be added to the folder access list. Non-Local users cannot be given rights on this server.

Did you notice the Deny circle sign on the sales group?

 image 

You may receive an error message in Outlook 2007 when you try to set permissions for a distribution group on a mailbox folder in Exchange Server 2007
http://support.microsoft.com/kb/941318

Workaround suggested by KB:

To work around this issue, create security groups instead of distribution groups. Then, set folder permissions or set delegate permissions for the security groups.

 

Didn't we just change the Group type from Distribution to Security?

 

Let’s demonstrate another problem we would have with this Sales group.

 

Let’s say we want to add this Sales group with permission to a Public Folder using ExFolders.

For those of you that do not know Exfolders, information about this tool is provided here.

Exchange, meet ExFolders
http://msexchangeteam.com/archive/2009/12/04/453399.aspx

So we start ExFolders.

We select my Public Folder named Support

Right click and select Folder permissions.

image

image

Press Add and type Sales

Press Search

we get the Selected user ‘CN=Sales,CN=Users,DN=repro,DC=com’
( Well it’s a group but the UI does not update this )

When we press OK to add this Sales group to the ACL we get the following result.

image  
An Error occured. Exception: Cannot use Sales as security principal Parameter name: securityPrincipal

 

Hmm. OK let’s check the SecurityPrincipal  on the group Sales

image

The RecipientTypeDetails shows MailUniversalSecurityGroup, which is correct! But still we are unable to use this group.

Conclusion

So, just using ADUC to change the group type is not enough.

I found the following information provided by the Romanian Exchange team.

Automatic Conversion of UDG in USG in Exchange 2007
http://blogs.technet.com/b/ehlro/archive/2010/05/11/automatic-converison-of-udg-in-usg-in-exchange-2007.aspx

In the process of manual conversion of an UDG to USG, please pay attention of a strange behavior that takes place, for each converted group: because of the manual conversion handling, the „msExchRecipientDisplayType“Attribute is not updated as expected in AD. As a consquence already converted UDG in USG are still showed (displayed) with a red Deny circle sign. Outlook 2007 will not be able to use those groups any further, although they are now the right USG, after conversion. In other words, in Outlook GAL, when you try again to assign permission for the required UDG, already manually converted to USG, those are displayed with the red deny sign. Fortunately there is a way to overcome this: just open Exchange Management Shell and for the converted USG run the following cmdlet ("set-distributiongroup") to update the attribute accordingly. You don’t have to specify any parameter, just the ID one.

For example: Set-DistributionGroup –id:Test1Group

Now you will be able to use those groups for assigning Outlook permissions. Of course don’t forget about AD replication and OAB generation in order to see the updated status of those groups.

 

So i brought up Exchange powershell again on my Exchange 2010 server.

Running the following command:  Set-DistributionGroup –identity Sales

image

Members can’t remove themselves from security groups. Please set the group to Closed for requests to leave.

Set-Distributiongroup–identity Sales –MemberDepartRestriction Closed

After running the above powershell command, I am able to use this Sales group in Outlook and Exfolders to assign proper permission to Exchange objects without any issues.

 

Solution

Exchange 2010

Open ADUC and change the Group Type for your group from Distribution to Security.

Start Exchange Powershell and run the following command:  

Set-Distributiongroup–identity <DistributionGroupIdParameter> –MemberDepartRestriction Closed


Exchange 2007

Open ADUC and change the Group Type for your group from Distribution to Security.

Start Exchange Powershell and run the following command:  

Set-Distributiongroup–identity <DistributionGroupIdParameter>

Comments (11)

  1. Ange says:

    Hey nice work on the article Peter!  It would be nice if they could link this blog from the article site (Article 941318) as I had exactly the same issue as above.  Cheers!  :o)

  2. Rob says:

    Thanks for this article, it helped out a lot.  One typo I noticed in your command

    Set-Distributiongroup–identity <DistributionGroupIdParameter> –MemberDepartRestriction Closed

    There needs to be a space after "Set-Distributiongroup".  I tried copying and pasting your command and only changing the name of my specific group and it failed.  It worked successfully after adding the space.

    Thanks

  3. Sachin Raj says:

    How can I change a Distribution list to Security Group using "Only Exchange Management shell"

    -sachin

  4. Gene Laisne says:

    Just like to take a moment to let you know that this blog posting has saved me on several occasions! Thanks for taking the time to write it.

    –Gene

  5. Timo says:

    Great article! Thanks!

  6. Smadeti says:

    Excellent Peter…. Thank you ! You saved my day.

  7. Apoc70 says:

    Thanks. You still need to know the legacy stuff.

  8. Christian says:

    There might be one step missing for Exchange 2013:

    Make sure you have set the MemberJoinRestriction of your Distribution Group to closed before converting it to a Security Group using the following PowerShell Command:

    Set-Distributiongroup–identity <DistributionGroupIdParameter> –MemberJoinRestriction Closed

    Afterwards I was able to convert the Distribution Group to a Security Group and use it to assign proper permission to Exchange objects.

    See also:

    social.technet.microsoft.com/…/mailbox-permission-dl-and-security-group-red-cross

  9. Krishna says:

    Thanks a lot..!!  

    Is there a way to convert Mail-Enabled Security groups to Distribution groups? I would need a script or one-liner please?

    Thanks in advance.

  10. Jackie says:

    THANK YOU! Changing membership leaving to "closed" fixed it for me.

  11. CV says:

    Thanks for the blog, it helped me resolve an issue at work! Once I removed the space as indicated above, it worked perfectly. -Set-Distributiongroup -identity Tic"&"Tac -MemberDepartRestriction Closed.

    As indicated in the "TicTac" name example above, I also discovered that if your security group has a ampersand in the name, you have to put quotes around the ampersand, example Tic"&"Tac. You post is very much appreciated.  

Skip to main content