Solved

UnHide Group Membership in Exchange 2007

Posted on 2009-05-11
Last Modified: 2012-05-06
I have a single Exchange 2007 server, migrated from 2003.  The Exchange 2003 Server is removed and gone.

It appeared that there were some groups from Exchange 2003 that had their membership hidden, and as a result, I cannot see the membership, nor change permissions, with Active Directory Users and Computers (ADUC).

Is there a way to unhide/correct the permissions for these groups?  From Exchange 2007, PowerShell, VBScript, or anything else?

Let me know if more info is needed.

Thanks

Question by:tsprouse

23 Comments
 
LVL 9

Expert Comment

by:athelu
ID: 24357485
Is it hidden from both OWA and Outlook?
 

Author Comment

by:tsprouse
ID: 24357638
The group itself is not hidden, just the membership of the group.

For example, I can go into ADUC and open the properties of the group, and though I know the group does have members, no members show up in the "Members" tab.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24357923

Is the group in the same domain as the users? And if not, is it Universal? Universal Group membership can only be fully enumerated in the Global Catalog unless the members are in the same domain within a Forest.

Otherwise, how do you know it has members if you can't see any? Is security on the group restrictive and preventing you seeing the "member" attribute?

Chris
 

Author Comment

by:tsprouse
ID: 24357984
Yes, it is in the same domain (only one domain).  It's a Security Group - Universal (Mail-Enabled).

If I send email to the group, people get the email.

Also, if I go to the Security tab in ADUC, I get the message...

"Windows Can Not Edit the permissions on <group name> because they have been written in a non-standard format by another application.  To enable editing, you must use the application to restore the permissions to a standard format."

If I hit OK, I can see all the permissions, but not edit anything.  The one that looks out of place is "Everyone", which is set to Special Access.  Clicking the Advanced button and digging deeper reveals that Everyone is set to Deny - Read Members.

I searched the GoogleSphere and it looks like this is related to it having the members hidden, something that could be done in Exchange 2003 (and prior?).
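A check that covers the whole domain rather than one group, added here as an example and not posted by either participant: it walks every group under a search base and reports the ones whose DACL is non-canonical or carries the explicit Everyone / Deny / Read ACE on the "member" attribute described above. The search base DC=example,DC=com and the function name are placeholders (assumptions); the GUID is the well-known schemaIDGUID of the "member" attribute, and hideDLMembership is the Exchange-schema attribute the Exchange 2003 hide option set, read here only so you can see whether it is still flagged.

```powershell
# Added example (not posted in this thread): list every group under a search base whose
# DACL is non-canonical or carries an explicit Everyone / Deny / Read ACE on the "member"
# attribute, which is what the Exchange 2003 "Hide membership" option left behind.
# Assumptions: DC=example,DC=com is a placeholder; PowerShell 2.0 or later;
# the caller can read nTSecurityDescriptor on the groups (domain users normally can).

function Get-HiddenMembershipGroup {
    param([string]$SearchBase = 'DC=example,DC=com')

    # schemaIDGUID of the "member" attribute; this value is the same in every forest.
    $memberGuid  = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    $searcher.Filter   = '(objectCategory=group)'
    $searcher.PageSize = 500        # paged search, so large domains are not cut off at 1000 results
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

    foreach ($result in $searcher.FindAll()) {
        $group = $result.GetDirectoryEntry()
        $sd    = $group.psbase.ObjectSecurity      # System.DirectoryServices.ActiveDirectorySecurity

        # Explicit ACEs only; inherited ones come from the OU and are not what hid the membership.
        $hideAces = @($sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference -eq $everyoneSid -and
                $_.ObjectType -eq $memberGuid -and
                (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0)
            })

        if ($hideAces.Count -gt 0 -or -not $sd.AreAccessRulesCanonical) {
            New-Object PSObject -Property @{
                Group            = $result.Properties['distinguishedname'][0]
                Canonical        = $sd.AreAccessRulesCanonical     # False = Deny/Allow/Inherited order is broken
                EveryoneDenyRead = ($hideAces.Count -gt 0)
                HideDLMembership = [string]$group.hideDLMembership  # Exchange 2003 flag, reported only
            }
        }
    }
}

Get-HiddenMembershipGroup | Format-Table Group, Canonical, EveryoneDenyRead, HideDLMembership -AutoSize
```

Reading rules from a non-canonical descriptor with GetAccessRules works; it is only modifying one (AddAccessRule, RemoveAccessRule, or Remove-ADPermission) that fails with the "not in canonical order" error, so this report is safe to run against every group before deciding which ones to repair.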
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24358096

Yeah... have you tried setting the permissions back to default?

Are there a lot of these?

Chris
 

Author Comment

by:tsprouse
ID: 24358223
I have not tried setting back to default, since I am not certain I know what the default is.  There appear to be quite a number of other allowed permissions on these objects (I'm not sure how many are affected); most of the other permissions seemed to be Exchange related.

Also, it seems the "Restore Defaults" button is greyed out.  I've attached a screen shot...
scrnsht.jpg
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24358444

Hmmm, well, permissions are normally set correctly higher up the tree so that they inherit to objects properly. You could always try resetting inheritance on one of the groups to see if it gets a working set.

Chris
 

Author Comment

by:tsprouse
ID: 24358572
Agreed, but unlike Windows folder security properties, there is not a "Replace Security on Child Objects" check box on the parent OU, just an "Include inheritable permissions from this object's parent" box.

Some forums I found have mentioned removing the "Hide Membership" setting from the group from within Exchange (2000/2003), but that option is no longer available, as far as I can see, in Exchange 2007.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24358700

Yeah, I know, but it still exists, just a pain it isn't exposed.

It should be possible to modify the security using PowerShell. Fancy giving that a shot?

Chris
 

Author Comment

by:tsprouse
ID: 24358715
I'm relatively comfortable in PowerShell, just couldn't find how to do this.  With guidance, I'd certainly consider giving it a shot.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24358760

Excellent :)

Then this would be worth a shot (afraid I have nothing to test on here).

$Group = [ADSI]"LDAP://CN=group,OU=somewhere,DC=yourdomain,DC=com"
$Security = $Group.PsBase.objectSecurity   # System.DirectoryServices.ActiveDirectorySecurity for the group
# Set dACLProtected (blocks Inheritance) to False, and Preserve rules to True,
# so inheritable ACEs from the parent OU apply again without discarding the existing entries
$Security.SetAccessRuleProtection($False, $True)
$Group.PsBase.CommitChanges()   # write the modified descriptor back to the directory

Chris
 

Author Comment

by:tsprouse
ID: 24358859
Done, got no errors, see screen shot.  But still the same result in ADUC; all security is greyed out.

Ran this from my workstation in an elevated PowerShell (Win 7 RC1).  Also ran it from the Exchange 07 (Server 2k3 x64 SP2) PowerShell, same results.

scrnsht.jpg
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24358984

Is Exchange 2007 able to read the descriptor with:

Get-ADPermission "GroupName"

If so, we might be able to use that to correct it. Can't quite remember if that exposes inheritance though.

Chris
 

Author Comment

by:tsprouse
ID: 24359057
Yes, confirmed, but as I mentioned there are a lot of entries.

Apologies, but I have to head to a different building, and may not be back at my desk today.  But I will be back in the AM (about 7:30 EST); if you're available after that, I would appreciate working with you further if you have more ideas.

Here are a few of the entries listed from the Get-ADPermission command....
sc.jpg
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24359083

No worries, I'll catch you tomorrow. I'll be at work and will have a bit more of an environment to test on :)

Interesting, it's showing a few as inherited there.

Can you see the full set of inherited? This should do it...

# The property on Get-ADPermission output is IsInherited; the table header it prints just says "Inherited"
Get-ADPermission "GroupName" | ?{ $_.IsInherited -eq $True }

We could just remove the Everyone Deny permission for now. I'll check the syntax in the morning and post it up.

Chris
 

Author Comment

by:tsprouse
ID: 24363353
Attached are the full results of the Get-ADPermission command.

RTC entries are for Office Communications Server.
Unity entries are for voicemail.

Groups that behave normally are very similar, with the exception of the Everyone group being denied Read Members.

get-ADpermission.txt
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24363614

Yeah, it's very similar to mine. Do you want to remove that Everyone Deny right?

# Get-ADPermission has no -Access parameter, so select the Deny entry for Everyone in the pipeline
Get-ADPermission "GroupName" -User "Everyone" | ?{ $_.Deny -eq $True } | Remove-ADPermission

The pipe is the easiest way to capture the entry; otherwise you have to specify rather a lot for Remove-ADPermission.

Chris
 

Author Comment

by:tsprouse
ID: 24363806
It didn't like the -Access flag; I tried without it, and it gave me an error...

"Remove-ADPermission : The ACL for the object "CN=_Executive Staff,OU=Distribution Groups,DC=ambsteel,DC=com" is not in canonical order (Deny/Allow/Inherited) and will be ignored."
sc.jpg
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24364274

Hmmm, objectSecurity has a property for that. It should say the same:

$Group = [ADSI]"LDAP://CN=group,OU=somewhere,DC=yourdomain,DC=com"
# False means the DACL is not in canonical order (explicit Deny, explicit Allow, then inherited)
$Group.PsBase.objectSecurity.AreAccessRulesCanonical

We could try setting a new ACL using a known-good object as a template? e.g.

# Read the DACL of a group that behaves normally as SDDL ("Access" selects the DACL only)
$GoodGroup = [ADSI]"LDAP://CN=Good Group,OU=somewhere,DC=yourdomain,DC=com"
$GoodSDDL = $GoodGroup.PsBase.objectSecurity.GetSecurityDescriptorSddlForm("Access")

# Replace the broken group's DACL with that SDDL and write the change back
$BadGroup = [ADSI]"LDAP://CN=Bad Group,OU=somewhere,DC=yourdomain,DC=com"
$BadGroup.PsBase.objectSecurity.SetSecurityDescriptorSddlForm($GoodSDDL, "Access")
$BadGroup.PsBase.CommitChanges()

Difficult to find something to re-order the existing ACL without resorting to C++.

Chris
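An alternative to the template copy above, added as an example rather than taken from the thread: rebuild the broken group's DACL in canonical order from its own explicit ACEs, dropping only the Everyone / Deny / "member" entry, so the group keeps its own Exchange, OCS and Unity entries instead of inheriting another group's. The function name, the DN and the backup path are placeholders (assumptions); the caller needs Write DACL on the group. Run it with -WhatIf first to see what would be written.

```powershell
# Added example (not posted in this thread): rebuild a group's DACL in canonical order
# from its own explicit ACEs, dropping the Everyone / Deny / "member" ACE that the
# Exchange 2003 "Hide membership" option wrote.
# Assumptions: the DN is a placeholder; the caller has Write DACL on the group;
# PowerShell 2.0 or later. Keep the backup file this writes until ADUC is happy again.

function Repair-GroupMembershipAcl {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [string]$BackupPath = (Join-Path $env:TEMP 'group-sddl-backup.txt'),
        [switch]$WhatIf
    )

    $memberGuid  = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of "member"
    $everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

    $group = [ADSI]"LDAP://$DistinguishedName"
    $sd    = $group.psbase.ObjectSecurity

    # Full descriptor (owner, group, DACL, SACL) saved before anything is changed.
    "$DistinguishedName`t$($sd.GetSecurityDescriptorSddlForm('All'))" |
        Out-File -FilePath $BackupPath -Append

    # AddAccessRule on an empty descriptor inserts each ACE in canonical position
    # (explicit Deny before explicit Allow), so the order of the broken original is irrelevant.
    # Inherited ACEs are left out on purpose: the new descriptor is not marked protected,
    # so the DC merges the inheritable entries from the parent OU when it is written.
    $fixed   = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $dropped = 0
    foreach ($rule in $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        $isHideAce = ($rule.AccessControlType -eq 'Deny') -and
                     ($rule.IdentityReference -eq $everyoneSid) -and
                     ($rule.ObjectType -eq $memberGuid)
        if ($isHideAce) { $dropped++; continue }
        $fixed.AddAccessRule($rule)
    }
    $newSddl = $fixed.GetSecurityDescriptorSddlForm('Access')

    if ($WhatIf) {
        return New-Object PSObject -Property @{ Group = $DistinguishedName; Dropped = $dropped; NewDacl = $newSddl }
    }

    # Same write path the thread used: replace only the DACL, then commit.
    $sd.SetSecurityDescriptorSddlForm($newSddl, 'Access')
    $group.psbase.CommitChanges()

    # Re-read from the directory instead of trusting the cached entry.
    $check = [ADSI]"LDAP://$DistinguishedName"
    New-Object PSObject -Property @{
        Group     = $DistinguishedName
        Dropped   = $dropped
        Canonical = $check.psbase.ObjectSecurity.AreAccessRulesCanonical
    }
}

Repair-GroupMembershipAcl -DistinguishedName 'CN=Bad Group,OU=Distribution Groups,DC=example,DC=com' -WhatIf
```

This never hits the "not in canonical order" error that Remove-ADPermission raised, because nothing is modified in place: GetAccessRules only reads the broken descriptor, and every AddAccessRule call goes into a fresh, empty DACL. Check Canonical is True in the returned object and confirm in ADUC that the Members and Security tabs open before repeating it for the remaining groups.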
 

Author Comment

by:tsprouse
ID: 24364347
$Group.PsBase.objectSecurity.AreAccessRulesCanonical comes back False.

After running the second list of commands, I still get the same error on the group in ADUC and can't see the members.

sc.jpg
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24364422

No error from CommitChanges? I'm surprised.

Presumably AreAccessRulesCanonical still shows False? And Get-ADPermission still shows the deny?

Chris
 

Author Comment

by:tsprouse
ID: 24364499
No, actually.

HOORAY!!

I guess I should've waited a couple of minutes and tried again before my last post.

I am now able to see the members and the Security tab of the offending group from within ADUC.  And I ran the process on another group and it works now as well.

Thank you very much for your help and perseverance.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24364533

Phew, I was thinking we'd have to resort to VbScript which would have been depressing ;)

Chris
