To Distro or not to distro…

Our customer needed distribution groups from their various SharePoint sites for creating alerts on shared lists and libraries.  Until now, the site administrator was constantly having to add and manage these alerts all on an individual basis, and since each project the customer works with calls for a new SharePoint site, changes were plentiful.

Initially, when trying to create a group, specifically to mail-enable a group from within SharePoint, the admin received an error stating: “The group operation succeeded, but the distribution group could not be updated because of the following error: The Directory Management Service reported the following error: Access denied.”

I checked the settings on the Central Administration site under Operations for Incoming e-mail, and found it had not been configured to create distribution groups.  The following setting must be enabled:

Use the SharePoint Directory Management Service to create distribution groups and contacts?

Once this is set to Yes, new options will appear and must be configured.  You must specify the canonical path to the Organizational Unit (OU) where the SharePoint Directory Management Service (DMS) will create the new groups and contacts, i.e., OU=Container1,OU=Container2,DC=yourdomain,DC=yourDomainSuffix

Prior to specifying the settings in SharePoint, you should create the OU within Active Directory, and delegate FULL permissions on it to the service account of the application pool that Central Administration and your site collection use.

NOTE The application pool identity (service account) of both your site collection and the Central Administration site MUST be the same, or you will not be able to get this to work. Do not forget to issue an iisreset /noforce command after making any changes to service accounts related to SharePoint, or to the application pools within IIS.

Once you have delegated the appropriate rights and ensured your application pool identities are the same, you can proceed to create or modify the SharePoint group for which you wish to create a distribution list.  If your group will contain members from various site groups (different permission levels), create a new group on the site, and grant that group FULL rights (not to worry: as is true with NTFS permissions and inheritance, the group membership of the user that has the least privileges will override the group with Full rights).  Set the e-mail address and other options as your needs determine, and the group should be created successfully.

If you still receive an error during the list creation, check the logs on the front-end server that hosts the Central Admin site, and see if there is an error matching the one below:

Event ID: 5214, Insufficient SQL database permissions

You will need to launch SQL Server Management Studio and grant the EXECUTE right to the service account used as the application pool identity.  This gives the account the right to execute stored procedures against the configuration database.

Now, confirm the distribution group was created successfully by opening the Active Directory Users and Computers (ADUC) snap-in and checking the contents of the OU you created earlier for SharePoint to create the groups in.  Find the group you created, right-click it, open the Properties dialog box, and convert the group from a distribution group to a security group.

Note The SharePoint People Picker cannot resolve distribution groups, only security groups; hence alerts can only be created for mail-enabled security groups.

Next, open the Exchange Management Console, expand Recipients, find the distribution group, right-click it and choose to convert it from Global to Universal.  After this, you will notice it now shows as a mail-enabled universal security group.  Open the properties of the group and verify it has an e-mail address assigned.  You will notice the default e-mail address policy has been enforced, overriding the e-mail address assigned via SharePoint, i.e., demonstration@sharepoint.yourDomain.com is now demonstration@yourDomain.com. If you require the former, simply clear the check box that applies the default e-mail address policy, and add the SMTP address you need.
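As an added example (not code from the original post), here is a PowerShell audit of the groups sitting in the DMS OU that reports which ones still need the conversions described above before the People Picker and the GAL will accept them. It assumes the RSAT ActiveDirectory module is installed, and the OU path is a placeholder you replace with your own.

```powershell
# Added example, not from the original post: audit the groups the SharePoint
# Directory Management Service created in the delegated OU and flag the ones
# that still need converting. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder: replace with the OU you configured in Central Administration.
$DmsOu = 'OU=Container1,OU=Container2,DC=yourdomain,DC=yourDomainSuffix'

Get-ADGroup -Filter * -SearchBase $DmsOu -Properties mail, proxyAddresses |
    ForEach-Object {
        $g = $_
        $problems = @()

        # The People Picker only resolves security groups, so a group still
        # marked Distribution cannot be used for alerts.
        if ($g.GroupCategory -ne 'Security') {
            $problems += 'still a distribution group'
        }

        # The Exchange step converts the group to Universal scope.
        if ($g.GroupScope -ne 'Universal') {
            $problems += "scope is $($g.GroupScope), not Universal"
        }

        # Without a mail attribute the group will not show in the GAL.
        if (-not $g.mail) {
            $problems += 'no e-mail address assigned'
        }

        # Show the primary SMTP address so the admin can see whether the
        # default address policy replaced the address SharePoint assigned.
        $primary = ($g.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''

        [PSCustomObject]@{
            Group       = $g.Name
            Category    = $g.GroupCategory
            Scope       = $g.GroupScope
            PrimarySmtp = $primary
            Status      = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    } | Format-Table -AutoSize
```

Run it again after the ADUC and Exchange steps; every group that should be usable for alerts ought to report Status OK.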

Now you will be able to find the group in the Global Address List (GAL) from within Outlook, as well as by using the People Picker with SharePoint.

Note Remember, synchronization of SharePoint distribution lists is one way, i.e., from SharePoint to Active Directory! Always add members via the SharePoint controls.

You may now create alerts, etc., using the new distribution groups from SharePoint.  Have fun, and remember to Share the Point!