Thursday February 18th, 2016 15:38 Can’t add security group/distribution list to calendar permissions

One day when I was out of the office, a user got my colleague to change up permissions on a room calendar. Since it’s not particularly his area, we ended up with the entire organization being bumped back to ‘availability only’ status. When I got in to re-add the main staff group to the permissions list, I got myself an interesting error:

exchange_shell

If you can’t read that, the problem is:

The user “EMCF Staff” was found in Active Directory but isn’t valid to use for permissions. Try an SMTP address
instead.
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidInternalUserIdException
+ FullyQualifiedErrorId : [Server=XXXXXX,RequestId=d501ac25-6ccd-421c-b89e-578de600d709,TimeStamp=2/18/2016 5
:34:00 PM] [FailureCategory=Cmdlet-InvalidInternalUserIdException] BEB2A843,Microsoft.Exchange.Management.StoreTas
ks.AddMailboxFolderPermission
+ PSComputerName : XXX.domain.com

It took a surprising amount of poking around to figure out exactly why I couldn’t add that – especially considering that the same group had permissions on a different calendar. So, for consolidation’s sake, here’s the fix.

Hop on ADSI Edit and bring up the group in question. Since security groups can function as distribution in 2013+, some of the ones you have might have been converted from a distribution group at some point in the past. That leaves behind a relic that breaks the ability to add them in the Exchange shell:

adsi

You can see from this handy list right here that it still has the distribution list code on the msExchRecipientDisplayType property.

The easy fix?

Simply clear that value to set to null – “<not set>” – and run the shell command that failed before. Voila.

We all know how whiny Exchange can be about tiny details like this, and if it stopped me from making a simple permissions change, I’m not going to bet against it causing a completely different problem if left as null. So, I changed mine right back afterward. You might be more bold, and if you are, do let me know how it turns out.

3 Comments on “Can’t add security group/distribution list to calendar permissions”

Los Commentos, as the French say

Your name

Your email

Your URL

Whois

IT guy, dev, designer, writer.

Got a degree in print journalism from UF but history dealt some bad cards to that industry, so I moved back to an earlier love: the computer.

Was recently at ZMOS Networks, but am now the Senior IT Associate at the Edna McConnell Clark Foundation.

My name is moderately common, as are a couple screen names, so always look for the logo to make sure you're reading something with official Km approval.

You can get to me directly with kyle(@)kylemitchell.org