none
can not edit mail non-universal group

    Question

  • Hi all,

    After moving from Exchange 2003 to Exchange 2010, the previous distribution groups become mail non-universal groups and greyed out.  i can not edit them anymore.

    Some DGs contains some distribution groups or secutiry groups.

    I can not create  nested distribution groups anymore in Exchange 2010.

    How can I make them not greyout and I am ble to edit them?

    Thank you.

     

    Thursday, August 04, 2011 2:25 PM

Answers

  • Hi John,

    Thank you for your time and help.

    Tried the above and still get the same message: "A global group cannot have a universal group as a member"

    What migh I miss?

    Thank you!


    Hi John,

    Please check if you have universal group as member for the global group.  If yes, then you have to remove it and then try to convert the group to universal.

    Group scope

    http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

    Xiu


    Thursday, August 11, 2011 3:28 AM
  • You will need to convert all distribution or email enabled security groups to Universal groups.  You can do this in the Exchange EMC by right-clicking on the group and select "Convert to Universal Group".  If you have nested groups, you will need to convert the nested groups first.
    Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Lync 2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington
    Thursday, August 04, 2011 2:56 PM
  • Hi,
    When I had a large number of groups to convert I run the code below. Not it was checking for groups which wheren't mail enabled. ... You could change mail -notlike "*" to mail -like "*" if you wanted to convert all groups.
    Import-Module ActiveDirectory
    
    $GroupsToMod = @(Get-ADGroup -Filter {(mail -notlike "*")} -SearchBase 'OU=Staff,OU=Groups,OU=Live,DC=domain,DC=co,DC=uk' -Properties mail )
    
    ForEach ($Group in $GroupsToMod){
    
      Get-ADGroup $Group | Set-ADGroup -GroupScope Universal -PassThru | Select DistinguishedName,Name,Group*
    
    }
    
    
    J
    Thursday, August 04, 2011 3:11 PM

All replies

  • You will need to convert all distribution or email enabled security groups to Universal groups.  You can do this in the Exchange EMC by right-clicking on the group and select "Convert to Universal Group".  If you have nested groups, you will need to convert the nested groups first.
    Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Lync 2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington
    Thursday, August 04, 2011 2:56 PM
  • Hi,
    When I had a large number of groups to convert I run the code below. Not it was checking for groups which wheren't mail enabled. ... You could change mail -notlike "*" to mail -like "*" if you wanted to convert all groups.
    Import-Module ActiveDirectory
    
    $GroupsToMod = @(Get-ADGroup -Filter {(mail -notlike "*")} -SearchBase 'OU=Staff,OU=Groups,OU=Live,DC=domain,DC=co,DC=uk' -Properties mail )
    
    ForEach ($Group in $GroupsToMod){
    
      Get-ADGroup $Group | Set-ADGroup -GroupScope Universal -PassThru | Select DistinguishedName,Name,Group*
    
    }
    
    
    J
    Thursday, August 04, 2011 3:11 PM
  • Hi,

    In Exchange 2007, you can create or mail-enable only universal distribution groups. So you need to convert it to universal (security) group.

    Managing Distribution Groups

    http://technet.microsoft.com/en-us/library/bb125256(EXCHG.80).aspx

    Xiu

    Friday, August 05, 2011 7:30 AM
  • Hi John,

    When I tried, I change notlike to like*

    I got this error: "A global group cannot have a universal group as a member" and this error shows when I manaully convert them to universal in

    EMC.

    I have about 500 distribution groups to convert.

     

    How should I fix the above message?

    Thank you.

    Friday, August 05, 2011 2:14 PM
  • Hi,

    You need to ensure the members of the group are also Universal groups. If you are changing the type of all the groups in a OU I could give you some code to do all groups, then if there are "members of members" type issues you could just run it a couple of times?

    J

    Friday, August 05, 2011 2:18 PM
  • Hi John,

    Thanks for your quick help. 

    >If you are changing the type of all the groups in a OU I could give you some code to do all groups,


    That woulb be great.  Yes, I am changing all the groups in one OU.  can you send me the script?

    BTW, can we do all groups with mail enabled in the whole domain dc=company,dc=local?

    Thank you for your sharing and help.

     

    Friday, August 05, 2011 2:34 PM
  • Ok.

    So I’d use the code above and run it a couple of times, just it will error groups with group membership but the first pass will change the scope of the child group and the second should change the scope of the parent group. This is a lazy approach but I want to get you the code to create the DG’s ;o)

    Once you have your groups at Universal level you can make DG’s

    I use the code below to batch create DG's with prefixed names or email addresses

    Import-Module ActiveDirectory
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
    
    Connect-ExchangeServer -auto
    
    $GroupsWithOutEmails = @(Get-ADGroup -Filter {(mail -notlike "*")} -SearchBase 'OU=Staff,OU=Groups,OU=Live,DC=domain,DC=co,DC=uk' -Properties mail )
    
    
    ForEach ($GroupsWithOutEmail in $GroupsWithOutEmails){
      $Alias = $GroupsWithOutEmail.Name.Replace(" ","")
      $SimpleName = $Alias.Replace("_","")
      $Identity = $GroupsWithOutEmail.DistinguishedName
      $PrettyName = "StaffGroup - All " + $GroupsWithOutEmail.Name + " Staff"
      $PrettyeMailAddress = "SMTP:StaffGroup_" + $Alias + "@domain.co.uk"
      
      Write-Host $Alias $Identity $PrettyName $PrettyeMailAddress
    
      Enable-DistributionGroup -Identity $Identity -Alias $Alias
      
      
      Set-DistributionGroup -Identity $Identity -DisplayName $PrettyName -EmailAddressPolicyEnabled $false -EmailAddresses $PrettyeMailAddress -SimpleDisplayName $SimpleName
    }
    
    
    There's some code in there to get around some of our groups which had "_" in them and Exchange didn't like. If you just want enalbe the groups as DG's then remove the "Set-DistributionGroup" line

    Is that any help?

    J

    Friday, August 05, 2011 3:11 PM
  • Hi John,

    This is great help and unforunately, I do not know scripts much.

     $Alias = $GroupsWithOutEmail.Name.Replace(" ","")
      $SimpleName = $Alias.Replace("_","")
      $Identity = $GroupsWithOutEmail.DistinguishedName
      $PrettyName = "StaffGroup - All " + $GroupsWithOutEmail.Name + " Staff"
      $PrettyeMailAddress = "SMTP:StaffGroup_" + $Alias + "@domain.co.uk"
    __________

    I just check all distributuions groups and they all format like alias@company.com

    Not sure If I use the above the script, will DGs SMTP address change?

    Thank you.

    Friday, August 05, 2011 3:23 PM
  • Hi,

    I've got to leave site in a mo and I has a little thik about how I'd do this the non lazy way ;o)

    I'd suggest to step in the PowerShell ISE as I don't have a enviroment to hand to test on.

     

    Import-Module ActiveDirectory
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
    
    Connect-ExchangeServer -auto
    
    
    $Groups = @(Get-ADGroup -Filter {(name -like "*")} -SearchScope Subtree -SearchBase "OU=Staff,OU=Groups,OU=Live,DC=domain,DC=co,DC=uk")
    
    Function Get-GroupGroups(){
    Param($GroupName,$NewGroup)
      $SubGroups = @(Get-ADGroupMember $GroupName | Where-Object {$_.objectClass -eq "group"})
      ForEach ($SubGroup in $SubGroups){
        Write-Host "Working on $($Group.Name)"
        Get-ADGroup $SubGroup | Set-ADGroup -GroupScope Universal -PassThru
        Enable-DistributionGroup -Identity $SubGroup.DistinguishedName -Alias $SubGroup.Name
      }
    
    }
    
    ForEach ($Group in $Groups){
      Write-Host "Working on $($Group.Name)"
      Get-GroupGroups $Group.Name
      Get-ADGroup $Group | Set-ADGroup -GroupScope Universal -PassThru
      Enable-DistributionGroup -Identity $Group.DistinguishedName -Alias $Group.Name
    }
    
    

    Good luck

    Friday, August 05, 2011 3:24 PM
  • Your address policy should put the correct addresses for your organization so if you leave out the "Set-DistributionGroup "
    Friday, August 05, 2011 3:25 PM
  • Hi John,

    Thank you for your time and help.

    Tried the above and still get the same message: "A global group cannot have a universal group as a member"

    What migh I miss?

    Thank you!

    Friday, August 05, 2011 5:11 PM
  • Hi John,

    Thank you for your time and help.

    Tried the above and still get the same message: "A global group cannot have a universal group as a member"

    What migh I miss?

    Thank you!


    Hi John,

    Please check if you have universal group as member for the global group.  If yes, then you have to remove it and then try to convert the group to universal.

    Group scope

    http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

    Xiu


    Thursday, August 11, 2011 3:28 AM