Tuesday, September 23, 2008

"Tickling" GC Re-evaluation for Groups via "Set-DistributionGroup"

In an earlier post, I discussed having to use a set-mailbox command to "tickle" Exchange to force it to update custom Address List membership based upon changes made directly to Active Directory. I've now discovered that a similar action is required to update Distribution Group status in the Global Catalog when the group is converted to a mail-enabled security group in ADUC.

As discussed in KB 941318, a Distribution Group cannot be added to Exchange folder sharing permissions via Outlook 2007 against an Exchange 2007 server. When the Distribution Group appears in the GAL selection list, a prohibition icon appears next to the name, and attempting to add it to the DACL results in the following error:

One or more users cannot be added to the folder access list. Non-local users cannot be given rights on this server.

Of course, the solution is to convert the Distribution Group into a mail-enabled Security Group.  Earlier versions of the Outlook/Exchange combo handled this conversion automatically.  Why this functionality has been removed, I haven't a clue, but the fact remains that we now have to perform this conversion automatically.

Of course, my first instinct when I encountered this was to make the change in Active Directory Users & Computers.  All fine and dandy, except that the prohibition symbol didn't go away, and the group still could not be added.  It seems that performing this conversion outside of the scope of Exchange tools doesn't prod Exchange into noticing the change and changing the GAL entry accordingly. This seems to be the case despite the fact that the information returned by a Get-DistributionGroup command reflects the fact that the group has been converted.  Issuing a Set-DistributionGroup command with no arguments other than the group name seems to fix this.

Keep in mind that the Exchange Management Console provides no tool for performing this conversion, nor does (as far as I can find) Exchange Management Shell.
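
The check-then-tickle sequence described above, as an added example for the Exchange Management Shell (not code from the original post). The function name `Update-ConvertedGroup` and the group name `Example-Group` are hypothetical, and reading the conversion from the `GroupType` property is an assumption about where Get-DistributionGroup reflects it.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Update-ConvertedGroup is a hypothetical helper name.
function Update-ConvertedGroup {
    param(
        [string]$Identity = $(throw 'Identity is required'),
        [switch]$WhatIf
    )

    # Read the group as Exchange currently sees it; stop if it does not resolve.
    $group = Get-DistributionGroup -Identity $Identity -ErrorAction Stop

    # Assumption: GroupType is a flags value such as "Universal, SecurityEnabled".
    # Refuse to continue if the ADUC conversion has not actually been made,
    # because the tickle does not perform the conversion itself.
    if ("$($group.GroupType)" -notmatch 'SecurityEnabled') {
        Write-Warning "$($group.Name) is not security-enabled; convert it in ADUC first."
        return
    }

    # The tickle from the post: Set-DistributionGroup with nothing but the identity.
    # The distinguished name is used so that exactly the group read above is touched.
    Set-DistributionGroup -Identity $group.DistinguishedName -WhatIf:$WhatIf

    # Re-read and show the fields an admin would compare before retrying in Outlook.
    Get-DistributionGroup -Identity $group.DistinguishedName |
        Select-Object Name, GroupType, RecipientTypeDetails
}

# 'Example-Group' is a placeholder. Preview first, then apply.
Update-ConvertedGroup -Identity 'Example-Group' -WhatIf
Update-ConvertedGroup -Identity 'Example-Group'
```

Because a security-enabled group can be placed on folder permissions, review its membership before converting and tickling it.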
