Monday, January 19, 2015

Unable to grant a mail enabled security group permissions to a resource calendar in Exchange 2013

Problem

You would like to grant a distribution group configured in an Exchange 2013 organization permissions to a resource calendar:

… so you open up the properties of the group:

… and change the Group type from Distribution to Security:

You proceed to use the Add-MailboxFolderPermission cmdlet to add the group as a reviewer but receive the following error:

Add-MailboxFolderPermission "<ResourceMailBox>:\calendar" -User <SMTPofGroup> -AccessRights "Reviewer"

The user “<SMTPofGroup>” is either not valid SMTP address, or there is no matching information.

+ CategoryInfo: NotSpecified (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException

+ FullyQualifiedErrorId : [Server=<serverName>,RequestId=3ad24ea6-18c4-4abd-97da-f875f50790c5,TimeStamp=1/16/2015 2:04:35 PM] [FailureCategory=Cmdlet-InvalidExternalUserIdException] E4DC5802,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

+ PSComputerName : <serverName.FQDN>

Solution

There are actually a few reasons why the error message above would be thrown. The obvious ones are that the group isn’t a security group or, as the error message indicates, that the SMTP address specified is not valid. For the situation I encountered, it wasn’t as obvious until I tried opening the resource calendar’s properties and adding the group via the GUI, which was when I received the following error:

Microsoft Outlook

One or more users cannot be added to the folder access list.

Non-local users cannot be given rights on this server.

Seeing this error message immediately reminded me that because I had converted the group from distribution to security, I needed to set the group to restrict members from removing their membership with the following cmdlet:

Set-DistributionGroup -Identity <GroupName> -MemberDepartRestriction Closed

Once I successfully executed the cmdlet above, I was then able to add the group as a reviewer to the resource mailbox’s calendar.
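The checks and steps described above can be combined into one pre-flight script for the Exchange Management Shell; this is an added example, not code from the original post. The variable names are assumptions and the two placeholder values must be replaced with your own group and resource mailbox.

```powershell
# Added example. $GroupName and $ResourceMailbox are hypothetical variable
# names holding placeholders; substitute your own values before running.
$GroupName       = '<GroupName>'
$ResourceMailbox = '<ResourceMailBox>'

$group = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop

# 1. The group must be a mail-enabled security group, not a plain
#    distribution group, before it can hold folder permissions.
if ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "$GroupName is '$($group.RecipientTypeDetails)'; change its group type to Security first."
}

# 2. Members must not be able to remove themselves from the group.
#    This is the setting that was still open after the conversion in this post.
if ($group.MemberDepartRestriction -ne 'Closed') {
    Write-Host "MemberDepartRestriction is '$($group.MemberDepartRestriction)'; setting it to Closed."
    Set-DistributionGroup -Identity $GroupName -MemberDepartRestriction Closed -ErrorAction Stop
    $group = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
}

# 3. Grant Reviewer on the calendar folder, then read the folder ACL back
#    to confirm the group entry is present with the expected rights.
#    ${...} is required so the colon is not parsed as part of the variable name.
$folder = "${ResourceMailbox}:\Calendar"
Add-MailboxFolderPermission -Identity $folder `
    -User $group.PrimarySmtpAddress.ToString() `
    -AccessRights Reviewer -ErrorAction Stop

Get-MailboxFolderPermission -Identity $folder |
    Format-Table User, AccessRights -AutoSize
```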

5 comments:

Anonymous said...

Had same issue, this worked perfectly. I changed group to closed as specified and was able to add the security DL with permissions... thanks so much! Jeanne Sophia

Andy said...

I had the exact same issue, and it was driving me crazy. Now it's solved. Thank you for your post!

Ryan said...

Just ran into this issue and that solved it.
Where is the requirement to have Member Depart Restriction set to closed documented? I had never seen this before.

Thanks
Ryan

Anonymous said...

Thank you x 10!! This was so frustrating and your post had the only solution. Kudos to you.

Marcia

Shakil Ali said...

Thanks heaps for sharing your expertise - such a great help- well explained