Dynamic AD Security Groups (a la Exchange)

Has the Active Directory team ever thought of making Dynamic AD Security groups like the ones in Exchange? I think it would be a good idea for the release or the next version.

In Exchange 2013, the only groups that you can enable for mail distribution (using Exchange Management Shell - Enable-DistributionGroup cmdlet) must be configured as Universal group. They can be created in Active Directory as a security group or distribution group, but scope must be set to universal.
Then use http://technet.microsoft.com/en-us/library/aa998916(v=exchg.150).aspx to allow it to receive email from Exchange 2013 recipients. Once you run the Enable-DistributionGroup against that group, all of the appropriate fields should be automatically added to the group.

Similar Messages

  • Using domain security groups in exchange security groups for Office 365

    Hi
    Is there a way to use O365 domain security groups in O365 exchange security groups. This can be done between O365 domain security groups and O365 SharePoint groups.
    BR // Ille

    Sorry I missed your reply.
    I don't believe there is a way to do this yet, security groups used within exchange need to be mail-enabled security groups, these can't then be edited from the office365 portal, just the Exchange administrative centre portal.
    It looks like you currently still need to keep these separate.
    If you use DirSync and sync from your own domain then it is possible, since you manage the groups from your AD rather than Office365, but currently just in o365 there doesn't appear to be a way to do this.
    Regards,
    Denis Cooper
    MCITP EA - MCT
    Help keep the forums tidy, if this has helped please mark it as an answer
    Blog: http://www.windows-support.co.uk 

  • Dynamic Distribution Groups - Message Delivery Restrict to Security Group

    Hi,
    I have created a dynamic distribution group and want to restrict mail delivery to only accept messages from members of a security group.  How do I achieve this?
    The idea is the DDG's are set with their criteria and if anyone leaves/joins the relevant SG then they will have permission to send to those DDG's.
    Thanks in advance.

    Hi,
    In Exchange Management Console it is very simple to provide the access. Please follow the steps.
    1. Open the Exchange Management Console (EMC)
    2. Locate the distribution list.
    3. Right-click on it and select Properties
    4. Open the Mail Flow Settings tab
    5. Select Message Delivery Restrictions
    6. Then select the option only senders in the following list and add the DL that you would like to provide access to send email to that group.
    Thanks & Regards S.Nithyanandham

  • Exchange 2010 Unable to Assign Full Access Permissions using a Security Group

    I've been running into this issue lately.  I cannot seem to use groups to allow full access to mailboxes.  When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...".  After waiting a day and even restarting the Information Store service, the permissions do not take effect.  When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
    When I grant a user full permission, it works and updates the attribute.  However, on occasion when I revoke the full access permission for a user it doesn't always remove that user from the msExchDelegateListLink attribute.  So the mailbox will still appear in Outlook, but the user isn't able to see new emails.
    Any ideas on what may be going wrong?
    Environment:
    Exchange Server 2010 SP1 Standard
    Windows Server 2008 R2 Standard
    Outlook 2010 SP1 (tried without SP1 as well)
    I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups.  Is this not possible?

    I never got a proper fix.
    I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
    Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
    1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
    2. New members of groups are added to FULL Access Permissions
    3. Members removed from the groups are removed from FULL access permissions
    4. Automapping works :)
    5. Maintains a log of access added / removed / time taken etc.
    Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environment first, don't complain to me if it wipes out a load of access for you or something like that!
    It takes about 5 minutes to run in my environment. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
    # Mailbox Permissions Setter for Exchange #
    # v1.1 #
    # This script will loop through all mailboxes in Exchange and find any where #
    # the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
    # and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
    # This script will add any members of these ACLs directly to the Full Access Permissions #
    # of the mailbox and also remove them if they no longer need the access. #
    # Script created by Jon Read, Technical Administration
    # Recent Changes
    # 15/11/2012
    # 1.1 Added exclusions for ACLs that we don't want automapping to happen for
    # 12/11/2012
    # 1.0 Initial script
    #Do not change these values
    Add-PSSnapin *Ex*
    $starttime = Get-Date
    $logfile = "C:\accesslog.txt"
    $logfile2 = "C:\accesslog2.txt"
    $totaladditionstomailboxes = 0
    $totalremovalsfrommailboxes = 0
    $totalmailboxesprocessed = 0
    $totalmailboxesskipped = 0
    # Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
    # we don't want FULL access mapping to happen. Separate array values with commas
    $ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "#----------------------------------------------------------------#" >> $logfile
    Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
    Write-Output "# v1.1 #" >> $logfile
    Write-Output "#----------------------------------------------------------------#" >> $logfile
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-output "Start time $starttime ">> $logfile
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    # Set preferred DCs and GCs
    $preferredDC = "preferredDC.domain"
    $preferredGC = "preferredGC.domain"
    Write-Output " PreferredDC = $preferredDC ">> $logfile
    Write-Output " PreferredGC = $preferredGC " >> $logfile
    Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
    # The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
    # Check for all mailboxes where the type is SHARED. These are the only ones we would
    # want to apply group mailbox permissions to.
    foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"}) {
        $totalmailboxesprocessed = $totalmailboxesprocessed + 1
        Write-Output " " >> $logfile
        Write-Output " " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        $mailbox=$mailbox.ExchangeGuid.ToString()
        # For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
        # We then need it to be turned into a string to use later.
        #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
        $changes = 0
        foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" }) {
            $skipACL = 0
            #Get the distribution group and put the name in a useable format
            $distributiongroup=$distributiongroup.user.tostring()
            Write-Output "Found ACL $distributiongroup" >> $logfile
            # Check if this distribution group needs to be excluded and if it shouldn't be processed
            # then move onto the next ACL. This will stop FULL access being granted if the mailbox is
            # used for a non-standard purpose. See the start of this script
            # for where these are excluded (ExcludedACLArray)
            foreach ($ACL in $ExcludedACLArray ) {
                if ($distributiongroup -eq $ACL) {
                    $skipACL = 1
                    Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
                    $totalmailboxesskipped = $totalmailboxesskipped + 1
                }
            }
            if ($skipACL -eq 0) {
                # Get each user in this group and for each of them, try to add them to full access permissions.
                foreach ($user in Get-DistributionGroupMember -identity $distributiongroup) {
                    # Get the user to try, convert to DOMAIN\USER to use shortly
                    $user="DOMAIN\" + $user.alias.ToString()
                    # Check to see if the user we have chosen from the ACL group already exists in the full access
                    # permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
                    # Set $userexists to 0 as the default
                    $userexists = 0
                    foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission) {
                        # See if the user exists in the mailbox access list.
                        # Change $fullaccessuser to a useable string (matching $user)
                        $fullaccessuser=$fullaccessuser.user.tostring()
                        if ($fullaccessuser -eq $user) {
                            $userexists=1
                            # Break out of foreach if the user exists so we don't unnecessarily loop
                            break
                        }
                    }
                    # Now we know if the user needs to be added or not, so run code (if needed) to add
                    # the user to full access permissions
                    if ($userexists -eq 0) {
                        Add-MailboxPermission $mailbox -user $user -accessrights "FullAccess"
                        Write-Output "Added $user " >> $logfile
                        $changes = 1
                        $totaladditionstomailboxes = $totaladditionstomailboxes + 1
                    }
                    #Now repeat for other users in the ACL
                }
            }
        }
        #if changes were 0, then log that no changes were made
        if ($changes -eq 0) {
            Write-Output "No changes were made." >> $logfile
        }
    }
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "---------------------------------------------------------------------------------" >> $logfile
    Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
    Write-Output "---------------------------------------------------------------------------------" >> $logfile
    Write-Output " " >> $logfile
    # The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
    ## Check for all mailboxes where the type is SHARED. These are the only ones we would
    ## want to apply group mailbox permissions to.
    foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"}) {
        Write-Output " " >> $logfile
        Write-Output " " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        $mailbox=$mailbox.ExchangeGuid.ToString()
        #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
        $changes = 0
        # For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
        # check if they exist in the ACL
        foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" }) {
            # Get the security identifier (SSID) of the FULLACCESS user to store for later.
            $fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
            $fullaccessuser=$fullaccessuser.User.ToString()
            #If user needs to be excluded then skip this bit
            #Users added or removed will only start with 07 (07$, 07T), so only run if the user starts with this.
            #This stops it trying to remove NT AUTHORITY\SELF and other System entries
            if ($fullaccessuser -like "DOMAIN\07*") {
                # Set $userexists to be 0. if we find the user needs to remain, then change it to 1.
                $userexists=0
                # Check if this user exists in the ACL, if not, remove.
                foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" }) {
                    $distributiongroup=$distributiongroup.user.tostring()
                    #Write-Output "Found associated distribution group $distributiongroup" >> $logfile
                    # Get each user in this group and for each of them, See if it matches the user in the mailbox.
                    foreach ($user in Get-DistributionGroupMember -identity $distributiongroup) {
                        # Get the user to try, convert to DOMAIN\USER to use shortly
                        $userguid = $user.Guid.ToString()
                        $user="DOMAIN\" + $user.alias.ToString()
                        if ($fullaccessuser -eq $user) {
                            $userexists=1
                            #we have found the user exists so no need to continue
                            break
                        }
                    }
                }
                # If userexists = 0, then they are NOT in the ACL, and should be removed from
                # the full access permissions. Run the code to remove them from full access.
                #CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
                if ($userexists -eq 0) {
                    Remove-MailboxPermission -Identity $mailbox -user $fullaccessuserSSID -accessrights "FullAccess" -Confirm:$false
                    Write-Output "Removed $fullaccessuser " >> $logfile
                    $changes = 1
                    $totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
                }
            }
        }
        # if changes = 0, no changes were made to this mailbox, so log this fact.
        if ($changes -eq 0) {
            Write-Output "No changes were made." >> $logfile
        }
    }
    #Put the time in a displayable format
    $endtime = Get-Date
    $runtime = $endtime - $starttime
    $runtime = $runtime.ToString()
    $runtime1 = $runtime.split(".")
    $totaltime = $runtime1[0]
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
    Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
    Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
    Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
    Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
    Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
    Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
    Write-output "| Start time : $starttime ">> $logfile
    Write-output "| End time : $endtime ">> $logfile
    Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
    Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
    Write-Output " " >> $logfile

  • How to create a security group to manage a Distribution list in exchange 2013

    Hi folks,
    We have AD synced with Online Exchange 2013. Dirsync is installed on AD. We would like to create a security group for a Distribution list (for instance: distribution list name is [email protected] and it is managed via a security group named "abc").
    How can this be achieved? I do see an option under Online Exchange console using browser-> Groups to create a new security group but it doesn't allow me to add the group created in AD; instead it asks us to create a new one. If we create a new one in Exchange online console, will it publish to our local AD?

    Hi TR,
    Thank you for your question.
    Are there any errors when we could not add group which is in local AD?
    When we could not add group which was created In AD, there are following options we could check:
    If current user who logon Exchange server has enough permission to add it
    The connection between Exchange server and AD
    If we create a new DG in Exchange online, it will be published to local AD.
    We could run the following command to create DG for abc.com:
    New-DistributionGroup -Name "abc" -Alias abc -Type "Security" -MemberJoinRestriction open
    We could refer to the following link to learn more about distribution group:
    https://technet.microsoft.com/en-us/library/bb124513%28v=exchg.150%29.aspx
    If there are any questions regarding this issue, please be free to let me know. 
    Best Regard,
    Jim
    Jim Xu
    TechNet Community Support

  • How to export "Managed by" field of Distribution and Security groups and import with new values? (Exchange 2010, AD 2003)

    My Active Directory environment is 2003 functional level and we have Exchange 2010.
    I am trying to find out the best way to do a mass edit for the "Managed by" values of our security and distribution groups.
    I know we can export the "managed by" field by csvde but I am not sure this is the correct way to do it. Also in the case that there are multiple users assigned to be managing a distribution group it only shows one value. Also powershell from Exchange 2010 can be used with "get-distribution" but as our AD environment is 2003 is this correct also?
    Finally once the data is exported to csv can it be edited to then reimport and update the existing group managed by fields with new values?
    Not really sure what the best way to go about this is.
    Summary - We have 2003 AD with Exchange 2010 and I am trying to export a list of all our Distribution/Security groups showing the group name and managedby values so we can edit and update the existing managedby values with new ones. In some cases we have multiple users as the owners.
    Appreciate any advice on how this can be best achieved. Thank you.

    Hi,
    We can use the following command in Exchange 2010 to export "Managed by" field of Distribution and Security groups:
    Get-DistributionGroup | Select-Object Name,@{label="ManagedBy";expression={[string]::join(";",$_.managedby)}},Primarysmtpaddress | Export-Csv C:\export.csv
    After you changed the Managed by field in export.csv and saved it as a new file named import.csv, we can run the following command to set with new value:
    Import-Csv C:\import.csv | Foreach-Object{ Set-DistributionGroup -Identity $_.Name -ManagedBy ($_.ManagedBy -split ";") }
    Hope it works.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Dynamic security group

    I need to create a security group that contains all the enabled users in AD.
    This group needs to be dynamic so that when a user is disabled it is automatically removed from it
    Thanks

    We do have the concept of dynamic objects in Active Directory but that is not what you are looking for. Dynamic objects in Active Directory have specific TTL and when their TTL expires they are directly deleted and they will not be considered in Garbage Collection.
    What you need I believe is a script which 'Removes the disabled users from the group' and run it for like every 15 minutes on your domain controller. I will update this thread as soon as I get my hands on a PowerShell.
    Update: Run this as a scheduled task:
    Get-ADGroupMember GroupTest | %{Get-ADUser -Identity $_.distinguishedName -Properties Enabled,samaccountname | ?{$_.Enabled -eq $false} | %{Remove-ADGroupMember -Identity GroupTest -Members $_.samaccountname -Confirm:$false}}
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.
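
The request in this thread (a group that always contains exactly the enabled users) needs additions as well as removals. The script below is an added example, not code from the thread; the group name comes from the reply above, while the search base, removal cap and log path are assumptions to adjust.

```powershell
#Requires -Version 5.0
#Requires -Modules ActiveDirectory
# Added example, not from the thread: keep a security group's user members
# equal to the set of enabled user accounts. Intended to run as a scheduled task.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName   = 'GroupTest',  # group name used in the reply above
    [string]$SearchBase  = '',           # assumption: empty = whole current domain
    [int]   $MaxRemovals = 25,           # assumption: per-run safety cap
    [string]$LogFile     = 'C:\Logs\enabled-users-sync.log'  # hypothetical path, folder must exist
)

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping for a value placed inside an LDAP filter.
    # The backslash is replaced first so later escapes are not doubled.
    $v = $Value -replace '\\', '\5c'
    $v = $v -replace '\*', '\2a'
    $v = $v -replace '\(', '\28'
    return ($v -replace '\)', '\29')
}

function Write-SyncLog {
    param([string]$Action, [string]$Target)
    Add-Content -Path $LogFile -Value ('{0:s} {1} {2}' -f (Get-Date), $Action, $Target)
}

$group = Get-ADGroup -Identity $GroupName

# Desired state: every user object without the ACCOUNTDISABLE bit (0x2) set.
$enabledFilter = '(&(objectCategory=person)(objectClass=user)' +
                 '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$query = @{ LDAPFilter = $enabledFilter }
if ($SearchBase) { $query.SearchBase = $SearchBase }
$desired = @(Get-ADUser @query | ForEach-Object { $_.DistinguishedName })

# Current state: users in the current domain that are direct members.
# Querying users by memberOf ignores nested groups and computer members and
# avoids the default 5000-entry limit of Get-ADGroupMember.
$memberFilter = '(memberOf={0})' -f (ConvertTo-LdapFilterValue $group.DistinguishedName)
$current = @(Get-ADUser -LDAPFilter $memberFilter | ForEach-Object { $_.DistinguishedName })

# Set difference in both directions, case-insensitive on the DN.
$cmp        = [System.StringComparer]::OrdinalIgnoreCase
$desiredSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$desired, $cmp)
$currentSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$current, $cmp)
$toAdd      = @($desired | Where-Object { -not $currentSet.Contains($_) })
$toRemove   = @($current | Where-Object { -not $desiredSet.Contains($_) })

# Guards: a failed or mis-scoped query must not empty the group.
if ($desired.Count -eq 0) {
    throw 'Enabled-user query returned no results; refusing to empty the group.'
}
if ($toRemove.Count -gt $MaxRemovals) {
    throw "Run would remove $($toRemove.Count) members (cap is $MaxRemovals); review before raising the cap."
}

$added = 0
$removed = 0
if ($toAdd.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($group.Name, "add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $group -Members $toAdd
    $toAdd | ForEach-Object { Write-SyncLog 'ADD' $_ }
    $added = $toAdd.Count
}
if ($toRemove.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($group.Name, "remove $($toRemove.Count) member(s)")) {
    Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    $toRemove | ForEach-Object { Write-SyncLog 'REMOVE' $_ }
    $removed = $toRemove.Count
}
Write-SyncLog 'DONE' ('added={0} removed={1}' -f $added, $removed)
```

Running it with -WhatIf reports the planned changes without touching the group. Removing an account from the group does not change sessions that are already logged on; the group SID stays in existing tokens and Kerberos tickets until they are renewed.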

  • Exchange 2013 Mail Enable Existing Security Groups

    Hello,
    I can't seem to find how to mail enable an existing Security Group in Exchange 2013.  Does anyone know how to do this?  I have created them as Universal Security Groups in Active Directory.  I see that if you create them from the Exchange Admin Center, it will work, but I have a ton of groups with very complicated memberships that exist in AD and I would prefer not to delete them, recreate them, and adjust membership.
    I looked for a cmdlet that would let me do this, but I can't seem to find one.
    Does anyone know how to Mail Enable an Existing Group from Exchange 2013?
    Thanks

    Hello Stewart,
    If these groups are universal security groups, you can just follow Martina's suggestion to do that.
    Thanks,
    Evan Liu
    TechNet Subscriber Support in forum
    Evan Liu
    TechNet Community Support

  • Office365 Exchange Security Group not updating in Sharepoint Online

    We have created a new Office365 Exchange Security Group that contains several other Exchange Security Groups.  This group will not show up in either the SharePoint Web admin or SharePoint Designer views.
    How can I force SharePoint to re-synchronize the Office365 Tenant users/groups?

    Hi,
    According to your post, my understanding is that Office365 Exchange Security Group is not updating in SharePoint Online.
    How long did you wait after creating the Group to see if they show up in SharePoint Online? The back-end replication can take some time, even days from my experience.
    Here is a similar thread for your reference:
    http://community.office365.com/en-us/f/156/t/173994.aspx
    More information:
    CIAOPS: Using Office 365 security groups with SharePoint Online
    Regarding SharePoint Online, for quick and accurate answers to your questions, it is recommended that you initiate a new thread in Office 365 forum.
    Office 365 forum
    http://community.office365.com/en-us/forums/default.aspx
    Best Regards,
    Linda Li
    TechNet Community Support

  • Can I move the 'Microsoft Exchange Security Groups' OU?

     Can I move the 'Microsoft Exchange Security Groups' OU?

    OK for Exchange 2007 this is apparently supported
    Q: Can I move the default Exchange security groups to another container or domain in the forest?
    A: Exchange 2007 uses a new set of security groups to manage the permission model and to maintain coexistence. These groups are as follows:
    Exchange Server
    Exchange View-Only Administrators
    Exchange Public Folder Administrators (New in Exchange 2007 Service Pack 1)
    Exchange Recipient Administrators
    Exchange Organization Administrators
    ExchangeLegacyInterop
    By default, these security groups are located in the root domain in the Microsoft Exchange Security Groups organizational unit. They can be moved to different organizational units and also to other domains in the forest. Moving the groups in the forest is supported because these groups have two unique properties: a well-known GUID and a distinguished name that can change. By using these two properties and adding them to the forest’s otherWellKnownObjects attribute during the Setup /PrepareAD task, Exchange can find the security group anywhere in the forest. The directory service will handle updating the distinguished name (DN) of the object when it is moved. In this manner, Exchange does not require a fixed location in the directory.
    http://technet.microsoft.com/en-us/library/bb310792.aspx
    http://www.pro-exchange.be/modules.php?name=News&file=article&sid=418
    Deli

  • Allocating and delegating permissions in Exchange Server 2010 between two AD security group.

    People,
    Can anyone please assist me in where and how to assign the following two AD security group in Exchange Server 2010?
    IT Admin group (Full access and permission for all AD and Exchange related).
    IT Helpdesk group (can only create mailbox and modify the mailbox properties including AD distribution group and contacts).
    Because in Exchange Server 2007, everything can be managed easily through the AD security group that is created during the installation such as
    Exchange Organization Administrators group for full access for IT Admin team and Exchange Recipient Administrators group for managing the mailbox user for Help Desk team.
    /* Server Support Specialist */

    Hi,
    Based on my knowledge, Exchange 2010 has an Organization Management group instead of the Exchange Organization Administrators group. Use the Recipient Management group instead of the Exchange Recipient Administrators group. In your case, you can add the IT Admin group to the Organization Management group, add the IT Helpdesk group to the Recipient Management group.
    Hope this can be helpful to you.
    Best regards,  
    Amy Wang
    TechNet Community Support

    Thanks, Amy,
    But for some reason I cannot see those built in AD security group in my ADUC?
    So should I recreate it manually by right clicking on the AD user and Console ?
    /* Server Support Specialist */

  • Can't add a mail enabled public folder to allowed senders on a mail universal security group in Exchange 2010

    Hello,
    I'm trying to allow a mail enabled public folder permissions to send to a mail universal security group. In the past if I wanted to add a PF as an allowed sender I would do it via the AuthOrig setting on that group using adsiedit.  I just noticed today that if I add the PF's DN to that attribute of the group, nothing happens.  No matter how long I wait the PF never shows up under the allowed senders list on the group. If you try and send as the PF you get a bounce about not being allowed to send to that group.  If I go back into AD and check, the PF is still listed under the AuthOrig attribute.  I tried this on a few different groups and with a few different PFs and I'm stumped.  I think the last time I had to update this setting on a group was before I installed roll-up 5 for SP3.
    If I do the same test with a user, it works as it should and they show up in the allowed senders list.
    If I take a group that isn't restricted to specific senders and add a PF DN to the AuthOrig attribute of the group, the button in the message delivery restrictions for that group in the EMC will change from all senders to only senders in the following list, but the PF won't be listed in the box of allowed senders.  If I remove it from the AuthOrig attribute the group will change back to allow all senders.  It's really weird, so any help or light you can shed on this would be greatly appreciated.
    -Mark

    Hello,
    I check many threads and articles, but there is no related information to verify the issue.
    If your purpose is that adding a mail-enabled public folder to allowed senders on a distribution group, there is a workaround method. You can create a new distribution group, and then add the public folder to the new distribution group, and add the new distribution group to the Only senders in the following list field of the target distribution group.
    Here is an article for your reference.
    http://support.microsoft.com/kb/2746885
    Cara Chen
    TechNet Community Support

  • Unable to change members of AD security groups who have access to shared mailboxes

    I have an exchange 2013 running for over a year now and never had any problems with it. Until recently.
    A request came in to make a new shared mailbox. So I did just that and gave rights to a security (not mail enabled) AD group. Just like I always do. Everything worked fine. A few hours later I did exactly the same for another request and then the people could not access the shared mailbox. So I added my regular user to the AD group and I also couldn't (I tested it with OWA and Outlook). I tried to remove myself from one of my own shared mailboxes and the permissions wouldn't stick. When I removed the entire group then the permissions were gone (and I could not access the shared mailbox). When I added it back I had my permissions back but still wasn't in the group. Then I tried adding a distribution group with the same result.
    It seems when I add normal users directly to the permissions everything works.
    When I had to restart the server a few days later. All changes were applied but I could not change it again.
    I'm a bit stumped on this one. I'm out of options.

    Hi Jelle,
    "I did exactly the same for another request and then the people could not access the shared mailbox.", I would like to verify if you give the same Security Group rights to multiple shared mailboxes.
    If the security group members can't have access to all the shared mailboxes they have rights, you can recreate a security group and grant permissions to shared mailboxes one by one to check the result.
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Not able to edit membership of universal security groups

    I’m not able to edit membership of My Universal security groups using outlook, when I add/remove members it shows the error
    “Changes to the public group membership can’t be saved. You do not have sufficient permission to perform this operation on this object”
    I've already assigned the RBAC role “Security Group Creation and Membership” to a security group and the user who is editing the group is the member of this role group. I’ve also tried to assign the role directly to user, but it also did not work.
    Exchange 2010, Outlook 2010.
    Could someone please suggest me on this.
    ------- Subodh

    No, I am still facing issue.
    I’m not able to edit membership of My Universal security groups using outlook, when I add/remove members it shows the error
    “Changes to the public group membership can’t be saved. You do not have sufficient permission to perform this operation on this object”
    I've already assigned the RBAC role “Security Group Creation and Membership” to a security group and the user who is editing the group is the member of this role group. I’ve also tried to assign the role directly to user, but it also did not work.
    I have multi domain scenario like Exchange is in child domain and AD Users are in Parent domain.
    ------- Subodh

  • Adding Editor Permissions to a AD Security Group

    Hi,
    Requirement: Add an AD Security Group with "Editor" rights on all MeetingRoom objects in the Exchange 2010 organization using Powershell.
    MailEnabledDistribution Group alias = abcd1
    The PS command I am running is :-
    $all=Get-Mailbox -RecipientTypeDetails RoomMailbox
    ForEach-Object {_.item in $all} {Add-MailboxFolderPermission -Identity ($item.alias+:\Calendar") -User abcd1 -AccessRights "Editor"}
    Is this the right PS command or a better one exists to accomplish the goal.
    Cheers
    H
    HA

    Hi,
    We can try the following commands to achieve it:
    $all=Get-Mailbox -RecipientTypeDetails RoomMailbox
    $all | ForEach {Add-MailboxFolderPermission -Identity "$($_.alias):\Calendar" -User abcd1 -AccessRights "Editor"}
    Thanks,
    Winnie Liang
    TechNet Community Support
