Solved

Add Access Rights to a Security or Distribution Group via Management Shell in Exchange 2013

Posted on 2013-07-01
Last Modified: 2013-07-06
We are in the middle of a conversion to Exchange 2013 Standard from 2007.  With the new calendar features in OWA and some other training goals for our staff, we would like them to use their calendars and their associates' calendars.  The majority of our staff's ONLY interaction is via OWA.  I'm trying to automate sharing of the calendar with everybody in a location for them (the associates who have needed this in the past, I have done manually in Outlook for them).

In trying to automate this task, I'm attempting to use Add-MailboxFolderPermission and it works great for one user.  It does not appear to accept a group (either security or distribution) as input to the -User parameter.

[PS] C:\>Add-MailboxFolderPermission -Identity SusieS@lmplay.com:\Calendar -AccessRights ReadItems -User SalesAssociates-Store4@lmplay.com


[PS] C:\>Add-MailboxFolderPermission -Identity SusieS@lmplay.com:\Calendar -AccessRights ReadItems -User "LMPLAY\SalesAssociates-Store4"


[PS] C:\>Add-MailboxFolderPermission -Identity SusieS@lmplay.com:\Calendar -AccessRights ReadItems -User "lmplay.com\SalesAssociates-Store4"


In all cases I get output:
The user "SalesAssociates-Store4@lmplay.com" is either not valid SMTP address, or there is no matching information.
    + CategoryInfo          : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException
    + FullyQualifiedErrorId : C35EE919,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission


Note, I'm still working on this in my test environment and have created both universal distribution groups and universal security groups to test with which mimic the names of my production groups.  The difference is the domain is lmplay.com vs my real one.
I have tried a few different versions based on both EE searches and general internet and find some scripts to do this one time.

We regularly have people move between locations, onboard, offboard, etc. fairly frequently.  Sharing via group membership is key; an iterative or piped script which looks at group membership or OU membership and iterates and makes changes on every mailbox, while that would work, is not ideal and not easily supportable.


Therefore, do I have a syntax issue above that I'm doing this wrong, or is the -User parameter of the Add-MailboxFolderPermission cmdlet not going to support a group at all?
Question by:LappiMA
LVL 19

Assisted Solution

by:Patricksr1972
Patricksr1972 earned 25 total points
ID: 39290933
Hi

It is not a syntax error if you ask me, it involves one more step as you can read here. (I assume here Exchange 2013 shows the same behaviour with PS cmdlets as 2010 would.)
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 25 total points
ID: 39290952
Are the groups mail enabled? If not then that is the problem. Exchange can only use mail enabled groups for permissions.

Simon.

Author Comment

by:LappiMA
ID: 39290983
The groups are mail enabled security groups with universal scope but the cmdlet still fails.

[PS] C:\Windows\system32>Get-DistributionGroup SalesAssociates-Bocage

Name                          DisplayName                   GroupType                     PrimarySmtpAddress
----                          -----------                   ---------                     ------------------
Sales Associates - Bocage     Sales Associates - Bocage     Universal, SecurityEnabled    SalesAssociates-Bocage@lmp...


[PS] C:\Windows\system32>


Author Comment

by:LappiMA
ID: 39291047
Update:  A new group worked just fine (that is, created through ECP).  

My test group does not have dashes in it, maybe that's a key?


[PS] C:\Windows\system32>Get-DistributionGroup SalesAssociates-Bocage

Name                          DisplayName                   GroupType                     PrimarySmtpAddress
----                          -----------                   ---------                     ------------------
Sales Associates - Bocage     Sales Associates - Bocage     Universal, SecurityEnabled    SalesAssociates-Bocage@lmp...


[PS] C:\Windows\system32>Get-DistributionGroup TestGroup1

Name                          DisplayName                   GroupType                     PrimarySmtpAddress
----                          -----------                   ---------                     ------------------
TestGroup1                    TestGroup1                    Universal, SecurityEnabled    TestGroup1@lmplay.com

[PS] C:\Windows\system32>Add-MailboxFolderPermission -Identity SusieS:\Calendar -AccessRights ReadItems -User "TestGroup
1@lmplay.com"

FolderName           User                 AccessRights
----------           ----                 ------------
Calendar             TestGroup1           {ReadItems}

[PS] C:\Windows\system32>


That would be a lot of groups to recreate and / or deal with nested membership properties, not to mention tracking down what ACLs are applied to those groups (production wise, thinking outside of test).  Is there another property that might be lacking somewhere?
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39291519
Do you have spaces in the aliases? That can stop things from working correctly.

Simon.

Author Comment

by:LappiMA
ID: 39291562
No spaces in the alias; there are spaces in Display name of the main groups (but not the one I made for the above)

I'll have to try a few more of them and see.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39291574
Display name is just that -  a display name. It isn't used by Exchange for anything.
Aliases though can cause a problem. Were these groups converted from some other type in the past?

Simon.

Author Comment

by:LappiMA
ID: 39291600
They go back to our Exchange 2003 days and used to be Global Distribution Groups.  In Exchange 2007 we had to migrate them to Universal groups.

Some of the newer ones (newer stores) started as Universal Distribution Groups until recently (last 8 or 9 months) and we changed them to be mail enabled Universal Security Groups.

We operate a single forest, single domain model; all DCs are in one site and all DCs are global catalogs so prior to Exchange 2007 we never used any universal groups but some of these go back.

If I had to recreate and redo them, we are not talking the end of the world ACL wise just some (a lot) of painful time.

Accepted Solution

by:
LappiMA earned 0 total points
ID: 39292141
Progress (and partial solution)

Tried changing the alias on one of the groups and got a bunch of warnings about upgrading the group to the current version and cannot modify it using older management tools.

Let it do that, and then tried the Add-MailboxFolderPermission command again using the new alias....No problem.

Swapping the aliases around is not ideal but at least now I know it can be done; I just need to find how (and when) to migrate all the groups to the new format. I missed that step in my research and reading (and oddly, that doesn't seem to be an option in recipient migration that I see easily).

Patricksr1972 - the extra step in the post that you posted / referenced - I think that "hack" works because the new group they are making is the new format and they're adding an old one to it and utilizing group nesting.

On to researching more on groups now (and how group owners and all these new moderator options work)

--ML

Author Closing Comment

by:LappiMA
ID: 39303734
Found solution by trial & error and probing in different directions from ideas in the thread.
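
One way to act on the accepted solution, as an added PowerShell example that is not part of the original thread: list the groups still carrying an older Exchange object version, upgrade them, then grant the calendar right and read the ACL back. It assumes the failure is tied to the legacy group version as the accepted solution describes and uses TestGroup1 as the known-good reference; the `$Apply` dry-run variable is a name introduced here.

```powershell
# Added example for the Exchange 2013 Management Shell (not from the thread).
# Assumptions: TestGroup1, the ECP-created group that worked in the thread, is
# the known-good reference; SusieS and ReadItems are the thread's test values.
$Apply     = $false   # leave $false for a dry run; set $true to make changes
$reference = Get-DistributionGroup -Identity 'TestGroup1'
$current   = "$($reference.ExchangeVersion)"

# 1. Inventory every mail-enabled group whose object version differs from the
#    reference, so the scope of the change is known before anything is touched.
$legacy = @(Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { "$($_.ExchangeVersion)" -ne $current })
$legacy | Sort-Object Name |
    Format-Table Name, Alias, GroupType, ExchangeVersion -AutoSize

# 2. Upgrade each group. -ForceUpgrade suppresses the "created in a previous
#    version" confirmation; -WhatIf keeps the dry run read-only.
$upgraded = @()
foreach ($g in $legacy) {
    try {
        Set-DistributionGroup -Identity $g.DistinguishedName -ForceUpgrade `
            -WhatIf:(-not $Apply) -ErrorAction Stop
        if ($Apply) { $upgraded += $g }
    } catch {
        Write-Warning "Upgrade failed for $($g.Name): $($_.Exception.Message)"
    }
}

# 3. Grant the calendar right to one upgraded group, then read the ACL back to
#    confirm that only the intended right was added.
$target = $upgraded |
    Where-Object { "$($_.PrimarySmtpAddress)" -eq 'SalesAssociates-Store4@lmplay.com' }
if ($target) {
    Add-MailboxFolderPermission -Identity 'SusieS:\Calendar' `
        -User "$($target.PrimarySmtpAddress)" -AccessRights ReadItems
    Get-MailboxFolderPermission -Identity 'SusieS:\Calendar' |
        Format-Table FolderName, User, AccessRights -AutoSize
}
```

Granting the right to the group rather than to each member keeps calendar access tied to group membership, so joiners and leavers are handled by the directory instead of by per-mailbox ACL edits.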