Exchange 2010: Change security groups to distribution groups

Distribution groups are a well-known concept for Exchange admins. Quite simply, a distribution group is an Active Directory group that’s Exchange-enabled and therefore has an email address. Messages sent to the group are delivered to group members, which can be mailbox users, mail users (users with an email address outside the Exchange org), mail contacts, distribution groups and mail-enabled public folders. See Understanding Recipients for more details about these different types of recipients.

From an Active Directory perspective, groups can be either distribution groups or security groups. Both can be used for email distribution if they’re Exchange-enabled, but the latter is also a security principal – which means you can also grant it permissions to resources. From a security perspective, I’ve always advocated that you shouldn’t use security groups instead of distribution groups for email, although this is a common practice in many organizations to reduce the number of groups or objects in Active Directory and minimize management overhead.

If you do decide to use security groups as distribution groups, be aware — there’s always a chance someone will add a user to the group so they receive emails sent to it, inadvertently granting that user the permissions to a file share or other resources that are assigned to the group.

How can you change security groups to distribution groups?

If you’re on Windows Server 2008 R2, it comes with the Active Directory PowerShell Module. Simply add it to your PowerShell/Exchange Management Shell session:

Import-Module ActiveDirectory

Before you change any security groups to distribution groups, make sure the groups are not used to assign permissions to resources.

Now you can use the Set-ADGroup cmdlet to change the group’s GroupCategory property to distribution group. (Note, the LDAP attribute is groupType):

Set-ADGroup MyGroup -GroupCategory 0

Of course, for a single group, you can also do this using the Active Directory Users & Computers console (the EMC doesn’t allow you to change group type after creation).

Figure 1: Changing the group type in Active Directory Users & Computers

For bulk converting (Exchange-enabled) security groups to distribution groups, you can use the Get-DistributionGroup cmdlet to retrieve/filter Exchange distribution groups and pipe results to the Set-ADGroup cmdlet. In this example, we filter distribution groups using the OrganizationalUnit parameter.

Why use Exchange’s Get-DistributionGroup cmdlet if the Active Directory module already has the Get-ADGroup cmdlet? Two reasons:

  1. Using the Get-DistributionGroup cmdlet from Exchange ensures you’re only picking up Exchange-enabled distribution groups. Active Directory can have distribution group objects that are not Exchange-enabled.
  2. Exchange’s Get-DistributionGroup cmdlet has an easy-to-use OrganizationalUnit parameter to retrieve distribution groups from a specified OU in Active Directory. The Active Directory module has a SearchBase parameter to set the search scope to a container or OU, but it’s generally not worth the trouble. Exchange’s OrganizationalUnit parameter is simpler – it works with the name of an Active Directory container or OU and doesn’t require a distinguishedName AND an LDAP filter.

Get-DistributionGroup -OrganizationalUnit Groups -RecipientTypeDetails MailUniversalSecurityGroup | % {$group=$_; Write-Host $group.Name; Write-Host "Converting group... "; Set-ADGroup $group.DistinguishedName -GroupCategory 0}
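The one-liner above converts every matching group immediately. The script below is an added example, not code from the original post, that puts the earlier advice ("make sure the groups are not used to assign permissions to resources") into the loop: it records the groups to a CSV before touching them, checks a list of share roots for ACEs that still reference each group, skips any group that is still in use, and runs Set-ADGroup with -WhatIf so you can review the output before committing. The OU name Groups, the share roots in $ShareRoots, the CSV path and the helper name Get-GroupAceUsage are assumptions you should replace with your own values; the ACL check only covers the paths you list (one level deep), not every resource the group may be granted rights on.

```powershell
# Added example (not from the original post). Assumed placeholder values:
# the OU "Groups", the UNC roots in $ShareRoots and the CSV backup path.
Import-Module ActiveDirectory

$OU         = 'Groups'                                             # assumption: OU holding the groups
$ShareRoots = @('\\fileserver\Projects', '\\fileserver\Finance')   # assumption: roots whose ACLs to inspect
$Backup     = 'C:\Temp\groups-before-conversion.csv'               # assumption: rollback record
$NetBIOS    = (Get-ADDomain).NetBIOSName

# Hypothetical helper: returns every ACE on the given roots (and their
# immediate subfolders) whose identity is DOMAIN\<group>. A non-empty result
# means the group is still acting as a security principal somewhere.
function Get-GroupAceUsage {
    param([string]$GroupName, [string[]]$Paths)
    $principal = "$NetBIOS\$GroupName"
    foreach ($root in $Paths) {
        if (-not (Test-Path -Path $root)) { continue }
        $targets = @($root) + @(Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
                                Select-Object -ExpandProperty FullName)
        foreach ($t in $targets) {
            $acl = Get-Acl -Path $t -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.IdentityReference.Value -ieq $principal) {
                    [pscustomobject]@{
                        Path   = $t
                        Rights = $ace.FileSystemRights
                        Type   = $ace.AccessControlType
                    }
                }
            }
        }
    }
}

# Only Exchange-enabled universal security groups in the OU are candidates;
# these are the ones Exchange can keep using after they become distribution groups.
$candidates = Get-DistributionGroup -OrganizationalUnit $OU `
                  -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited

# Save the current state first so a group can be put back with
# Set-ADGroup <dn> -GroupCategory Security if something breaks.
$candidates |
    Select-Object Name, SamAccountName, DistinguishedName, RecipientTypeDetails |
    Export-Csv -Path $Backup -NoTypeInformation

foreach ($group in $candidates) {
    $usage = @(Get-GroupAceUsage -GroupName $group.SamAccountName -Paths $ShareRoots)
    if ($usage.Count -gt 0) {
        # Converting this group would silently strip the rights it currently carries.
        Write-Warning "Skipping $($group.Name): still referenced in $($usage.Count) ACE(s), e.g. $($usage[0].Path)"
        continue
    }
    Write-Host "Converting $($group.Name) to a distribution group"
    # Remove -WhatIf once the preview output matches what you expect.
    Set-ADGroup -Identity $group.DistinguishedName -GroupCategory Distribution -WhatIf
}
```

Run it from an Exchange Management Shell on a machine with the Active Directory module (so both Get-DistributionGroup and Set-ADGroup resolve), first with -WhatIf in place to read the skip warnings and the planned changes, then without it. -GroupCategory Distribution is the same setting as the -GroupCategory 0 used above; the name is just easier to read in a script.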