Поделиться через


Automatic converison of UDG in USG in Exchange 2007

Consider following scenario: Exchange 2007 SP2 in place and Outlook 2007 SP2. For the mail flow you configured previously with the old Exchange 2003 version a lot of Universal Distribution Groups (UDG) and mail-enable them. Now after your migration a new requirement comes from users and management: users should be able to assign MAPI permissions on their Public Folder folders and also on their Calendar folders. Actually it doesn’t make any difference on which folders those permission should be assigned. What matters is that those permissions should be assigned using the already created UDG. Now wait a minute… There is no dramatic change in Exchange 2007 in this direction and you still remember that only Security Groups can be used for permission assignment. And you also remember that in the old Exchange 2003 with Outlook 2003 environment, such a scenario had an automated component, in which assigning such permissions triggered automatically a conversion of the groups from Universal Distribution Groups to Universal Security Groups (USG).

For those who want to read more here is the official reference: https://support.microsoft.com/kb/843587/en-us . With Outlook 2003 Clients deployed and Exchange 2007, the automatic conversion takes place and everyone is happy. Just pick up from GAL the required group, and if this happened to be UDG it will be automatically converted, transparent from the user perspective, by the means of the Exchange Store process.

Unfortunately with Outlook 2007 in place the behavior is different. As far as I tested Outlook 2010 RC is also on the same side as Outlook 2007. With these new versions of Outlook the automatic conversion doesn’t take place any longer. In this situation the only possibility remains a manual conversion of the Universal Distribution Groups in Universal Security Groups, and then assigns the required Outlook permissions. We document automatic conversion problems for Outlook 2007 in the following article https://support.microsoft.com/kb/941318/en-us . For the moment no changes on the client side will take place to change the behavior.

In the process of manual conversion of an UDG to USG, please pay attention of a strange behavior that takes place, for each converted group: because of the manual conversion handling, the „msExchRecipientDisplayType“Attribute is not updated as expected in AD. As a consquence already converted UDG in USG are still showed (displayed) with a red Deny circle sign. Outlook 2007 will not be able to use those groups any further, although they are now the right USG, after conversion. In other words, in Outlook GAL, when you try again to assign permission for the required UDG, already manually converted to USG, those are displayed with the red deny sign. Fortunately there is a way to overcome this: just open Exchange Management Shell and for the converted USG run the following cmdlet ("set-distributiongroup") to update the attribute accordingly. You don’t have to specify any parameter, just the ID one.

For example: Set-DistributionGroup –id:Test1Group

Now you will be able to use those groups for assigning Outlook permissions. Of course don’t forget about AD replication and OAB generation in order to see the updated status of those groups.

Comments