Member of Distribution Group Missing with Set-Group Failed or Already Exists

Tags: distribution group, mail flow, Mail-enabled non-universal groups, member missing, primary group, set-group

August 10, 2009 2

A while ago, a friend of mine asked me to check why his Exchange 2007 Distribution Group (DG) in Exchange Management Console (EMC), does not show all the members that are listed when using Active Directory Users and Computers (ADUC) console. Since this group is mail-enabled, emails to this group only deliverable to those who are listed in DG regardless of the their membership status in Active Directory (AD) found in ADUC.

It does not matter the scope (Global / Universal) of the group as long as it is a Security group type you will see this issue. (Note: only security type, I will explain why.) After some testing we found out that it was due to the Primary group setting.

Primary-group

The issue is caused by the particular AD user’s Primary group which also turns out to be the group he/she is in. For example UserA and UserB both are in the Sales DG (Mail-Enabled Universal Distribution Group). For some reason, UserA’s Primary group got changed to Sales DG while UserB’s Primary group still remain the default Domain Users.

When you open EMC, browse to Recipient Configuration | Distribution Group and compare with the same group in ADUC from AD, here is what you will see:

ADUC-group

distribution-group1

UserA is not listed in Exchange 2007 Distribution Group’s Members tab even though he/she is in AD. To further prove this we perform ldap dump on UserA object looking at memberOf ( ) attributes and confirm that the group CN does exist. The only difference is UserA’s primaryGroupID: now has changed corresponding to the Sales DG’s. Now if you try to add UserA, Exchange will throw you an error:

exchange-set-group-error

I have tested two different AD Forest and the other Exchange gave me this similar message:

——————————————————– Microsoft Exchange Error ——————————————————– The following error(s) occurred while saving changes: Set-Group Failed Error: Active Directory operation failed on server.domain.local. This error is not retriable. Additional information: Either the specified user account is already a member of the specified group, or the specified group cannot be deleted because it contains a member. Active directory response: 00000528: UpdErr: DSID-031A1174, problem 6005 (ENTRY_EXISTS), data 0 The object exists. ——————————————————–

When you have this problem, users who are not listed in members tab will not get email. To rectify this, just go to the user account and set the primary group to preferably Domain users so that it will not have similar problem with any other security group.

I am not sure if this is a bug or intended to be that way. If you happen’t to find the answer please comment or let me know and I will share it out. By the way, only Secuirty group can you set an user’s Primary group and not Distribution group.

More infromation on Distribution Group and interesting read:

This website uses IntenseDebate comments, but they are not currently loaded because either your browser doesn't support JavaScript, or they didn't load fast enough.

3822 Comments2009-08-10+20%3A25%3A23lamlamz

Josh
Feb 18, 2010, 20:45
Reply

Thank you so much! I've been spending hours on this. Finally fixed!

lamlamz
Feb 18, 2010, 20:50
Reply

You are welcome Josh. Glad that it helped!

Click here to cancel reply.

Début