Exchange 2010 Unable to Assign Full Access Permissions using a Security Group
I've been running into this issue lately. I cannot seem to use groups to allow full access to mailboxes. When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...". After waiting a day and even restarting the Information Store service, the permissions do not take effect. When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed. When I grant a user full permission, it works and updates the attribute. However, on occasion when I revoke the full access permission for a user, it doesn't always remove that user from the msExchDelegateListLink attribute. So the mailbox will still appear in Outlook, but the user isn't able to see new emails. Any ideas on what may be going wrong?

Environment:
Exchange Server 2010 SP1 Standard
Windows Server 2008 R2 Standard
Outlook 2010 SP1 (tried without SP1 as well)

I was looking over Add-MailboxPermission on TechNet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups. Is this not possible?
July 6th, 2011 8:42am

This is just a guess, try mail-enabling the security group.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 6th, 2011 11:49am

Just tried that. I tried switching it to a universal group first which didn't work. This hasn't worked yet either. The group shows up when I run Get-MailboxPermission -identity "mailboxname" as it did before.
July 6th, 2011 3:32pm

That didn't appear to work even after a restart of the Information Store service. I even tried removing the group and adding it back. Still no luck. It does show up when running Get-MailboxPermission -identity "mailboxname". It just doesn't show up in Outlook. I've also tried deleting and recreating the Outlook profile. Any other ideas?
July 7th, 2011 7:29am

Hi wchar_t,

I tested in my lab (Exchange 2010 SP1) and got the same result as you. If you only want members (in this security group) to have full access permission on the mailbox, you can use this command to achieve the goal:

    # Grant FullAccess on "Usermailbox" to each current member of the group
    Get-DistributionGroupMember "Test Group" | ForEach-Object { Add-MailboxPermission "Usermailbox" -AccessRights FullAccess -User $_.Name }

Note: "Test Group" is a mail-enabled security group

Thanks,
Evan Liu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
July 7th, 2011 7:41am

I appreciate the PS script to get this done. Is there any reason groups shouldn't work? I had this issue prior to SP1 as well. I just didn't have a strong need like I do now. I really don't want to assign permissions by user as that isn't best practice. Thanks.
July 7th, 2011 7:44am

Since we have SA, I have opened a case with MS. But I'm still open to ideas from the forums. :)
July 7th, 2011 7:53am

Hi, I have experienced exactly the same issue at a client's site.

Exchange 2010 SP1 within a DAG
Windows Server 2008 R2 SP1
Outlook 2010

If I apply full access permission to a user, it works. If I apply full access permission to a security group, it never applies. Thanks for keeping us updated about your case.

Samir
July 7th, 2011 10:57am

I will definitely update this thread when I hear back from them. ~1 business day or so.
July 7th, 2011 10:59am

Hope MS will give you an answer :) Thanks!
July 7th, 2011 11:19am

Hi! Any update concerning the issue?
July 11th, 2011 6:12am

Heard back from MS, but nothing new to report. Made them aware of this thread and what has been tried already. I'll post back when I hear something from them
July 11th, 2011 7:37am

Any news?
July 14th, 2011 3:04am

Hi wchar_t, do you have any information now? I have the same issue: I can apply full access permission to a user, but not to a security group. Could you share your solution with us?

Thanks,
smart
July 18th, 2011 9:21pm

No news yet. The last suggestion was to add the mailbox to the "additional mailboxes" section in the mail profile. This failed as well with the error "Cannot expand the folder". Still waiting on a reply.
July 19th, 2011 8:56am

    Add-ADPermission -Identity "User Mailbox login account Name" -User "Universal security group" -AccessRights ReadProperty, WriteProperty -Properties "Personal Information"
    Get-Mailbox -Identity "User Mailbox Name" | Add-MailboxPermission -User "Universal security group" -AccessRights FullAccess

Can you try this?
July 19th, 2011 10:08am

This thread clearly points to a bug...
July 21st, 2011 7:51am

The MS rep I'm working with is finally able to reproduce the issue in his test environment. He has asked me to install Exchange 2010 RU4 for SP1. http://www.microsoft.com/download/en/details.aspx?id=26910 I haven't done this yet, so I'm not sure that it will fix anything. I didn't see this specific bug listed.
July 28th, 2011 7:17am

Hi,

Read this before you go for the SP1 RU4 update: http://blogs.technet.com/b/exchange/archive/2011/07/13/exchange-2010-sp1-ru4-removed-from-download-center.aspx

Don't install the version available now. An updated version will be released by Aug; try to install that.
July 28th, 2011 7:31am

Per MS support: I would like to explain that Exchange 2010 SP1 RU4 was re-released on 7/27. This updated release of Exchange 2010 SP1 Rollup 4 can be downloaded safely.
July 29th, 2011 7:47am

Yes. New rerelease happened yesterday for RU4, I get the information today from my friend :) you can proceed as MS tech informed
July 29th, 2011 8:20am

Installed RU4 v2 without any issues. The problem still exists as I suspected it would. Little frustrating playing email tag with MSFT support.
August 5th, 2011 9:30am

Thanks for the updates wchar_t! I have been experiencing the same issue and it's been driving me nuts. I'm surprised that there isn't more of an uproar over this problem, unless it only happens in very specific EX2010 setups?

Personally we migrated from Exchange 2003 to 2010 in this manner:
- All Servers are VMware ESX 3.5 Virtual Machines
- Upgraded all VMware ESX 3.5 hosts to VMware ESXi 4.1 update 1
- Created 2 new virtual W2K8R2 DC's, decommissioned our 2 virtual W2K3 DC's
- Created 1 new virtual EX2010 STD Server with CAS, HT, and MB roles.
- Migrated accounts from virtual EX2003 ENT to virtual EX2010 STD
- Virtual EX2003 is still running strictly for SMTP delivery as our developer updates his code for the new virtual EX2010 STD server

For anyone experiencing the problem are there any similarities in how you deployed EX2010?
August 12th, 2011 3:09pm

> Thanks for the updates wchar_t! I have been experiencing the same issue and it's been driving me nuts. I'm surprised that there isn't more of an uproar over this problem, unless it only happens in very specific EX2010 setups?

Our site is a fresh install. No migration at all. VMware 4.0/4.1. Not sure why more people aren't complaining unless they are just dealing with it. Last communication from MS wanted me to try:

    Add-ADPermission -Identity "Mailbox" -User "Security Group Name" -ExtendedRights Receive-As

I haven't done it yet.
August 12th, 2011 3:19pm

So I brought this issue up at my local Exchange Users group and no one else (out of 8 people) has the same problem; they also all run Exchange on a physical server. So I wonder if it's related to something as dumb as a virtual driver?
August 16th, 2011 7:55pm

I tried the last command MS sent me. It didn't work either. It also broke OWA for the test account I was using. Not really sure why it would matter (physical vs virtual). But who knows at this point. It's definitely annoying.
August 17th, 2011 8:27am

I've had this EXACT same issue since we migrated from Exchange 2003 to 2010. I can grant users full mailbox access to a mailbox but when I try to add a security group the member of the group is unable to open the mailbox as an additional mailbox in their Outlook profile. I did discover, that if I had a member of the security group create a new mail profile and connect to the vanity mailbox, they could open it. Out of curiosity I had the member go to their default Outlook profile and add the vanity mailbox as an additional mailbox, VOILA! they were able to open it. Not what I'd call a viable workaround, especially if you have a multitude of members in that security group. I'll be monitoring this board anxiously waiting for a solution.
August 25th, 2011 4:28pm

@Bugeater Fan, that actually worked for my account. Before I wiped my local Outlook profile I had this issue; after troubleshooting another issue and wiping/rebuilding my profile I can now access mailboxes that I couldn't before via a security group.

A few things I noticed:
1. If I was already part of a security group that had access to an email box, that ability stayed after the upgrade to EX2010
2. If I created a new security group for a new mail box after our upgrade to EX2010 I had the issue.

I plan to test the following with a user still having the issue:
1. Before rebuilding the Outlook profile
   a. Add this user to a security group that has access to a mail box where both were created BEFORE our EX2010 upgrade (created in EX200). Does this issue still occur?
   b. Add this user to a security group that has access to a mail box where both were created AFTER our EX2010 upgrade (created in EX200). Does the issue still occur?
2. Wipe and rebuild the local Outlook profile and then test again.

I'm wondering if there is something in the local profile that is missing if it isn't rebuilt after an EX2003 to EX2010 upgrade…

@wchar_t, any news on your end?
September 6th, 2011 2:37pm

> @wchar_t, any news on your end?

Nothing on my end. Just sent off another email asking for a status update. I normally don't hear back until ~3am the next day. I'll let you know what I hear.
September 6th, 2011 2:40pm

wchar_t, Can you comment the case id you have open with Microsoft? As I am seeing the identical issue I'll see what leverage I can use to escalate the issue. Helps if I can give them the existing case id for them to review.
September 9th, 2011 2:20pm

It was implied that the issue may be with virtual servers. It is not.. Currently all of my exchange servers are physical. I'm also having an issue with giving groups full access permissions on mailboxes.
September 12th, 2011 12:28pm

As an update, here is what is happening in my environment through testing:

If a new group is created in the EMC (which makes Universal groups) and that group is used to give full access permissions to a mailbox (created pre or post upgrade), the users in the group will eventually get access to the mailbox but it might take a few days. (Created the group on Thursday and it didn't work immediately or on Friday; when I tried on Monday it did work.)

Mailboxes that worked before the upgrade from 2003 to 2010 still work with the original groups. These groups are Global and not Universal groups, so they do not show up in the EMC under Recipient Configuration -> Distribution Group but do show up when you use the EMC to add full mailbox permissions. New members added to these groups do not have immediate access, but after 30 minutes they do.

So, I'm wondering if this is an issue with how universal groups are handled in EX2010? Maybe we all have a setting in our Global Catalog servers that only Exchange 2010 is sensitive to? I currently have a single domain with two DCs; they both are Global Catalog servers but one DC holds all of the FSMO roles. And when I run Get-ADServerSettings | FL I see that my EX2010 server is pointing to my secondary DC. I'm going to try changing that to my primary and see if that helps it process Universal group memberships quicker.
September 12th, 2011 1:26pm

I'm also quite interested in this. However, my situation would take it even a step further:

User is a member of a RoleGroup
RoleGroup is a member of MailboxPermissionGroup

The MailboxPermissionGroup is what I'd like to give:

    -ExtendedRight 'Send-As','Receive-As'
    -AccessRights FullAccess

...and also have the group given full access end up in the msExchDelegateListLink attribute of the mailbox... which should happen when given fullaccess. Nothing I do other than granting that permission to an account (not at all preferred) works.

Ian
September 24th, 2011 12:41pm

This may be a bug, even with the latest rollup. It is similar to this: if you try to give the send-as permission to a DL via EMS on an Exchange server other than the one you created the DL on, it will fail, because the local Exchange server is the owner and not the Exchange Servers group. Similarly, if you create a DL in ADUC, it will fail because the domain admins are the owners and not the Exchange Servers group. The workaround for these is to give the Exchange Servers group modify permission. I will find out about this next week.

Sukh
September 24th, 2011 6:02pm

hello same issue here, migrating from ex2003, domain 2008, ex2010 sp1 giving a AD security group Full Access to a mailbox will not give user the access..
September 26th, 2011 3:33am

Just wanted to post a quick status update. I'm working with Exchange support (a different tier) now to find the cause of the issue. So far he hasn't been able to reproduce it. I just sent off more data to him last week. I should hear back fairly soon. I'll post back with what I find.
September 26th, 2011 8:13am

I am also having this problem; I'm using a Native 2008 R2 SP1 Domain, Exchange 2010 SP1 RU3, and Office 2010 (both SP1 and non SP). The domain originally had Exchange 2003, which was upgraded to Exchange 2007, and then Exchange 2010 8 months ago.
September 27th, 2011 6:56am

Finally got around to testing some more on my end and here's what I found:
- Granting full access permissions to universal groups (created through the EMC in 2010) on a mailbox works but only after 12-24 hours
- Even after a group has access any new members will need 12-24 hours to be recognized

So I'm guessing that in my Active Directory, for some reason, Universal Groups are painfully slow to update individual accounts as group members. Now I know Universal groups usually only replicate groups as members and not users, but since my AD is flat (1 domain, 2 DCs) I'm not sure why I'm having such a hard time pulling user accounts as group members. I did try switching the domain controller my Exchange server pointed to but that didn't help with the issue. Can anyone else confirm if the issue is due to slow Universal group replication in their environment?
October 5th, 2011 2:34pm

Vox Medica, You can expedite the process by restarting the Information Store service.
October 5th, 2011 2:48pm

Won't that disconnect everyone from their mailbox? We run our Outlook clients in cached mode, so I assume our users would just see a message stating that connection to the mail server has been lost.
October 5th, 2011 3:01pm

> Won't that disconnect everyone from their mailbox? We run our Outlook clients in cached mode, so I assume our users would just see a message stating that connection to the mail server has been lost.

Yes it will. So I'd advise not doing that during working hours. ;)
October 5th, 2011 3:10pm

I can say for my organization that applying full permission to a group gives members of that group full permission right away. What doesn't work for me is the members of that group being added to the autoopen list for the mailbox.

I've taken to setting the group I want to give full permission on custom attribute 5:

    Set-Mailbox $samaccountname -CustomAttribute5 (Get-QADGroup $permissiongroup).dn

Then this function runs every 10 minutes as a scheduled task to set the members of that group in the auto-open field:

    function Set-SharedMailboxAutoOpen {
        $SharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox
        foreach ($SharedMailbox in $SharedMailboxes) {
            # Skip mailboxes with no permission group recorded in CustomAttribute5,
            # otherwise their existing auto-open list would be cleared
            if (-not $SharedMailbox.CustomAttribute5) { continue }
            # DNs of all direct and nested user members of the permission group
            $PermissionGroupMemberDNs = (Get-QADGroupMember -Indirect -Type user -Identity $($SharedMailbox.CustomAttribute5) | %{ $_.dn })
            # Overwrite the auto-open list with the current group membership
            Set-QADUser $SharedMailbox.samaccountname -ObjectAttributes @{msExchDelegateListLink=$PermissionGroupMemberDNs}
        }
    }
    Set-SharedMailboxAutoOpen

This works 100% of the time, but it's silly that it's necessary. This should just work.

Ian
October 5th, 2011 3:11pm

Hi, I use security groups a lot when assigning permissions to Shared Mailboxes and I have never had any problems with that. I must ask: after you added the users to the group, did they log off/on before they tried to add the Shared Mailbox as an additional one? (Just restarting Outlook will not work.) If not, that would really explain why it takes time before the new permissions take effect (TGT not updated = Ticket Granted Ticket).
Martina Miskovic - http://www.nic2012.com/
October 5th, 2011 3:21pm

> Hi, I use security groups a lot when assigning permissions to Shared Mailboxes and I have never had any problems with that. I must ask: after you added the users to the group, did they log off/on before they tried to add the Shared Mailbox as an additional one? (Just restarting Outlook will not work.) If not, that would really explain why it takes time before the new permissions take effect (TGT not updated = Ticket Granted Ticket).
> Martina Miskovic - http://www.nic2012.com/

Yes I have. I've also tried accessing the other mailbox via OWA without any luck.
October 5th, 2011 3:23pm

Ok, good (because I see this a lot when users are not informed to log off and then back on again on their computers and not just close and open Outlook). I hope you find a solution to your problem!
Martina Miskovic - http://www.nic2012.com/
October 5th, 2011 3:26pm

Martina_Miskovic, to confirm with wchar_t, I've tried restarting Outlook, restarting the PC, rebuilding the Outlook profile, and trying to access from Outlook 2011 (which uses EWS). All with no luck. In the meantime, whenever the need arises I give the group and its individual members full mailbox access and then remove the individual accounts 24 hours later.

On a side note, I always wondered why, when the groups do finally kick in, they never auto-add the mailbox to the user's Outlook file tree. I'll have to look into what imbruck2 posted if, once this issue is resolved, they still don't auto-add.
October 5th, 2011 3:34pm

Hi Vox Medica, Auto-Mapping only works when giving fullmailboxaccess to users and not when security groups are used, so that is expected.
Martina Miskovic - http://www.nic2012.com/
October 5th, 2011 3:39pm

> Hi Vox Medica, Auto-Mapping only works when giving fullmailboxaccess to users and not when security groups are used, so that is expected.
> Martina Miskovic - http://www.nic2012.com/

From what MS support has said so far, that's not correct. Autodiscovery should work when using groups as well.
October 5th, 2011 3:41pm

Did MS Support really say that Auto-Mapping would work when giving groups fullmailboxpermission? In my experience, that is not true.
Martina Miskovic - http://www.nic2012.com/
October 5th, 2011 3:46pm

Hi Guys,

I'm also seeing the same problems.

I created an AD Security group called "test", and this is a security/Universal group. I added my normal user account to this group.

I created a shared mailbox on my Exchange 2010 SP1 UR5 Org (all Exchange servers on 2010 SP1 UR5) using the New-Mailbox cmdlet with "-shared" and then gave the security group Full Access permission through the Exchange Console GUI (not via PS).

24 hours later, on a Windows 7 Enterprise x64 SP1 machine with Office 2010 SP1 x86 installed, I'm not getting the additional mailbox self-populating at all. The msExchDelegateList is also empty.

If I add myself directly to a mailbox with Full Access Permissions, the mailbox suddenly appears in my Outlook (no restart of Outlook required).

Something is not quite right with reading the groups. Maybe enable Universal caching on the GCs?

Thanks
Andy
October 6th, 2011 9:05am

Andy, that's what I was thinking of trying next even though that option is meant to address replication issues across slow links between Active Directory Sites. Which makes me believe there is either some odd flaw in how Universal Groups are handled in EX2010 or some misconfiguration issue with all our Global Catalog servers.
October 6th, 2011 12:35pm

On Thu, 6 Oct 2011 16:35:03 +0000, Vox Medica wrote:
>Andy, that's what I was thinking of trying next even though that option is meant to address replication issues across slow links between Active Directory Sites. Which makes me believe there is either some odd flaw in how Universal Groups are handled in EX2010 or some misconfiguration issue with all our Global Catalog servers.

Exchange (any release after 5.5) has nothing to do with groups other than to update properties. The AD is responsible for replication.

--- Rich Matheisen MCSE+I, Exchange MVP
October 6th, 2011 5:50pm

> Exchange (any release after 5.5) has nothing to do with groups other than to update properties. The AD is responsible for replication.
> --- Rich Matheisen MCSE+I, Exchange MVP

The only reason I mention EX2010 is that previous versions of Exchange didn't require Universal groups and we didn't have the issue until we moved from EX2003 to EX2010. Granted we moved our AD from 2003 to 2008 R2 first but we were still able to assign permissions to mailboxes via Global groups in EX2003 fairly quickly.
October 6th, 2011 5:58pm

On Thu, 6 Oct 2011 21:58:16 +0000, Vox Medica wrote:
[ snip ]
>The only reason I mention EX2010 is that previous versions of Exchange didn't require Universal groups and we didn't have the issue until we moved from EX2003 to EX2010.

Although it wasn't _required_ in releases earlier than 2007 (not 2010) the use of groups with global or local scopes caused problems.

>Granted we moved our AD from 2003 to 2008 R2 first but we were still able to assign permissions to mailboxes via Global groups in EX2003 fairly quickly.

For group membership to work as people expect, the membership of a group must appear in the GCs of all domains in the forest. The only group scope that works that way is "universal". Other scopes replicate the group membership only in the DCs in the same domain. That AD behavior results in inconsistent behavior across domains.

--- Rich Matheisen MCSE+I, Exchange MVP
October 6th, 2011 9:26pm

> For group membership to work as people expect, the membership of a group must appear in the GCs of all domains in the forest. The only group scope that works that way is "universal". Other scopes replicate the group membership only in the DCs in the same domain. That AD behavior results in inconsistent behavior across domains.
> --- Rich Matheisen MCSE+I, Exchange MVP

That's what's bugging me, I have one domain with 2 DC's. Shouldn't universal groups be replicated already, especially when Exchange 2010 is pointing to the DC holding all my FSMO roles?
October 7th, 2011 7:38am

What Domain and Function Level is everyone running at? Specifically I wonder if those working have AD set to 2008 or 2008 R2 vs 2003 Native?

Edit added: It is possible to alter how Universal Groups cache on the DCs; however, given that restarting the InfoStore seems to have an effect, I wonder at its polling time against changes on the GC. Anyone know if there is an attribute to affect this?
October 7th, 2011 12:44pm

I'm still at 2003 native due to some internally developed software still using our Exchange 2003 server and one of our SQL 2000 servers. Once those applications are updated and working I plan to raise our AD to 2008 R2 native.
October 7th, 2011 1:04pm

I should have mentioned I'm on 2003 Native as well, planning on flipping the flags in 2-3 weeks to 2008R2 Native.
October 7th, 2011 1:06pm

On Fri, 7 Oct 2011 11:38:48 +0000, Vox Medica wrote:
>>For group membership to work as people expect, the membership of a group must appear in the GCs of all domains in the forest. The only group scope that works that way is "universal". Other scopes replicate the group membership only in the DCs in the same domain. That AD behavior results in inconsistent behavior across domains.
>>--- Rich Matheisen MCSE+I, Exchange MVP
>That's what's bugging me, I have one domain with 2 DC's.

And both of those DCs are in the same AD forest?

>Shouldn't universal groups be replicated already,

That's easy enough to verify. Use ADUC and connect to each DC in turn. Do you see the same results when you look at the properties of the group? Next, use LDP.exe and connect to each of the GCs (port 3268). Do you see the same results? If you don't see the same thing in both DCs and GCs then you have a problem with AD replication, not with Exchange.

>especially when Exchange 2010 is pointing to the DC holding all my FSMO roles?

FSMO roles mean nothing in this context.

--- Rich Matheisen MCSE+I, Exchange MVP
October 7th, 2011 5:42pm

Ok Guys, let's bring this back into context of the real issue here.

So this is what I did on Friday (7th October 2011) before I went home:

- In ADUC I created a new group. This was a Security Universal Group called "Test1". I stuck myself in this.
- In ADUC I created another group. This was a Distribution Universal Group called "Test2". I stuck myself in this.
- I created 2 "Shared" mailboxes from EMS with the "-shared" parameter. They created fine: SharedMBX1 and SharedMBX2.
- In SharedMBX1 I granted my Security Universal Group "Test1" Full Mailbox access using the EMC GUI. I did not add Send As rights to the same group.
- In SharedMBX2 I granted my Distribution Universal Group "Test2" Full Mailbox access using the EMC GUI. I did not add Send As rights to the same group.
- I left for the weekend.

On coming back I rebooted my machine (Windows 7 Enterprise X64 SP1 with Office 2010 x86 SP1) and opened Outlook. NEITHER mailbox was auto-listed, even after a few hours.

I checked the following attributes of both the Shared Mailboxes I created:

msExchDelegateListBL
msExchDelegateListLink

Both were still empty. I verified no AD replication issues. Again, running Exchange 2010 SP1 with UR5 across all our Exchange 2010 servers.

I'm 99.9% sure this is a bug. I saw this in Exchange 2007 too.

Cheers
Andy

p.s. Found this link: http://ibenna.wordpress.com/2011/09/12/automapping-to-a-group/ While it states that Automapping doesn't work (as we are experiencing) it says you should be able to add the mailbox as an "Additional Mailbox" and it should work. For me, that doesn't work either. I get "Cannot expand the folder".

A.
October 11th, 2011 6:31am

You've found exactly what I have. Customers can manually open a mailbox the old way after being given full permission, but it won't auto-open. I too think this should automatically work, but the fact remains that it won't.

*I'll note that I use Quest Active Directory (QAD) commandlets in my examples. If you run these, you'll need to make sure you have them installed and in memory.

You have a mailbox with a samaccountname of: "mailbox_xyz"
You have a security group with a samaccountname of: "mailbox_xyz_fullpermission", which is not mail-enabled.
Customers (or their nested role groups) are a member of: "mailbox_xyz_fullpermission"

I've taken to setting the group I want to give full permission on custom attribute 5 so that I can reference it later when adding its members to the auto-open list (customers won't need to log off/on for this to work since it's not AD based):

    $samaccountname = "mailbox_xyz"
    $permissiongroup = "mailbox_xyz_fullpermission"
    Set-Mailbox $samaccountname -CustomAttribute5 (Get-QADGroup $permissiongroup).dn

If you want the accounts in the permission group to "send as" the mailbox, you also run this line (customers will need to log off/on after this permission is given since it's AD based):

    Add-QADPermission -Identity $samaccountname -Account $permissiongroup -ExtendedRight 'Send-As','Receive-As' -ApplyTo 'ThisObjectOnly'

I run this function every 10 minutes as a scheduled task on a server to set the members of that group in the auto-open field. If you remove anyone from the group, it will remove them from the auto-open list. This becomes effective the next time a given customer opens MS Outlook (customers won't need to log off/on for this to work since it's not AD based):

    function Set-SharedMailboxAutoOpen {
        $SharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox
        foreach ($SharedMailbox in $SharedMailboxes) {
            # Skip mailboxes with no permission group recorded in CustomAttribute5,
            # otherwise their existing auto-open list would be cleared
            if (-not $SharedMailbox.CustomAttribute5) { continue }
            # DNs of all direct and nested user members of the permission group
            $PermissionGroupMemberDNs = (Get-QADGroupMember -Indirect -Type user -Identity $($SharedMailbox.CustomAttribute5) | %{ $_.dn })
            # Overwrite the auto-open list with the current group membership
            Set-QADUser $SharedMailbox.samaccountname -ObjectAttributes @{msExchDelegateListLink=$PermissionGroupMemberDNs}
        }
    }
    Set-SharedMailboxAutoOpen

This works 100% of the time, but it's silly that it's necessary. This should just work.

Ian
October 11th, 2011 9:57am
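
An added example, not part of any post in this thread: a read-only audit that compares a mailbox's msExchDelegateListLink attribute with the principals that actually hold FullAccess, so it reports both the stale links described in the first post (mailbox still listed in Outlook after access was revoked) and group members who have access but are not auto-mapped. It assumes the Exchange Management Shell plus the Microsoft ActiveDirectory module rather than the Quest cmdlets used above, and the function name Get-DelegateLinkDrift is hypothetical.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in AD or Exchange.
# Assumes: Exchange Management Shell session and the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-DelegateLinkDrift {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Mailbox   # any mailbox identity, e.g. "SharedMBX1" from the test above
    )

    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

    # Explicit allow entries that carry FullAccess (skip inherited, deny and SELF).
    $aces = Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            ($_.AccessRights -like '*FullAccess*') -and
            ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
        }

    # Expand every trustee to user DNs and remember how the access is granted.
    $effective = @{}
    foreach ($ace in $aces) {
        $sam = $ace.User.ToString().Split('\')[-1]
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
        if (-not $obj) { continue }   # unresolved SID or foreign principal

        if ($obj.ObjectClass -eq 'group') {
            # -Recursive flattens nested groups (the RoleGroup-in-group case above).
            Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    if (-not $effective.ContainsKey($_.distinguishedName)) {
                        $effective[$_.distinguishedName] = "via group $sam"
                    }
                }
        } else {
            $effective[$obj.DistinguishedName] = 'direct'
        }
    }

    # DNs currently stored in the auto-mapping attribute of the mailbox account.
    $adUser = Get-ADUser -Identity $mbx.DistinguishedName -Properties msExchDelegateListLink
    $linked = @($adUser.msExchDelegateListLink | Where-Object { $_ })

    # Linked but no longer entitled: Outlook still shows the mailbox, access fails.
    foreach ($dn in $linked) {
        if (-not $effective.ContainsKey($dn)) {
            New-Object PSObject -Property @{
                Mailbox   = $mbx.Name
                Principal = $dn
                Finding   = 'StaleLink'
                Detail    = 'in msExchDelegateListLink without FullAccess'
            }
        }
    }

    # Entitled but not linked: access works, mailbox is not auto-mapped.
    foreach ($dn in $effective.Keys) {
        if ($linked -notcontains $dn) {
            New-Object PSObject -Property @{
                Mailbox   = $mbx.Name
                Principal = $dn
                Finding   = 'NotAutoMapped'
                Detail    = "FullAccess ($($effective[$dn])) but not in msExchDelegateListLink"
            }
        }
    }
}

# Review every shared mailbox in the organization.
Get-Mailbox -RecipientTypeDetails SharedMailbox |
    ForEach-Object { Get-DelegateLinkDrift -Mailbox $_.DistinguishedName } |
    Format-Table Mailbox, Finding, Principal, Detail -AutoSize
```

StaleLink rows are the ones worth acting on in an access review; NotAutoMapped rows for group members match the behaviour reported throughout this thread.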

> I'm 99.9% sure this is a bug. I saw this in Exchange 2007 too.
> ...
> p.s. Found this link: http://ibenna.wordpress.com/2011/09/12/automapping-to-a-group/ While it states that Automapping doesn't work (as we are experiencing) it says you should be able to add the mailbox as an "Additional Mailbox" and it should work. For me, that doesn't work either. I get "Cannot expand the folder"

I didn't have 2007 prior so I wasn't sure if this existed there or not. And you are correct on the additional mailbox option. I get the same error. Happens in OWA as well.

imbruck2, I only unmarked the solution you proposed because it doesn't actually fix the issue. It is a good workaround and will be helpful until MS decides to really look into this. I just sent off another email to tech support.
October 11th, 2011 10:15am

I agree with you. Previously I was able to assign a Security Group full access to an Exchange mailbox. That was before I migrated all mailboxes from SBS2008 (which is Exchange 2007) to Exchange 2010 SP1. Today I was creating a similar proxy mailbox and wanted to assign a Security Group, but it cannot be done through EMC.
October 13th, 2011 4:56am

@Rich Matheisen
Universal Groups and group members show up on both DCs immediately after creation, and both DCs are in the same forest and domain. I tried using LDP but wasn't sure what to look for, but the initial query gave similar results when used against both DCs.

@Everyone else
To further isolate the issue to EX2010 I created 3 test groups:
01 - Universal group with my account as a member
02 - Global group with my account as a member
03 - Universal group containing a Global Group I belong to

For all three groups I verified that they appeared on both of my DCs after creation. I created group 01 on my first DC and the other two on my 2nd DC. All groups appeared instantaneously on both DCs after creation.

I then, one by one, assigned each group access permissions to a share on one of my file servers.
- Both Universal groups (01 and 03) required a log off/log on before I could access the share on the PC I tested on. Once they worked, any other PC I was logged into still couldn't access it unless I logged off. I read somewhere in my research that Universal groups membership is only once at login by the PC and this appears to be the case.
- The Global group worked within a few minutes of being created.

I then tried assigning the two Universal groups full access to a mailbox I did not have prior access to and then tried to open the mailbox through Outlook 2007. Each time I encountered the same error we have all been dealing with. Just for kicks I gave each a 2nd try after logging in and out but the result was the same.

So I think we can rule out issues with everyone's Global Catalog servers, seeing that in my testing our file servers handled Universal group membership just fine. So I wonder if Exchange is exhibiting the same behavior as my desktops, that is, not processing the group membership until a login event or 24 hours later. I'm going to keep my one PC logged in to see if the Universal group is recognized by it 12-24 hours later.
October 13th, 2011 4:56pm

Did you manage to get this one sorted? I am having the same issues (though not really interested in the auto mapping feature). All I am trying to do is nest a few security groups within another security group and apply that group with full mailbox access to the mailbox. Any users that are members of the nested security groups (all Universal) cannot access the mailbox when added into Outlook as an additional mailbox. Giving a user exclusive full access to the mailbox works with no problems! We are running Exchange 2010 SP1 RU5 in coexistence with Exchange 2003.
November 17th, 2011 11:30am

Same problem here. Able to view the mailbox using the security group membership but not send-as. We are on SP1 RU6. Surely there is a solution to this by now.
December 2nd, 2011 5:45am

Apparently RU5 was supposed to resolve this issue. This is a major booboo from Microsoft, and there is no mention of it in SP2 :(
December 2nd, 2011 6:55am

We have noticed that legacy permissions seem to work: mailboxes that had the permissions set before the environment was upgraded from 2007 to 2010 are fully functional. New ones, however, only allow view, not send-as.
December 2nd, 2011 9:37am

Hi all, an update in regards to our problems with nested groups. After applying RU6 on to all MB\CAS\Hub servers, our nested groups now seem to be working OK. We have done extensive testing over the last few days and all seems to be OK (though still not removing the DelegateListLink ADSI attribute!). Although the fix is not listed in the RU6 issues list, I suspect MS have sneaked it in, as the RU5 update was supposed to fix this and never did! Hope this info helps you all out.
December 7th, 2011 5:54am
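
The leftover msExchDelegateListLink entries mentioned in the post above can be listed with a read-only check like the following, an added example that is not part of the thread. It assumes the Exchange Management Shell with the ActiveDirectory module available and a single AD domain; `$Mailbox` is a placeholder identity.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
# Assumes one AD domain, so a trustee can be matched on the account
# name that follows "DOMAIN\" in Get-MailboxPermission output.
param([Parameter(Mandatory = $true)][string]$Mailbox)   # placeholder identity

Import-Module ActiveDirectory

$mbx = Get-Mailbox -Identity $Mailbox

# Account names that hold an explicit, non-deny FullAccess entry.
$direct = @(
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            ($_.AccessRights -match 'FullAccess')
        } |
        ForEach-Object { ($_.User.ToString() -split '\\')[-1] }
)

# Delegates recorded on the mailbox account (the list Outlook auto-maps from).
$adUser = Get-ADUser -Identity $mbx.DistinguishedName -Properties msExchDelegateListLink
$linked = @($adUser.msExchDelegateListLink | Where-Object { $_ })

foreach ($dn in $linked) {
    $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
    # A link with no matching FullAccess entry is the state described in the
    # thread: the mailbox still shows up in Outlook after access was revoked.
    $status = if ($direct -contains $obj.sAMAccountName) { 'HasFullAccess' } else { 'StaleLink' }
    New-Object PSObject -Property @{
        Mailbox  = $mbx.Alias
        Delegate = $obj.sAMAccountName
        DN       = $dn
        Status   = $status
    }
}
```

Rows with Status `StaleLink` are delegates that remain in the attribute without a direct FullAccess entry; access granted only through a group never appears in this attribute, so such users are not listed at all.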

> Hi all, an update in regards to our problems with nested groups. After applying RU6 on to all MB\CAS\Hub servers, our nested groups now seem to be working OK. We have done extensive testing over the last few days and all seems to be OK (though still not removing the DelegateListLink ADSI attribute!). Although the fix is not listed in the RU6 issues list, I suspect MS have sneaked it in, as the RU5 update was supposed to fix this and never did! Hope this info helps you all out.

I have RU6 waiting to deploy. Hopefully it fixes it. From what the Exchange engineer I talked to said, they don't publish all fixes in RU or SP. So it could very well be in there and just not made public.
January 5th, 2012 8:32am

We recently applied EX2010 SP2 over the weekend and in our environment the issue still remains.
January 6th, 2012 2:35pm

I too continue to have this issue... has anyone heard anything further from MS? -DEMPC
January 30th, 2012 4:43pm

> I have RU6 waiting to deploy. Hopefully it fixes it. From what the Exchange engineer I talked to said, they don't publish all fixes in RU or SP. So it could very well be in there and just not made public.

Did this fix the issue for you in the end? We are having the same issue with nested groups and are currently on SP1. Thanks
February 24th, 2012 11:39am

I have SP2 installed and it is still not working for me... FYI-DEMPC
February 24th, 2012 11:48am

Looking over the KB for SP2 RU1, it doesn't look like the issue was addressed http://support.microsoft.com/kb/2645995
February 24th, 2012 11:56am

>> I have RU6 waiting to deploy. Hopefully it fixes it. From what the Exchange engineer I talked to said, they don't publish all fixes in RU or SP. So it could very well be in there and just not made public.

> Did this fix the issue for you in the end? We are having the same issue with nested groups and are currently on SP1. Thanks

Actually, it has so far. I haven't had issues adding them to an Outlook profile or opening via OWA. I will say that permissions take a bit to take effect sometimes.

Just a quick note. Outlook will not automatically add mailboxes unless you assign permissions with the user account. Outlook does not attempt to expand groups looking for users. That said, I wonder if nested groups are supported at all? I haven't tried them out yet.
February 24th, 2012 12:25pm

> Just a quick note. Outlook will not automatically add mailboxes unless you assign permissions with the user account. Outlook does not attempt to expand groups looking for users. That said, I wonder if nested groups are supported at all? I haven't tried them out yet.

That's precisely the functionality that I am looking for. I want to be able to grant a group full access permission to the mailbox rather than assigning each user full access permissions.
-DEMPC
February 24th, 2012 12:40pm

@ DEMPC, you can pull that off with some PowerShell scripting. imbruck2 has posted a way to do so earlier in the thread. I tested it and it works as advertised, but it is a little cumbersome to resort to such a method.

@ wchat_t, so it is working for you? I still have to wait around 24 hours in my environment. Are you seeing a much quicker turnaround time now?
February 24th, 2012 12:47pm

> @ wchat_t, so it is working for you? I still have to wait around 24 hours in my environment. Are you seeing a much quicker turnaround time now?

Hate to say it, but it depends. Sometimes it's quick. Other times I have to wait a day. Same with removing permissions.

Not to muddy the waters any, but I found another bug. If you add a user and a group with full access to a mailbox and that user happens to be in the group as well, Outlook doesn't like it. It caused rule issues and "cannot expand folder" errors. Granted, it was my fault for having both there, but you'd think it wouldn't matter.
February 24th, 2012 12:55pm

> @ DEMPC, you can pull that off with some PowerShell scripting. imbruck2 has posted a way to do so earlier in the thread. I tested it and it works as advertised, but it is a little cumbersome to resort to such a method.
>
> @ wchat_t, so it is working for you? I still have to wait around 24 hours in my environment. Are you seeing a much quicker turnaround time now?

Agreed, cumbersome indeed. Do you think this functionality will ever exist in future updates?
-DEMPC
February 29th, 2012 10:53am

Looking at the timing of the issue, perhaps it is related to OAB generation and updates on the Outlook client. Are the folks having the issue using Cached mode on Outlook? What happens if you disable cached mode?
March 22nd, 2012 8:30pm

We have noticed the issue with both cached and uncached Outlook 2007/2010 clients. I think the issue is due to the replication of universal groups memberships as opposed to offline address book generations. Good thinking though!
March 23rd, 2012 1:13pm

I'm having the same issue, did you ever get a resolution from Microsoft?
george
April 27th, 2012 11:14am

Hi, I had similar issues and found the solution here: http://blogs.msdn.com/b/pepeedu/archive/2010/08/26/how-to-upgrade-a-universal-distribution-group-to-a-universal-security-group.aspx

Solution without explanation:

1) try: set-distributiongroup -identity <alias of your group>
If "nothing" happens (command accepted without feedback) or you get some yellow lines that nothing has been changed, you are finished. This can run into an error: Members cant remove themselves from security groups. Please set the group to Closed for requests to leave.
2) Do so: set-distributiongroup -identity <alias of your group> -memberdepartrestriction closed
3) try 1) again

You should be able to add the group to calendar permissions now, give full access or use it in a similar way. Also the "red deny" symbol in address lists should be gone. All groups with this symbol may have the same problem.

Good luck
Frank
May 21st, 2012 8:00am

This topic is archived. No further replies will be accepted.
