Monday, January 19, 2015

Unable to grant a mail enabled security group permissions to a resource calendar in Exchange 2013


You would like to grant a distribution group configured in an Exchange 2013 organization permissions to a resource calendar:


… so you open up the properties of the group:


… and change the Group type from Distribution to Security:


You proceed to use the Add-MailboxFolderPermissions cmdlet to add the distribution group as a reviewer but receive the following error:

Add-MailboxFolderPermission “<ResourceMailBox>:\calendar” -user <SMTPofGroup> -accessrights “Reviewer”

The user “<SMTPofGroup>” is either not valid SMTP address, or there is no matching information.

+ CategoryInfo: NotSpecified (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException

+ FullyQualifiedErrorId : [Server=<serverName>,RequestId=3ad24ea6-18c4-4abd-97da-f875f50790c5,TimeStamp=1/16/2015 2:04:35 PM] [FailureCategory=Cmdlet-InvalidExternalUserIdException] E4DC5802,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

+ PSComputerName : <serverName.FQDN>



There are actually a few reasons why the error message above would be thrown and the obvious one is if the group isn’t a security group or, as the error message indicates, the SMTP address specified is not valid but for the situation I encountered, it wasn’t as obvious until I tried opening the resource calendar’s properties and add it via the GUI which was when I received the following error:

Microsoft Outlook

One or more users cannot be added to the folder access list.

Non-local users cannot be given rights on this server.


Seeing this error message immediately reminded me that because I had converted the group from distribution to security, I needed to set the group to restrict members from removing their membership with the following cmdlet:

Set-Distributiongroup -identity <GroupName> -MemberDepartRestriction Closed


Once I successfully executed the cmdlet above, I was then able to add the group as a reviewer to the resource mailbox’s calendar:



Anonymous said...

Had same issue, this worked perfectly I changed group to closed as specified and ws able to add the security DL with permissions. . . thanks so much! Jeanne Sophia

Andy said...

I had the exact same issue, and it was driving me crazy. Now it's solved. Thank you for your post!

Ryan said...

Just ran into this issue and that solved it.
Where is the requirement to have Member Depart Restriction set to closed documented? I had never seen this before.


Anonymous said...

Thank you x 10!! This was so frustrating and your post had the only solution. Kudos to you.


Shakil Ali said...

Thanks heaps for sharing your expertise - such a great help- well explained

Anonymous said...

This helped me too. The interesting part about it is, that "closed" was set already.
However I executed the command. Normally exchange warns you, that the command was completed successfully but no changes were made. Not in this case!
It was "closed" before, it is "closed" now, but somehow i can execute my "add-mailboxfolderpermission"-command ...

Are there two states of "closed"?