Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
COURSE of the MONTH
11 days, 3 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Add Access Rights to a Security or Distribution Group via Management Shell in Exchange 2013
Posted on 2013-07-01
We are in the middle of a conversion to Exchange 2013 Standard from 2007. With the new calendar features in OWA and some other training goals for our staff, we would like them to use their calendars and their associates calendars. The majority of our staff's ONLY interaction is via OWA. I'm trying to automate sharing of the calendar with everybody in a location for them (the associates who have needed this in the past, I have done manually in Outlook for them).
In trying to automate this task, I'm attempting to use Add-MailboxFolderPermissio
In all cases I get output:
Note, I'm still working on this in my test environment and have created both universal distribution groups and universal security groups to test with which mimic the names of my production groups. The difference is the domain is lmplay.com vs my real one.
I have tried a few different versions based on both EE searches and general internet and find some scripts to do this one time.
We regularly have people move between locations, onboard, offboard, etc fairly frequently. Sharing via group membership is key; an iterative or piped script which looks at group membership or OU membership and iterates and makes changes on every mailbox while that would work, it not ideal and not easily supportable.
Therefore, do I have a syntax issue above that I'm doing this wrong, or is the -user parameter of Add-MailboxFolderPermissio
In trying to automate this task, I'm attempting to use Add-MailboxFolderPermissio
[PS] C:\>Add-MailboxFolderPermission -Identity SusieS@lmplay.com:\Calendar -AccessRights ReadItems -User SalesAssociates-Store4@lmplay.com
[PS] C:\>Add-MailboxFolderPermission -Identity SusieS@lmplay.com:\Calendar -AccessRights ReadItems -User "LMPLAY\SalesAssociates-Store4"
[PS] C:\>Add-MailboxFolderPermission -Identity SusieS@lmplay.com:\Calendar -AccessRights ReadItems -User "lmplay.com\SalesAssociates-Store4"
In all cases I get output:
The user "SalesAssociates-Store4@lmplay.com" is either not valid SMTP address, or there is no matching information.
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException
+ FullyQualifiedErrorId : C35EE919,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
Note, I'm still working on this in my test environment and have created both universal distribution groups and universal security groups to test with which mimic the names of my production groups. The difference is the domain is lmplay.com vs my real one.
I have tried a few different versions based on both EE searches and general internet and find some scripts to do this one time.
We regularly have people move between locations, onboard, offboard, etc fairly frequently. Sharing via group membership is key; an iterative or piped script which looks at group membership or OU membership and iterates and makes changes on every mailbox while that would work, it not ideal and not easily supportable.
Therefore, do I have a syntax issue above that I'm doing this wrong, or is the -user parameter of Add-MailboxFolderPermissio
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
6
3
10 Comments
Active 3 days ago
Are the groups mail enabled? If not then that is the problem. Exchange can only use mail enabled groups for permissions.
Simon.
Simon.
The groups are mail enabled security groups with universal scope but the cmdlet still fails.
[PS] C:\Windows\system32>Get-DistributionGroup SalesAssociates-Bocage
Name DisplayName GroupType PrimarySmtpAddress
---- ----------- --------- ------------------
Sales Associates - Bocage Sales Associates - Bocage Universal, SecurityEnabled SalesAssociates-Bocage@lmp...
[PS] C:\Windows\system32>
Update: A new group worked just fine (that is, created through ECP).
My test group does not have dashes in it, maybe that's a key?
That would be a lot of groups to recreate and / or deal with nested membership properties with not to mention, tracking down what ACL's are applied to those groups (production wise, thinking outside of test). Is there another property that might be lacking somewhere?
My test group does not have dashes in it, maybe that's a key?
[PS] C:\Windows\system32>Get-DistributionGroup SalesAssociates-Bocage
Name DisplayName GroupType PrimarySmtpAddress
---- ----------- --------- ------------------
Sales Associates - Bocage Sales Associates - Bocage Universal, SecurityEnabled SalesAssociates-Bocage@lmp...
[PS] C:\Windows\system32>Get-DistributionGroup TestGroup1
Name DisplayName GroupType PrimarySmtpAddress
---- ----------- --------- ------------------
TestGroup1 TestGroup1 Universal, SecurityEnabled TestGroup1@lmplay.com
[PS] C:\Windows\system32>Add-MailboxFolderPermission -Identity SusieS:\Calendar -AccessRights ReadItems -User "TestGroup
1@lmplay.com"
FolderName User AccessRights
---------- ---- ------------
Calendar TestGroup1 {ReadItems}
[PS] C:\Windows\system32>
That would be a lot of groups to recreate and / or deal with nested membership properties with not to mention, tracking down what ACL's are applied to those groups (production wise, thinking outside of test). Is there another property that might be lacking somewhere?
Active 3 days ago
Do you have spaces in the aliases? That can stop things from working correctly.
Simon.
Simon.
No spaces in the alias; there are spaces in Display name of the main groups (but not the one I made for the above)
I'll have to try a few more of them and see.
I'll have to try a few more of them and see.
Active 3 days ago
Display name is just that - a display name. It isn't used by Exchange for anything.
Aliases though can cause a problem. Were these groups converted from some other type in the past?
Simon.
Aliases though can cause a problem. Were these groups converted from some other type in the past?
Simon.
They go back to our Exchange 2003 days and used to be Global Distribution Groups. In exchange 2007 we had to migrate them to Universal groups.
Some of the newer ones (newer stores) started as Universal Distribution Groups until recently (last 8 or 9 months) and we changed them to be mail enabled Universal Security Groups.
We operate a single forest, single domain model; all DC's are in one site and all DC's are global catalogs so prior to Exchange 2007 we never used any universal groups but some of these go back.
If I had to recreate and redo them, we are not talking the end of the world ACL wise just some (a lot) of painful time.
Some of the newer ones (newer stores) started as Universal Distribution Groups until recently (last 8 or 9 months) and we changed them to be mail enabled Universal Security Groups.
We operate a single forest, single domain model; all DC's are in one site and all DC's are global catalogs so prior to Exchange 2007 we never used any universal groups but some of these go back.
If I had to recreate and redo them, we are not talking the end of the world ACL wise just some (a lot) of painful time.
Progress (and partial soln)
Tried changing the alias on one of the groups and got a bunch of warnings about upgrading the group to the current version and cannot modify it using older management tools.
Let it do that, and then try the Add-MailboxFolderPermissio
Swapping the Alias' around is not ideal but at least now I know it can be done; I just need to find how to (and when) to migrate all the groups to the new format. I missed that step in my research and reading (and oddly, that doesn't seem to be an option in recipient migration that I see easily).
Patricksr1972 - the extra step in the post that you posted / referenced - I think that "hack" works because the new group they are making is the new format and they're adding an old one to it and utilizing group nesting.
On to researching more on groups now (and how group owners and all these new moderator options work)
--ML
Tried changing the alias on one of the groups and got a bunch of warnings about upgrading the group to the current version and cannot modify it using older management tools.
Let it do that, and then try the Add-MailboxFolderPermissio
Swapping the Alias' around is not ideal but at least now I know it can be done; I just need to find how to (and when) to migrate all the groups to the new format. I missed that step in my research and reading (and oddly, that doesn't seem to be an option in recipient migration that I see easily).
Patricksr1972 - the extra step in the post that you posted / referenced - I think that "hack" works because the new group they are making is the new format and they're adding an old one to it and utilizing group nesting.
On to researching more on groups now (and how group owners and all these new moderator options work)
--ML
Featured Post
Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes. We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Mail Flow…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Suggested Courses
Course of the Month11 days, 3 hours left to enroll
770 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.