Solved

UnHide Group Membership in Exchange 2007

Posted on 2009-05-11
2,129 Views
Last Modified: 2012-05-06
I have a single Exchange 2007 server, migrated from 2003.  The Exchange 2003 Server is removed and gone.

It appeared that there were some Groups from Exchange 2003 that had their Membership Hidden, and as a result, I cannot see the membership, nor change permissions, with Active Directory Users and Computers (ADUC).

Is there a way to UnHide/Correct the permissions for these groups?  From Exchange 2007, PowerShell, VBScript, or anything else?

Let me know if more info is needed.

Thanks

Question by:tsprouse
23 Comments
 
LVL 9

Expert Comment

by:athelu
ID: 24357485
Is it hidden from both OWA and Outlook?
 

Author Comment

by:tsprouse
ID: 24357638
The Group itself is not hidden, just the Membership of the group.

For example, I can go into ADUC and open the properties of the group, and though I know the group does have members, no members show up in the "Members" tab.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24357923

Is the group in the same domain as the users? And if not, is it Universal? Universal Group membership can only be fully enumerated in the Global Catalog unless the members are in the same domain within a Forest.

Otherwise, how do you know it has members if you can't see any? Is security on the group restrictive and preventing you seeing the "member" attribute?

Chris

Author Comment

by:tsprouse
ID: 24357984
Yes, it is in the same Domain (only one Domain).  It's a Security Group - Universal (Mail-Enabled).

If I send email to the Group, people get the email.

Also, if I go to the Security tab in ADUC, I get the message...

"Windows can not edit the permissions on <group name> because they have been written in a non-standard format by another application.  To enable editing, you must use the application to restore the permissions to a standard format."

If I hit OK, I can see all the permissions, but not edit anything.  The one that looks out of place is "Everyone", set to Special Access.  Clicking the Advanced button and digging deeper reveals that Everyone is set to Deny - Read Members.

I searched the GoogleSphere; it looks like this is related to it having the Members hidden, something that could be done in Exchange 2003 (and prior?).

 
LVL 71

Expert Comment

by:Chris Dent
ID: 24358096

Yeah... have you tried setting the permissions back to default?

Are there a lot of these?

Chris
 

Author Comment

by:tsprouse
ID: 24358223
I have not tried setting back to default, since I am not certain I know what the default is.  There appear to be quite a number of other allowed permissions on these objects (I'm not sure how many are affected); most of the other permissions seemed to be Exchange related.

Also, it seems the "Restore Defaults" button is greyed out.  I've attached a screen shot...
scrnsht.jpg
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24358444

Hmmm well permissions are normally set correctly higher up the tree so that they inherit to objects properly. You could always try resetting inheritance on one of the groups to see if it gets a working set.

Chris
 

Author Comment

by:tsprouse
ID: 24358572
Agreed, but unlike Windows folder security properties, there is not a "Replace Security on Child Object" check box on the parent OU, just an "Include inheritable permissions from this object's parent" box.

Some forums I found have mentioned removing the "Hide Membership" setting from the group from within Exchange (2000/2003), but that option is no longer available, as far as I can see, in Exchange 2007.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24358700

Yeah, I know, but it still exists, just a pain it isn't exposed.

It should be possible to modify the security using PowerShell. Fancy giving that a shot?

Chris
 

Author Comment

by:tsprouse
ID: 24358715
I'm relatively comfortable in PowerShell, just couldn't find how to do this.  With guidance, I'd certainly consider giving it a shot.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24358760

Excellent :)

Then this would be worth a shot (afraid I have nothing to test on here).

$Group = [ADSI]"LDAP://CN=group,OU=somewhere,DC=yourdomain,DC=com"
$Security = $Group.PsBase.objectSecurity
# SetAccessRuleProtection(isProtected, preserveInheritance):
# $False clears the "protected" flag so the OU's permissions inherit again,
# $True keeps the rules already on the object rather than discarding them
$Security.SetAccessRuleProtection($False, $True)
# objectSecurity is live on the DirectoryEntry, so committing writes the new descriptor
$Group.PsBase.CommitChanges()

Chris
 

Author Comment

by:tsprouse
ID: 24358859
Done, got no errors, see screen shot.  But still same result in ADUC; all security is greyed out.

Ran this from my workstation in an elevated PowerShell (Win 7 RC1).  Also ran from Exchange 07 (Server 2k3 x64 SP2) PowerShell, same results.


scrnsht.jpg
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24358984

Is Exchange 2007 able to read the descriptor with:

Get-ADPermission "GroupName"

If so, we might be able to use that to correct it. Can't quite remember if that exposes inheritance though.

Chris
 

Author Comment

by:tsprouse
ID: 24359057
Yes, confirmed, but as I mentioned there are a lot of entries.

Apologies, but I have to head to a different building, and may not be back at my desk today.  But I will be back in the AM (about 7:30 EST); if you're available after that, I would appreciate working with you further if you have more ideas.

Here are a few of the entries listed from the Get-ADPermission command....
sc.jpg
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24359083

No worries, I'll catch you tomorrow. I'll be at work and will have a bit more of an environment to test on :)

Interesting, it's showing a few as inherited there.

Can you see the full set of inherited? This should do it...

Get-ADPermission "GroupName" | ?{ $_.Inherited -eq $True }

We could just remove the Everyone Deny permission for now. I'll check the syntax in the morning and post it up.

Chris
 

Author Comment

by:tsprouse
ID: 24363353
Attached are the full results of the Get-ADPermission command.

RTC entries are for Office Communications Server
Unity entries are for voicemail

Groups that behave normally are very similar, with the exception of the Everyone group being denied Read Members.

get-ADpermission.txt
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24363614

Yeah, it's very similar to mine. Do you want to remove that Everyone Deny right?

Get-ADPermission "GroupName" -User "Everyone" -Access ReadProperty | Remove-ADPermission

The pipe is the easiest way to capture the entry otherwise you have to specify rather a lot for Remove-ADPermission.

Chris
 

Author Comment

by:tsprouse
ID: 24363806
It didn't like the -Access flag; I tried without it, and it gave me an error...

"Remove-ADPermission : The ACL for the object "CN=_Executive Staff,OU=Distribution Groups,DC=ambsteel,DC=com" is not in canonical order (Deny/Allow/Inherited) and will be ignored."
sc.jpg
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 24364274

Hmmm objectSecurity has a property for that. It should say the same:

$Group = [ADSI]"LDAP://CN=group,OU=somewhere,DC=yourdomain,DC=com"
# False here means the DACL is not in Deny/Allow/Inherited order, which is
# exactly the condition Remove-ADPermission complained about
$Group.PsBase.objectSecurity.AreAccessRulesCanonical

We could try setting a new ACL using a known-good object as a template? e.g.

$GoodGroup = [ADSI]"LDAP://CN=Good Group,OU=somewhere,DC=yourdomain,DC=com"
# "Access" = the DACL section only; owner, group and SACL are left alone
$GoodSDDL = $GoodGroup.PsBase.objectSecurity.GetSecurityDescriptorSddlForm("Access")

$BadGroup = [ADSI]"LDAP://CN=Bad Group,OU=somewhere,DC=yourdomain,DC=com"
# Replaces the whole DACL rather than editing the non-canonical one in place
$BadGroup.PsBase.objectSecurity.SetSecurityDescriptorSddlForm($GoodSDDL, "Access")
$BadGroup.PsBase.CommitChanges()

Difficult to find something to re-order the existing ACL without resorting to C++.

Chris
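The accepted answer copies another group's DACL over the broken one, which works but also overwrites the group's own explicit entries (the RTC and Unity ACEs mentioned earlier would be replaced by whatever the template group carries). The script below is an added example, not code posted in the thread, that does the same inspection the thread did by hand with Get-ADPermission and AreAccessRulesCanonical, then rewrites each group's DACL from its own explicit ACEs minus the hide-membership deny, using only System.DirectoryServices (no Exchange snap-in). Function names, the DNs, and the OU are mine and hypothetical; the GUID bf9679c0-0de6-11d0-a285-00aa003049e2 is assumed to be the schemaIDGUID of the "member" attribute (the "Read Members" entry seen in ADUC), so check it against CN=Member,CN=Schema in your forest before running against production. It needs PowerShell 2.0 or later for -WhatIf.

```powershell
# Added example (not posted in the thread). Finds groups whose nTSecurityDescriptor still
# carries the Exchange 2003 "Hide membership" ACE (Everyone : Deny : Read Property on the
# "member" attribute) and rewrites each DACL from the group's OWN explicit ACEs, dropping
# only that deny. Uses System.DirectoryServices only; requires PowerShell 2.0+ for -WhatIf.
# Assumptions: DNs below are hypothetical; the GUID is assumed to be the schemaIDGUID of
# "member" (verify against CN=Member,CN=Schema,... in your forest if unsure).

$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$EveryoneSid         = 'S-1-1-0'   # compare SIDs, not names, so an untranslatable SID cannot break the filter

function Test-HideMembershipAce {
    # True for an explicit ACE that is the legacy hide-membership deny.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $readProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    return ($Rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
            $Rule.IdentityReference.Value -eq $EveryoneSid -and
            $Rule.ObjectType -eq $MemberAttributeGuid -and
            (([int]$Rule.ActiveDirectoryRights -band $readProperty) -ne 0))
}

function Get-GroupDaclReport {
    # The checks the thread did by hand: canonical order, inheritance, and the offending ACE.
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $entry     = [ADSI]"LDAP://$DistinguishedName"
    $sd        = $entry.PsBase.ObjectSecurity
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $explicit  = @($sd.GetAccessRules($true,  $false, $sidType))   # explicit ACEs only
    $inherited = @($sd.GetAccessRules($false, $true,  $sidType))   # ACEs that came from the OU
    New-Object PSObject -Property @{
        DistinguishedName  = $DistinguishedName
        Canonical          = $sd.AreAccessRulesCanonical
        InheritanceBlocked = $sd.AreAccessRulesProtected
        ExplicitAces       = $explicit.Count
        InheritedAces      = $inherited.Count
        HideMembershipAces = @($explicit | Where-Object { Test-HideMembershipAce $_ }).Count
    }
}

function Find-HiddenMembershipGroups {
    # Answers "are there a lot of these?": every group under $SearchBase that needs repair.
    param([Parameter(Mandatory=$true)][string]$SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    $searcher.Filter   = '(objectCategory=group)'
    $searcher.PageSize = 500
    foreach ($hit in $searcher.FindAll()) {
        $report = Get-GroupDaclReport -DistinguishedName $hit.Properties['distinguishedname'][0]
        if (-not $report.Canonical -or $report.HideMembershipAces -gt 0) { $report }
    }
}

# Rebuilds the DACL from the group's own explicit ACEs minus the hide-membership deny.
# AddAccessRule keeps a fresh ACL in canonical order (explicit deny, then explicit allow), so
# the result is canonical even when the source was not, and it is written with the same
# SetSecurityDescriptorSddlForm + CommitChanges path that worked in the thread: the original,
# non-canonical ACL is never edited in place (which is what Remove-ADPermission refused to do).
# Inherited ACEs are left out on purpose; with protection cleared, the DS re-derives them from the OU.
function Repair-GroupDacl {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $entry  = [ADSI]"LDAP://$DistinguishedName"
    $old    = $entry.PsBase.ObjectSecurity
    # Keep this: $old.SetSecurityDescriptorSddlForm($backup, 'Owner,Group,Access') + CommitChanges rolls back.
    $backup = $old.GetSecurityDescriptorSddlForm('Owner,Group,Access')

    $new = New-Object System.DirectoryServices.ActiveDirectorySecurity
    # Same owner/group as the original, plus an empty DACL ("D:") to add rules into.
    $new.SetSecurityDescriptorSddlForm($old.GetSecurityDescriptorSddlForm('Owner,Group') + 'D:', 'Owner,Group,Access')
    $dropped = 0
    foreach ($rule in $old.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if (Test-HideMembershipAce $rule) { $dropped++; continue }
        $new.AddAccessRule($rule)
    }
    $new.SetAccessRuleProtection($false, $true)   # as in the earlier snippet: let the OU's permissions inherit

    if ($PSCmdlet.ShouldProcess($DistinguishedName, "rewrite DACL, dropping $dropped hide-membership ACE(s)")) {
        $old.SetSecurityDescriptorSddlForm($new.GetSecurityDescriptorSddlForm('Access'), 'Access')
        $entry.PsBase.CommitChanges()
    }
    New-Object PSObject -Property @{ DistinguishedName = $DistinguishedName; DroppedAces = $dropped; BackupSddl = $backup }
}

# Usage (hypothetical DNs): inventory first, rehearse with -WhatIf, then repair and file BackupSddl away.
Find-HiddenMembershipGroups -SearchBase 'OU=Distribution Groups,DC=example,DC=com' | Format-Table -AutoSize
Repair-GroupDacl -DistinguishedName 'CN=Executive Staff,OU=Distribution Groups,DC=example,DC=com' -WhatIf
```

Run the inventory before touching anything, since a non-canonical DACL on a group is usually a sign that several groups were migrated with the same flag set. After a repair, Get-GroupDaclReport on the same DN should show Canonical = True, HideMembershipAces = 0 and a non-zero InheritedAces count; if the members still do not show in ADUC a minute later, check that the Everyone deny was the only explicit deny on the object, because a deny from another source would survive this rewrite by design.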
 

Author Comment

by:tsprouse
ID: 24364347
$Group.PsBase.objectSecurity.AreAccessRulesCanonical comes back False.

After running the second list of commands, I still get the same error on the Group in ADUC and can't see the members.


sc.jpg
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24364422

No error from commit changes? I'm surprised.

Presumably AreAccessRulesCanonical still shows False? And Get-ADPermission still shows the deny?

Chris
 

Author Comment

by:tsprouse
ID: 24364499
No, actually.

HOORAY!!

I guess I should've waited a couple of minutes and tried again before my last post.

I am now able to see the members and the Security tab of the offending group from within ADUC.  And I ran the process on another group and it works now as well.

Thank you very much for your help and perseverance.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24364533

Phew, I was thinking we'd have to resort to VbScript which would have been depressing ;)

Chris
