Recently a customer contacted me with an issue with one of their mail-enabled Security Groups. They were trying to set both the MemberJoin and MemberDepart settings to Closed per best practices. Well, it turns out that the ‘Closed’ setting is actually the default for mail-enabled Security Groups. PowerShell options are available for changing these values from Closed to Open or Approval. However, my customer was unable to do so. I then set about seeing whether this was normal and, if not, why their environment was different.
Approach
In a test Exchange 2016 environment I created a brand new mail-enabled security group using the EAC. The new group had a manager as well as some members. An initial look at the group in PowerShell shows the group configured with the defaults documented by Microsoft:
As we can see both of the MemberJoin and MemberDepart values are set to ‘Closed’. This is because members of the Security Group are not allowed to leave on their own. If we attempt to adjust the values to something other than ‘Closed’, say ‘Open’, then we receive these errors:

Now, for my client, the values were both set to ‘Open’, like so:
They let me know that PowerShell gave an option for changing it to ‘Closed’ but it gave them all sorts of errors. So I tried this in their environment as well to generate the errors:
Well, that’s interesting. So PowerShell knows the values should be ‘Closed’, but we can’t set it to closed.
So how do we rectify this situation?
Let’s first see what settings are available in ADUC (AD Users and Computers) as well as using PowerShell to examine the group in AD:


As we can see, not much there and nothing here we can change that would affect the issue at hand.
What about Get-Group?
Get-Group ThisGroupSucks | FL
This does not display any properties that we need for this configuration.
Or Get-ADGroup?
Get-ADGroup -Identity ThisGroupSucks-1-1456038154 -Properties *

We see from this that there are properties that we need to set, but can we actually set them with PowerShell? No.
Next Steps? ADSIEdit. Yes, we need ADSIEdit.
Once we have ADSIEdit open, we can adjust the properties from 0 to 1 and 1 to 0 as much as we want. In our case we will want to change the values back to the defaults of ‘0’.
Before:
After:
After the change, we can see PowerShell recognizes it as well:

Conclusion
As we can see, even if the option is available in PowerShell we sometimes have to resort to tools outside of it to make the changes we need.
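A read-only audit for the drift described above, added here as an example and not part of the original post: it lists every mail-enabled security group whose MemberJoinRestriction or MemberDepartRestriction is not ‘Closed’, together with the raw directory values that ADSIEdit would show. It assumes the Exchange Management Shell plus the ActiveDirectory module, and it assumes the underlying AD attributes are msExchGroupJoinRestriction and msExchGroupDepartRestriction, which the post does not name.

```powershell
# Added example (not from the original post): report mail-enabled security groups
# whose join/depart restrictions differ from the 'Closed' default. Read-only.
# Run in the Exchange Management Shell; the AD lookup needs the ActiveDirectory module.
Import-Module ActiveDirectory -ErrorAction Stop

# Assumption: these are the AD attributes behind the two Exchange settings
# (the post edits them in ADSIEdit but does not name them).
$adAttrs = 'msExchGroupJoinRestriction', 'msExchGroupDepartRestriction'

$groups = Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited

$report = foreach ($g in $groups) {
    $join   = [string]$g.MemberJoinRestriction
    $depart = [string]$g.MemberDepartRestriction

    # Groups already at the default need no attention.
    if ($join -eq 'Closed' -and $depart -eq 'Closed') { continue }

    # Read the raw directory values so they can be compared with the ADSIEdit view.
    $ad = Get-ADGroup -Identity ([string]$g.DistinguishedName) -Properties $adAttrs

    [pscustomobject]@{
        Name                    = $g.Name
        MemberJoinRestriction   = $join
        MemberDepartRestriction = $depart
        RawJoinValue            = $ad.msExchGroupJoinRestriction
        RawDepartValue          = $ad.msExchGroupDepartRestriction
        DistinguishedName       = [string]$g.DistinguishedName
    }
}

if ($report) {
    $report | Sort-Object Name | Format-Table -AutoSize -Wrap
    # Keep a record of the pre-change state before anyone edits the directory.
    $report | Export-Csv -Path .\MailEnabledSG-RestrictionDrift.csv -NoTypeInformation
} else {
    Write-Output 'All mail-enabled security groups have MemberJoin/MemberDepart set to Closed.'
}
```

The exported CSV gives a before-state to compare against once the values have been corrected in ADSIEdit.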
Thank you so much for this. I never considered ADSIedit. You are a lifesaver!