Bulk Converting Global Groups to Universal and Mail Enabling

We have started trying to better organise our groups into a more role based system, so that membership of one group is based on a role rather than a person. That way if the person holding a position changes (holiday, retirement, etc) we just make one change and the replacement user gets all the correct rights. e.g. <user> -> HT Subject -> Executive, rather than <user> -> Executive.

The problem with this is when an email is sent to a mail enabled group, all the member groups of that group must be mail enabled for their members to receive the email. So I needed to bulk mail enable a container of groups, and also hide these new groups from the Address Book as they don’t need to be visible to staff.

Exchange 2010 only allows you to mail enable a group if it is a Universal group, and then only one at a time from the EMC. To convert all the Global groups in a particular container to universal groups, I used the following Power Shell command.

Import-Module ActiveDirectory
# List Tables
Get-ADGroup -SearchScope Subtree -SearchBase "OU=StaffGroups,OU=Staff,DC=win" -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"}  | Format-Table

# Convert Global groups to Universal
Get-ADGroup -SearchScope Subtree -SearchBase "<code>OU=StaffGroups,OU=Staff,DC=win</code>" -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"}  | Set-ADGroup -GroupScope Universal

Once converted to Universal groups I wanted to Enable the Groups as Distribution groups in Exchange and hide them from the global Address Book. These groups are role based and need to exist for group expansion in Exchange, but I don’t want them visible to everyone.

# Load AD Modules
Import-Module ActiveDirectory

# Load Exchange Snapins
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
. $env:ExchangeInstallPath\bin\RemoteExchange.ps1
Connect-ExchangeServer -auto

# Get list of Groups not Mail Enabled
$b = Get-ADGroup -SearchScope Subtree -SearchBase "OU=StaffGroups,OU=Staff,DC=win" -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Universal" -and mail -notlike "*"}

# Enable email for each group, use the Group name without spaces as Alias
$b | ForEach-Object { Enable-DistributionGroup -Identity $_.DistinguishedName -Alias ($_.Name -replace '\s|,|\.') }

# Hide the newly created groups from Global Address book
$b | ForEach-Object { Set-DistributionGroup -Identity $_.DistinguishedName -HiddenFromAddressListsEnabled $true}
 

Notes:

  • Details on replacing letters for alias is from here.
  • Mike Pfeiffer’s blog had great instructions on how to load Exchange snap-ins into a normal PowerShell session, such as in ISE.
  • I found a few sites that mentioned using get-group instead of get-adgroup. Not sure why the wrong command is given. Petri

About James Rudd

Network Administrator at Sydney Boys High School
This entry was posted in Active Directory, Exchange and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.