Cannot read members of Global Group
I am writing a script to query all members of a number of groups (using the Get-Group cmdlet), then perform some Exchange tasks. I noticed that I could read all the members of certain groups, but for others, the membership property was null. Upon further investigation, I realized that the groups for which I could read the members were Universal groups, and the ones I could not read the members were Global groups.
I am assuming that the reason for this is that Exchange does not support groups other than Universal, but have not been able to confirm this. Can someone tell me if I am correct?
Assuming that is the case, can anyone suggest a workaround or alternate way to read these members? I was thinking about using ADSI in the script, but this is a bit cumbersome and was hoping someone knows a different way.
The Directory Services team would prefer not to convert these groups to Universal just to get this script to work.
Thanks,
Dan
November 19th, 2010 8:34am
Hi,
What version of Exchange are you using? On Exchange 2010, only Universal Groups are supported.
You may get null against a GC because IIRC group memberships aren't replicated to the GC.
Steve
Steve Goodman
November 19th, 2010 11:49am
On Fri, 19 Nov 2010 13:29:30 +0000, Dan DeStefano wrote:
>I am writing a script to query all members of a number of groups (using the Get-Group cmdlet), then perform some Exchange tasks. I noticed that I could read all the members of certain groups, but for others, the membership property was null. Upon further investigation, I realized that the groups for which I could read the members were Universal groups, and the ones I could not read the members were Global groups.
>
>I am assuming that the reason for this is that Exchange does not support groups other than Universal, but have not been able to confirm this. Can someone tell me if I am correct?
How many AD domains do you have?
The membership of groups with a universal scope is promoted to a local
GC and replicated across the AD forest. Groups with other scopes have
their membership promoted to the local GCs only in the AD domain where
they live.
This is the reason why you want mail-enabled groups to have a
universal scope. It's a problem when someone sends an e-mail to a
non-universal group that lives in an AD domain that isn't used by the
Exchange server that expands the group because nobody gets the
message!
>Assuming that is the case, can anyone suggest a workaround or alternate way to read these members? I was thinking about using ADSI in the script, but this is a bit cumbersome and was hoping someone knows a different way.
Get the distinguishedName from the group. Extract the AD domain from
the DN. Find a DC in that domain and put its name into the
"-domaincontroller" parameter on the get-group cmdlet. You can do it
all with just .Net -- no need for ADSI.
>The Directory Services team would prefer not to convert these groups to Universal just to get this script to work.
What's their objection to using a group with a universal scope?
---
Rich Matheisen
MCSE+I, Exchange MVP
November 19th, 2010 2:49pm
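The steps described in the reply above (take the group's distinguishedName, derive the AD domain from it, locate a DC in that domain, pass it to Get-Group's -DomainController parameter), as an added PowerShell example that is not part of the original thread. The function names and the sample DNs are assumptions made for illustration; it expects to run in the Exchange Management Shell with read access to the group's home domain.

```powershell
# Added example; Get-DomainFromDN and Get-GroupMembersViaHomeDomain are
# hypothetical helper names, not Exchange cmdlets.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainFromDN {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    # Split only on commas that are not backslash-escaped, so an RDN value
    # such as "CN=Sales\, EMEA" is not cut in half.
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),')
    # Keep the DC= components in order and join them into a DNS domain name.
    $labels = @($rdns | Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() })
    if ($labels.Count -eq 0) {
        throw "No DC= components found in '$DistinguishedName'"
    }
    $labels -join '.'
}

function Get-GroupMembersViaHomeDomain {
    param([Parameter(Mandatory=$true)][string]$Identity)
    # First lookup only needs the DN; Members may be empty at this point.
    $group  = Get-Group -Identity $Identity
    $domain = Get-DomainFromDN -DistinguishedName $group.DistinguishedName

    # Locate a domain controller in the group's own domain using .NET.
    $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext `
                -ArgumentList $type, $domain
    $dc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).
                FindDomainController().Name

    # Second lookup goes to that DC, which holds the Global group's members.
    (Get-Group -Identity $group.DistinguishedName -DomainController $dc).Members
}

# Constructed sample DNs to exercise the parsing step offline.
$sampleDNs = 'CN=Helpdesk,OU=Groups,DC=child,DC=example,DC=com',
             'CN=Sales\, EMEA,OU=Groups,DC=example,DC=com'
foreach ($dn in $sampleDNs) {
    '{0} -> {1}' -f $dn, (Get-DomainFromDN -DistinguishedName $dn)
}

# Usage in the Exchange Management Shell (group name is a placeholder):
# Get-GroupMembersViaHomeDomain -Identity 'PLACEHOLDER-GroupName'
```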
Additional info in the thread below:
Exchange 2007 DL Expansion fails
James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
November 21st, 2010 10:12pm