locked
Changing Group Type via PowerShell RRS feed

  • Question

  • Hello all, we have recently completed a migration from Exchange 2003 to Exchange 2007, and I'm working on changing the Type of a few groups. I dug around on the forums here, but couldn't locate any post/answer that answered these specific items. The groups are currently marked as Mail Non-Universal Groups, and we would like to convert them to Mail-Enabled Universal Distribution Groups. A few things:

    1) If I use the "Convert to Universal Group" button in EMC, the group is converted to a Mail-Enabled Universal Security Group rather than a Mail-Enabled Universal Distribution Group, which we do not want.
    2) If I use PowerShell, the conversion works - but only if the group is listed as a Distribution Group in ADUC (rather than a Security Group). The command I've been using is: [PS] C:\Windows\System32>set-group -id 'groupname' -universal:$True, which works fine if the group is a distribution group and not a security group.

    My questions are:

    1) Can I use PowerShell to change a group from a Mail-Enabled Universal Security Group to a Mail-Enabled Universal Distribution Group? If so, what would that PowerShell command look like?
    2) Can I use PowerShell to change a Mail Non-Universal Group (which is listed as a Security Group in AD, with email capabilities) into a Mail-Enabled Universal Distribution Group? If so, what would that PowerShell command look like?


    Hopefully what I'm getting at makes sense. I'm new to PowerShell and am trying to build a skillset and bank of cmdlets that I can use for everyday management.

    Thank You,
    Jason
    Monday, July 20, 2009 8:56 PM

Answers

  • For #1 Are you sure you want to do this?  You would loose any ACLs that are associated with that group.

    For #2 This Should Work:

    Get-Group  | Where {$_.GroupType -eq "Global"} | Set-Group -Universal


    Mike Crowley  A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator

    • Proposed as answer by Mike Crowley Monday, July 20, 2009 10:48 PM
    • Marked as answer by Amit Tank Wednesday, July 22, 2009 7:57 AM
    Monday, July 20, 2009 10:48 PM
  • Yes, I agree with Mike on #1. You will get problems while delegating some MAPI permissions to distribution group if you covert security groups to distribution group. I would recommend not to convert it and use them as main-enabled universal security group.

    #2. Conversation is really required when migrating to Exchange 2007 in multi domain environment otherwise mails to Global group will be disappear. Refer blow article on why and how to convert them...

    Need to convert Global groups to Universal groups? Do you have messages to global groups disappearing?

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com RSS

    • Marked as answer by Amit Tank Wednesday, July 22, 2009 7:57 AM
    Tuesday, July 21, 2009 3:06 AM
  • Yes, the link provided by Mike works. I have tested in the lab

    a.      Launch EMS

    b.      Run the cmdlets below

    $x=[adsi]"LDAP://cn=SecurityGroupName,ou=OUName,dc=Contoso,dc=com"

    $x.Put("groupType", "8")

    $x.setInfo()

    Notes: Please remember the [adsi]"LDAP part is uppercase sensitive

    Notes: As Mike and Amit have mentioned, it’s not recommended to do such modification. There may cause potential issue in the future  

    • Marked as answer by Amit Tank Wednesday, July 22, 2009 7:57 AM
    Tuesday, July 21, 2009 10:51 AM

All replies

  • For #1 Are you sure you want to do this?  You would loose any ACLs that are associated with that group.

    For #2 This Should Work:

    Get-Group  | Where {$_.GroupType -eq "Global"} | Set-Group -Universal


    Mike Crowley  A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator

    • Proposed as answer by Mike Crowley Monday, July 20, 2009 10:48 PM
    • Marked as answer by Amit Tank Wednesday, July 22, 2009 7:57 AM
    Monday, July 20, 2009 10:48 PM
  • Here is more for #1, but I have not tried this: http://www.petri.co.il/forums/showthread.php?t=30331

    Mike Crowley  A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator

    Monday, July 20, 2009 10:56 PM
  • Yes, I agree with Mike on #1. You will get problems while delegating some MAPI permissions to distribution group if you covert security groups to distribution group. I would recommend not to convert it and use them as main-enabled universal security group.

    #2. Conversation is really required when migrating to Exchange 2007 in multi domain environment otherwise mails to Global group will be disappear. Refer blow article on why and how to convert them...

    Need to convert Global groups to Universal groups? Do you have messages to global groups disappearing?

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com RSS

    • Marked as answer by Amit Tank Wednesday, July 22, 2009 7:57 AM
    Tuesday, July 21, 2009 3:06 AM
  • I see that post uses "like" instead of "eq".  I would go with that as it seems more forgiving!

    Mike Crowley  A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator

    Tuesday, July 21, 2009 4:43 AM
  • Yes, the link provided by Mike works. I have tested in the lab

    a.      Launch EMS

    b.      Run the cmdlets below

    $x=[adsi]"LDAP://cn=SecurityGroupName,ou=OUName,dc=Contoso,dc=com"

    $x.Put("groupType", "8")

    $x.setInfo()

    Notes: Please remember the [adsi]"LDAP part is uppercase sensitive

    Notes: As Mike and Amit have mentioned, it’s not recommended to do such modification. There may cause potential issue in the future  

    • Marked as answer by Amit Tank Wednesday, July 22, 2009 7:57 AM
    Tuesday, July 21, 2009 10:51 AM
  • Everyone,

     Thank you very much for the detailed responses. It would seem that it is inadvisable to convert groups from security to distribution for the reasons noted above. I don't believe any of these groups have any permissions to resources (directories,etc), but the fact that this could cause MAPI permissions issues later on is enough to give me pause.
     I think we'll convert to security groups as you all advise, and leave things at that. Thanks Again!

    EDIT: Amit Tank - I was wondering what program you use on your blog to highlight and place boxes around text in your screenshots. It looks like something a bit more powerful than Paint. I'd be interested to know as your screenshots are nicely highlighted with the various boxes/etc. Thanks. :)


    Jason
    Tuesday, July 21, 2009 12:50 PM
  • I'm not sure what Amit uses, but Snagit is what most people I know use...

    www.snagit.com

    Mike Crowley  A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator

    Tuesday, July 21, 2009 4:23 PM
  • Yes Jason, I use SnagIt and FastStone Capture... :)

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com RSS

    Tuesday, July 21, 2009 4:33 PM
  • Mike,

     I bet that's it. My IT coworkers use it but I've never really looked at it. Too stubborn I guess! :) I'll have to check it out, thanks.


    Jason
    Tuesday, July 21, 2009 5:05 PM