tsprouse asked:

UnHide Group Membership in Exchange 2007

I have a single Exchange 2007 server, migrated from 2003.  The Exchange 2003 Server is removed and gone.

It appeared that there were some Groups from Exchange 2003 that had their Membership Hidden, and as a result, I cannot see the membership, nor change permissions, with Active Directory Users and Computers (ADUC).

Is there a way to UnHide/Correct the permissions for these groups?  From Exchange 2007, Powershell, VBScript, or anything else?

Let me know if more info is needed.

Thanks

athelu

Is it hidden from both OWA and Outlook?
tsprouse (ASKER)

The Group Itself is not Hidden, just the Membership of the group.

For example, I can go into ADUC and open the properties of the group, and though I know the group does have members, no members show up in the "Members" tab.
Chris Dent

Is the group in the same domain as the users? And if not, is it Universal? Universal Group membership can only be fully enumerated in the Global Catalog unless the members are in the same domain within a Forest.

Otherwise, how do you know it has members if you can't see any? Is security on the group restrictive and preventing you seeing the "member" attribute?

Chris
Yes, it is in the same Domain (only one Domain). It's a Security Group - Universal (Mail-Enabled).

If I send email to the Group, people get the email.

Also, if I go to the Security tab in ADUC, I get the message...

"Windows Can Not Edit the permissions on <group name> because they have been written in a non-standard format by another application.  To enable editing, you must use the application to restore the permissions to a standard format."

If I hit OK, I can see all the permissions, but not edit anything. The one that looks out of place is "Everyone", which is set to Special Access. Clicking the Advanced button and digging deeper reveals that Everyone is set to Deny - Read Members.

I searched the GoogleSphere and it looks like this is related to it having the Members hidden, something that could be done in Exchange 2003 (and prior?).


Yeah... have you tried setting the permissions back to default?

Are there a lot of these?

Chris
I have not tried setting back to default, since I am not certain I know what the default is. There appear to be quite a number of other allowed permissions on these objects (I'm not sure how many are affected); most of the other permissions seemed to be Exchange related.

Also, it seems the "Restore Defaults" button is greyed out.  I've attached a screen shot...
scrnsht.jpg

Hmmm well permissions are normally set correctly higher up the tree so that they inherit to objects properly. You could always try resetting inheritance on one of the groups to see if it gets a working set.

Chris
Agreed, but unlike Windows Folder security properties, there is not a "Replace Security on Child Objects" check box on the parent OU, just an "Include inheritable permissions from this object's parent" box.

Some forums I found have mentioned removing the "Hide Membership" setting from the group from within Exchange (2000/2003), but that option is no longer available, as far as I can see, in Exchange 2007.

Yeah, I know, but it still exists, just a pain it isn't exposed.

It should be possible to modify the security using PowerShell. Fancy giving that a shot?

Chris
I'm relatively comfortable in PowerShell, just couldn't find how to do this. With guidance, I'd certainly consider giving it a shot.

Excellent :)

Then this would be worth a shot (afraid I have nothing to test on here).

$Group = [ADSI]"LDAP://CN=group,OU=somewhere,DC=yourdomain,DC=com"
$Security = $Group.PsBase.objectSecurity
# Set dACLProtected (blocks Inheritance) to False, and Preserve rules to True
$Security.SetAccessRuleProtection($False, $True)
$Group.PsBase.CommitChanges()

Chris
Done, got no errors, see screen shot.  But still same result in ADUC: all security is greyed out.

Ran this from my workstation in an elevated PowerShell (Win 7 RC1).  Also ran from the Exchange 07 (Server 2k3 x64 SP2) PowerShell, same results.


scrnsht.jpg

Is Exchange 2007 able to read the descriptor with:

Get-ADPermission "GroupName"

If so, we might be able to use that to correct it. Can't quite remember if that exposes inheritance though.

Chris
Yes, confirmed, but as I mentioned there are a lot of entries.

Apologies, but I have to head to a different building, and may not be back at my desk today.  But I will be back in the AM (about 7:30 EST); if you're available after that, I would appreciate working with you further if you have more ideas.

Here are a few of the entries listed from the Get-ADPermission command....
sc.jpg

No worries, I'll catch you tomorrow. I'll be at work and will have a bit more of an environment to test on :)

Interesting, it's showing a few as inherited there.

Can you see the full set of inherited? This should do it...

Get-ADPermission "GroupName" | ?{ $_.Inherited -eq $True }

We could just remove the Everyone Deny permission for now. I'll check the syntax in the morning and post it up.

Chris
Attached are the full results of the Get-ADPermission command.

RTC entries are for Office Communications Server
Unity are for voicemail

Groups that behave normally are very similar, with the exception of the Everyone group being denied Read Members.

get-ADpermission.txt

Yeah, it's very similar to mine. Do you want to remove that Everyone Deny right?

Get-ADPermission "GroupName" -User "Everyone" -Access ReadProperty | Remove-ADPermission

The pipe is the easiest way to capture the entry otherwise you have to specify rather a lot for Remove-ADPermission.

Chris
It didn't like the -Access flag. I tried without it, and it gave me an error...

"Remove-ADPermission : The ACL for the object "CN=_Executive Staff,OU=Distribution Groups,DC=ambsteel,DC=com" is not in canonical order (Deny/Allow/Inherited) and will be ignored."
sc.jpg
ASKER CERTIFIED SOLUTION
Chris Dent
$Group.PsBase.objectSecurity.AreAccessRulesCanonical comes back False.

After running the second list of commands, I still get the same error on the Group in ADUC and can't see the members.


sc.jpg

No error from commit changes? I'm surprised.

Presumably AreAccessRulesCanonical still shows False? And Get-ADPermission still shows the deny?

Chris
No Actually.

HOORAY!!

I guess I should've waited a couple minutes and tried again before my last post.

I am now able to see the members and the Security tab of the offending group from within ADUC.  And I ran the process on another group and it works now as well.

Thank you very much for your help and perseverance.

Phew, I was thinking we'd have to resort to VbScript which would have been depressing ;)

Chris
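As an added example that is not part of the thread (and not the accepted solution, which is not reproduced above), the following PowerShell function does what the thread worked towards using only System.DirectoryServices: it reports whether the group's DACL is canonical and inheritance-blocked, locates the explicit "Everyone: Deny Read Members" ACE that the Exchange 2000/2003 "Hide membership" option left behind, and with -Commit rebuilds the DACL in canonical (Deny/Allow/Inherited) order without that ACE before re-enabling inheritance, which is the step the typed ACL API and Remove-ADPermission refuse to perform on a non-canonical list. The function name is mine, the DN is a placeholder, and the GUID is assumed to be the schemaIDGUID of the "member" attribute in the standard AD schema.

```powershell
# Added example, not the thread's own code. Inspect and repair a group whose membership was hidden
# by Exchange 2000/2003: that feature leaves an explicit "Everyone: Deny ReadProperty" ACE on the
# "member" attribute and writes the DACL out of canonical order, so ADUC refuses to edit it.
# Run as a user allowed to write the group's security descriptor. Without -Commit it only reports.
# Assumption: the GUID below is the schemaIDGUID of the "member" attribute (standard AD schema).
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$EveryoneSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$ReadProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty   # 0x10

function Repair-HiddenMembership {
    param(
        [Parameter(Mandatory=$true)][string]$GroupDn,   # e.g. 'CN=group,OU=somewhere,DC=yourdomain,DC=com'
        [switch]$Commit
    )
    $group = [ADSI]"LDAP://$GroupDn"
    $acl   = $group.PsBase.ObjectSecurity            # System.DirectoryServices.ActiveDirectorySecurity
    Write-Host ("Before: canonical={0} inheritanceBlocked={1}" -f $acl.AreAccessRulesCanonical, $acl.AreAccessRulesProtected)

    # The typed ACL API throws on a non-canonical DACL; the raw (unchecked) descriptor does not.
    $sdBytes = $acl.GetSecurityDescriptorBinaryForm()
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sdBytes, 0
    $explicitDeny = @(); $explicitAllow = @(); $inherited = @(); $dropped = 0
    foreach ($ace in $raw.DiscretionaryAcl) {
        $isInherited = ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited) -ne 0
        # The "hide membership" ACE: explicit, Deny, Everyone, scoped to the member attribute, ReadProperty
        $isHideAce = (-not $isInherited) -and ($ace -is [System.Security.AccessControl.ObjectAce]) -and
            $ace.AceQualifier -eq 'AccessDenied' -and $ace.SecurityIdentifier -eq $EveryoneSid -and
            $ace.ObjectAceType -eq $MemberAttributeGuid -and (($ace.AccessMask -band $ReadProperty) -ne 0)
        if ($isHideAce) { $dropped++; continue }
        if ($isInherited) { $inherited += $ace }
        elseif (($ace -is [System.Security.AccessControl.QualifiedAce]) -and $ace.AceQualifier -eq 'AccessDenied') { $explicitDeny += $ace }
        else { $explicitAllow += $ace }
    }
    Write-Host "Everyone/Deny/Read Members ACEs found: $dropped"
    if (-not $Commit) { return }

    # Rebuild the DACL in canonical order: explicit Deny, explicit Allow, then inherited ACEs.
    $newDacl = New-Object System.Security.AccessControl.RawAcl -ArgumentList $raw.DiscretionaryAcl.Revision, 0
    $index = 0
    foreach ($ace in @($explicitDeny + $explicitAllow + $inherited)) { $newDacl.InsertAce($index, $ace); $index++ }
    $raw.DiscretionaryAcl = $newDacl
    $bytes = New-Object byte[] $raw.BinaryLength
    $raw.GetBinaryForm($bytes, 0)
    $acl.SetSecurityDescriptorBinaryForm($bytes, [System.Security.AccessControl.AccessControlSections]::Access)
    # Same step the thread used: re-enable inheritance from the OU while keeping the explicit ACEs.
    $acl.SetAccessRuleProtection($false, $true)
    $group.PsBase.CommitChanges()
    Write-Host ("After: canonical={0} inheritanceBlocked={1}" -f $acl.AreAccessRulesCanonical, $acl.AreAccessRulesProtected)
}
```

As the thread shows, ADUC may still display the old state for a couple of minutes after the commit; re-check AreAccessRulesCanonical on a fresh [ADSI] bind rather than trusting the first ADUC refresh.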