How to change a UDG to a USG in Exchange 2010

 

Hmm how hard can it be … Right?

Isn't it as easy as opening ADUC and changing the group type from Distribution to Security?

Actually, it is not as straightforward as you might think. There is one step in this procedure that

is easy to miss, and if you skip it the converted security group cannot be used to grant permissions on Exchange objects.

 

If you want to skip the explanation, jump directly to the Solution section at the bottom of this blog entry.

 

Explanation

Allow me to demonstrate the problem.

So we have a group named Sales with the Recipient Type Details Mail Universal Distribution Group.


Since neither the Exchange Management Console nor the Exchange Management Shell offers an option to
change the group type from Distribution to Security, we have to use Active Directory Users and Computers.

We open ADUC, open the properties of the group Sales and change the Group type from Distribution to Security.


Checking back in EMC we can see that the Recipient Type Details has been updated.
We have a Mail Universal Security Group instead of a Mail Universal Distribution Group.


Now, let's use this group to set permissions.

Start Outlook, open the permissions of the Calendar folder, add the group Sales and press OK. Outlook refuses with the following error:

One or more users cannot be added to the folder access list. Non-Local users cannot be given rights on this server.

Did you notice the red Deny circle on the Sales group in the address book?

You may receive an error message in Outlook 2007 when you try to set permissions for a distribution group on a mailbox folder in Exchange Server 2007
https://support.microsoft.com/kb/941318

Workaround suggested by the KB article:

To work around this issue, create security groups instead of distribution groups. Then, set folder permissions or set delegate permissions for the security groups.

 

Didn't we just change the Group type from Distribution to Security?

 

Let’s demonstrate another problem we would have with this Sales group.

 

Let's say we want to grant this Sales group permission on a public folder using ExFolders.

For those of you who do not know ExFolders, information about this tool is provided here.

Exchange, meet ExFolders
https://msexchangeteam.com/archive/2009/12/04/453399.aspx

So we start ExFolders, select the public folder named Support, right-click it and choose Folder permissions.

Press Add, type Sales and press Search.

The dialog reports the selected user as ‘CN=Sales,CN=Users,DC=repro,DC=com’
(it is a group, but the UI label does not change).

When we press OK to add the Sales group to the ACL we get the following result:

An Error occurred. Exception: Cannot use Sales as security principal Parameter name: securityPrincipal

 

Hmm. OK, let's check the recipient type of the group Sales, since that is what decides whether Exchange accepts it as a security principal.

The RecipientTypeDetails shows MailUniversalSecurityGroup, which is correct! But we are still unable to use this group.

Conclusion

So, just using ADUC to change the group type is not enough.

I found the following information provided by the Romanian Exchange team.

Automatic Conversion of UDG in USG in Exchange 2007
https://blogs.technet.com/b/ehlro/archive/2010/05/11/automatic-converison-of-udg-in-usg-in-exchange-2007.aspx

In the process of manual conversion of a UDG to a USG, please pay attention to a strange behavior that takes place for each converted group: because of the manual conversion handling, the „msExchRecipientDisplayType“ attribute is not updated as expected in AD. As a consequence, UDGs already converted to USGs are still shown (displayed) with a red Deny circle sign. Outlook 2007 will not be able to use those groups any further, although they are now the right USG after conversion. In other words, in the Outlook GAL, when you try again to assign permission for the required UDG, already manually converted to a USG, those are displayed with the red deny sign. Fortunately there is a way to overcome this: just open the Exchange Management Shell and for the converted USG run the following cmdlet ("Set-DistributionGroup") to update the attribute accordingly. You don’t have to specify any parameter, just the ID one.

For example: Set-DistributionGroup -id:Test1Group

Now you will be able to use those groups for assigning Outlook permissions. Of course don’t forget about AD replication and OAB generation in order to see the updated status of those groups.

 

So I opened the Exchange Management Shell again on my Exchange 2010 server and ran the following command:

Set-DistributionGroup -Identity Sales

This fails with:

Members can’t remove themselves from security groups. Please set the group to Closed for requests to leave.

The reason is that a distribution group carries MemberDepartRestriction Open by default, and Exchange 2010 does not allow that value on a security group. After the ADUC change the object is in exactly that inconsistent state, so the cmdlet rejects it until the restriction is set to Closed in the same call:

Set-DistributionGroup -Identity Sales -MemberDepartRestriction Closed

After running the above command, which also rewrites msExchRecipientDisplayType, I am able to use the Sales group in Outlook and ExFolders to assign permissions to Exchange objects without any issues.

 

Solution

Exchange 2010

Open ADUC and change the Group Type for your group from Distribution to Security.

Start the Exchange Management Shell and run the following command:

Set-DistributionGroup -Identity <DistributionGroupIdParameter> -MemberDepartRestriction Closed

Exchange 2007

Open ADUC and change the Group Type for your group from Distribution to Security.

Start the Exchange Management Shell and run the following command:

Set-DistributionGroup -Identity <DistributionGroupIdParameter>

Two things to keep in mind in both versions. Make the ADUC change and the Set-DistributionGroup call against the same domain controller (the cmdlet has a -DomainController parameter), or wait for AD replication in between; otherwise the cmdlet may still see the old group type. And after the conversion the group is a security principal, so every current member receives whatever rights you later grant it, which makes this a good moment to review the membership.
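The complete Exchange 2010 procedure as a script, added here as an example; it is not code from the original post or from Microsoft. It does in the Exchange Management Shell what the two Solution steps do by hand: it sets the security-enabled bit of groupType via ADSI (the same change ADUC makes), runs Set-DistributionGroup with MemberDepartRestriction Closed, and then reads msExchRecipientDisplayType back from AD to confirm that the attribute the quoted post talks about was actually rewritten. The group name 'Sales', the function names and the numeric constants (groupType flag 0x80000000, msExchRecipientDisplayType 1 for a mail universal distribution group and 1073741833 for an ACL-capable mail universal security group) are assumptions of this example, not values stated in the post.

```powershell
# Added example, not code from the original post. Converts a mail-enabled
# Universal Distribution Group to a Universal Security Group from the
# Exchange 2010 Management Shell and verifies the attribute that an
# ADUC-only conversion leaves stale (msExchRecipientDisplayType).
# Assumptions: run in the EMS as a user allowed to modify the group; the
# group name 'Sales' is a placeholder; the constants below are the AD
# groupType flag and the Exchange recipient display type values.

$GROUP_TYPE_SECURITY_ENABLED = -2147483648   # 0x80000000, security-enabled bit of groupType
$DISPLAYTYPE_DISTRIBUTION    = 1             # MailUniversalDistributionGroup
$DISPLAYTYPE_ACL_SECURITY    = 1073741833    # 0x40000009, ACL-capable MailUniversalSecurityGroup

function Get-GroupConversionState {
    # Read what Exchange believes (RecipientTypeDetails) and the raw AD
    # attributes side by side, because they disagree after an ADUC-only change.
    param([string]$Identity)
    $group = Get-DistributionGroup -Identity $Identity -ErrorAction Stop
    $ad    = [ADSI]("LDAP://" + $group.DistinguishedName)
    $groupType   = [int]$ad.groupType.Value
    $displayType = [int]$ad.msExchRecipientDisplayType.Value   # 0 if the attribute is absent
    New-Object PSObject -Property @{
        Name                    = $group.Name
        RecipientTypeDetails    = [string]$group.RecipientTypeDetails
        GroupType               = $groupType
        IsSecurityEnabled       = (($groupType -band $GROUP_TYPE_SECURITY_ENABLED) -ne 0)
        DisplayType             = $displayType
        AclCapable              = ($displayType -eq $DISPLAYTYPE_ACL_SECURITY)
        MemberDepartRestriction = [string]$group.MemberDepartRestriction
    }
}

function Convert-DistributionGroupToSecurityGroup {
    param([string]$Identity)

    $before = Get-GroupConversionState -Identity $Identity
    if (-not $before.IsSecurityEnabled) {
        # Least-privilege check: every current member inherits whatever rights
        # are granted to the group once it is a security principal.
        $members = Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited
        Write-Host ("Converting '{0}' ({1} members) to a security group" -f $before.Name, @($members).Count)

        # Step 1, the same change ADUC makes: set the security-enabled bit on
        # groupType. The Universal scope bit (0x8) is left as it is.
        $ad = [ADSI]("LDAP://" + (Get-DistributionGroup -Identity $Identity).DistinguishedName)
        $ad.Put('groupType', ($before.GroupType -bor $GROUP_TYPE_SECURITY_ENABLED))
        $ad.SetInfo()
    }

    # Step 2, the step that is easy to miss: Set-DistributionGroup rewrites
    # msExchRecipientDisplayType, but Exchange 2010 refuses to save a security
    # group whose MemberDepartRestriction is still Open (the distribution
    # group default), so Closed is set in the same call.
    Set-DistributionGroup -Identity $Identity -MemberDepartRestriction Closed

    $after = Get-GroupConversionState -Identity $Identity
    if (-not $after.AclCapable) {
        Write-Warning ("msExchRecipientDisplayType is {0}, expected {1}; the group will still show the Deny sign in Outlook" -f $after.DisplayType, $DISPLAYTYPE_ACL_SECURITY)
    }
    $after
}

Convert-DistributionGroupToSecurityGroup -Identity 'Sales' | Format-List
```

The ADSI write and the Exchange cmdlets may talk to different domain controllers; if the cmdlet reports the old group type, add -DomainController to the Get-/Set-DistributionGroup calls so everything goes through the same DC, or wait for replication before step 2. The OAB still needs to be regenerated before cached-mode Outlook clients stop showing the Deny sign.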