Let's convert a Mail Distribution Group to a Mail Enabled Security Group.
Open ADUC, open the properties of the group, then change the Group type from Distribution to Security.
Now in Exchange Admin Center we have a Mail Universal Security Group instead of a Mail Universal Distribution Group.
Let’s use this group to set permissions. Start Outlook and use this group to set permissions on my Calendar folder.
Add this group to the Calendar folder and press OK.
If you see the Deny circle sign on the distribution group
You receive an error message in Outlook when you try to set permissions for a distribution group on a mailbox folder in Exchange Server
Check the SecurityPrincipal on the group:
Get-SecurityPrincipal -Identity <DistributionGroupId>
The RecipientTypeDetails shows MailUniversalSecurityGroup - correct.
Running the command:
Set-DistributionGroup -Identity <DistributionGroupId>
returns the following message:
Members can’t remove themselves from security groups. Please set the group to Closed for requests to leave.
Running the following command:
Set-DistributionGroup -Identity <DistributionGroupId> -MemberDepartRestriction Closed
After running the above PowerShell command, we are able to use this group in Outlook to assign permissions to Exchange objects.
Conclusion
When converting from UDG to USG, the AD attribute "msExchRecipientDisplayType" may not be updated.
In that case Outlook shows the Deny circle sign on this group and we cannot use it to set permissions.
So make sure you have set the MemberJoin/DepartRestriction of your Distribution Group to Closed before converting it to a Security Group.
Solution for Exchange 2010/2013
Open ADUC and change the Group Type for your group from Distribution to Security.
Or
Set-ADGroup -Identity <DistributionGroupId> -GroupCategory:Security
Start Exchange PowerShell and run the following command:
Set-DistributionGroup -Identity <DistributionGroupId> -MemberDepartRestriction Closed
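The solution steps above combined with a verification pass, as an added example that is not part of the original post. It assumes the Exchange Management Shell with the ActiveDirectory module loaded; the function name, the group name and the domain controller name are hypothetical, and every call is pinned to one domain controller so the final check does not read a stale replica.

```powershell
# Added example (not from the original post). The function name, 'ExampleGroup'
# and 'dc01.example.local' are constructed placeholders.
function Convert-DistributionToSecurityGroup {
    param(
        [Parameter(Mandatory=$true)] [string] $GroupId,
        [Parameter(Mandatory=$true)] [string] $DomainController   # FQDN of one DC
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $dg = Get-DistributionGroup -Identity $GroupId -DomainController $DomainController -ErrorAction Stop
    $dn = $dg.DistinguishedName

    # Step 1: change the group type from Distribution to Security (skip if already done).
    $ad = Get-ADGroup -Identity $dn -Server $DomainController
    if ("$($ad.GroupCategory)" -ne 'Security') {
        Set-ADGroup -Identity $dn -GroupCategory Security -Server $DomainController -ErrorAction Stop
    }

    # Step 2: close requests to leave, as the Exchange message asks for security groups.
    Set-DistributionGroup -Identity $dn -MemberDepartRestriction Closed `
        -DomainController $DomainController -ErrorAction Stop

    # Step 3: re-read both views of the object from the same DC.
    $dg = Get-DistributionGroup -Identity $dn -DomainController $DomainController
    $ad = Get-ADGroup -Identity $dn -Server $DomainController -Properties msExchRecipientDisplayType
    $displayType = $ad.msExchRecipientDisplayType

    # 1073741833 is the msExchRecipientDisplayType of a mail-enabled universal
    # security group; a mail-enabled distribution group has 1.
    $usable = ("$($ad.GroupCategory)" -eq 'Security') -and
              ("$($dg.RecipientTypeDetails)" -eq 'MailUniversalSecurityGroup') -and
              ("$($dg.MemberDepartRestriction)" -eq 'Closed') -and
              ($displayType -eq 1073741833)

    New-Object PSObject -Property @{
        Group                   = $dg.Name
        GroupCategory           = "$($ad.GroupCategory)"
        RecipientTypeDetails    = "$($dg.RecipientTypeDetails)"
        MemberDepartRestriction = "$($dg.MemberDepartRestriction)"
        RecipientDisplayType    = $displayType
        UsableForPermissions    = $usable
    }
}

# Example call with constructed names:
Convert-DistributionToSecurityGroup -GroupId 'ExampleGroup' -DomainController 'dc01.example.local'
```

If UsableForPermissions comes back False while RecipientTypeDetails already reads MailUniversalSecurityGroup, compare RecipientDisplayType against the two values in the comment: that is the stale-attribute case described in the conclusion.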
It is also called man in the middle attack and it is still widely used because it is hard to prevent. User is, using social engineering, easily tricked into installing malicious software which enables full control to the attacker.
Serious Security CCTV Bayswater
Thanks for the comment.
In this note, we are talking about changing UDG to USG in MS Exchange
Is this still relevant for office 365?
In the Office 365 we can't convert mail distribution group to mail enabled security group, yet.
In office 365 you must delete the DG, create the SG.