{"id":1849,"date":"2016-03-16T20:54:41","date_gmt":"2016-03-16T20:54:41","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=1849"},"modified":"2016-03-16T20:54:41","modified_gmt":"2016-03-16T20:54:41","slug":"exchange-2010-change-security-groups-to-distribution-groups","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=1849","title":{"rendered":"Exchange 2010: Change security groups to distribution groups"},"content":{"rendered":"<p>Distribution groups are a well-known concept for Exchange admins. Quite simply, a distribution group is an Active Directory group that\u2019s Exchange-enabled and therefore has an email address. Messages sent to the group are delivered to group members, which can be <span class=\"newterm\">mailbox users<\/span>, <span class=\"newterm\">mail users<\/span> (users with an email address outside the Exchange org), <span class=\"newterm\">mail contacts<\/span>, distribution groups and <span class=\"newterm\">mail-enabled public folders<\/span>. See Understanding Recipients for more details about these different types of recipients.<\/p>\n<p>From an Active Directory perspective, groups can be either distribution groups or security groups. Both can be used for email distribution if they\u2019re Exchange-enabled but the latter is also a <span class=\"newterm lightyellow\">security principal<\/span> \u2013 which means you can also grant it permissions to resources. 
From a security perspective, I\u2019ve always advocated that you shouldn\u2019t use security groups instead of distribution groups for email, although this is a common practice in many organizations to reduce the number of groups or objects in Active Directory and minimize management overhead.<\/p>\n<p>If you do decide to use security groups as distribution groups, be aware \u2014 there\u2019s always a chance someone would add a user to a distribution group so they receive emails sent to the group, inadvertently granting the permissions to access a file share or other resources that may be assigned to the group.<\/p>\n<h3>How can you change security groups to distribution groups?<\/h3>\n<p>If you\u2019re on Windows Server 2008 R2, it comes with the Active Directory PowerShell Module. Simply add it to your PowerShell\/Exchange Management Shell session:<\/p>\n<p class=\"code\">Import-Module ActiveDirectory<\/p>\n<p class=\"alert\">Before you change any security groups to distribution groups, make sure the groups are not used to assign permissions to resources.<\/p>\n<p>Now you can use the Set-ADGroup cmdlet to change the group\u2019s <span class=\"parameter lightyellow\">GroupCategory<\/span> property to distribution group. 
(Note, the LDAP attribute is <span class=\"attribute lightyellow\">groupType<\/span>):<\/p>\n<p class=\"code\">Set-ADGroup MyGroup -GroupCategory 0<\/p>\n<p>Of course, for a single group, you can also do this using the Active Directory Users &amp; Computers console (the <acronym title=\"Exchange Management Console\">EMC<\/acronym> doesn\u2019t allow you to change group type after creation).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/i1.wp.com\/exchangepedia.com\/images\/ADUC-GroupType.png\" alt=\"Screenshot: Changing group type in Active Directory Users &amp; Computers\" width=\"406\" height=\"447\" \/><br \/>\n<span class=\"caption\"><span class=\"bold\">Figure 1:<\/span> Changing the group type in Active Directory Users &amp; Computers<\/span><\/p>\n<p>For bulk converting (Exchange-enabled) security groups to distribution groups, you can use the Get-DistributionGroup cmdlet to retrieve\/filter Exchange distribution groups and pipe results to the Set-ADGroup cmdlet. In this example, we filter distribution groups using the <span class=\"parameter lightyellow\">OrganizationalUnit<\/span> parameter.<\/p>\n<p>Why use Exchange\u2019s <span class=\"cmdlet\">Get-DistributionGroup<\/span> cmdlet if the Active Directory module already has the Get-ADGroup cmdlet? Two reasons:<\/p>\n<ol>\n<li>Using the Get-DistributionGroup cmdlet from Exchange ensures you\u2019re only picking up <span class=\"newterm\">Exchange-enabled<\/span> distribution groups. Active Directory can have distribution group objects that are not Exchange-enabled.<\/li>\n<li>Exchange\u2019s Get-DistributionGroup cmdlet has an easy-to-use <span class=\"parameter lightyellow\">OrganizationalUnit<\/span> parameter to retrieve distribution groups from a specified <acronym title=\"Organizational Unit\">OU<\/acronym> in Active Directory. 
The Active Directory module has a <span class=\"parameter lightyellow\">SearchBase<\/span> parameter to set the search scope to a container or OU, but it\u2019s generally not worth the trouble. Exchange\u2019s OrganizationalUnit parameter is simpler \u2013 it works with the name of an Active Directory container or OU and doesn\u2019t require a <span class=\"parameter lightyellow\">distinguishedName<\/span> AND an <acronym title=\"Lightweight Directory Access Protocol\">LDAP<\/acronym> filter.<\/li>\n<\/ol>\n<p class=\"code\">Get-DistributionGroup <span class=\"lightyellow\">-OrganizationalUnit<\/span> Groups <span class=\"lightyellow\">-RecipientTypeDetails<\/span> MailUniversalSecurityGroup | % {$group=$_; Write-Host $group.Name; Write-Host 'Converting group\u2026 '; Set-ADGroup $group.DistinguishedName -GroupCategory 0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Distribution groups are a well-known concept for Exchange admins. Quite simply, a distribution group is an Active Directory group that\u2019s Exchange-enabled and therefore has an email address. 
Messages sent to the group are delivered to group members, which can be mailbox users, mail users (users with an email address outside the Exchange org), mail contacts, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,59],"tags":[],"class_list":["post-1849","post","type-post","status-publish","format-standard","hentry","category-exchange-2010","category-powershell"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1849","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1849"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1849\/revisions"}],"predecessor-version":[{"id":1850,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1849\/revisions\/1850"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1849"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1849"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1849"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}