Outlook Calendar Security Group Permissions

Mr. Jones

On-Prem Exchange
Outlook 2019

Okay so because we need everyone in the organization to see this shared calendar, and we can't add each person because you can't add that many people (I think it's somewhere in the ballpark of 64 max) I've been trying to figure out how to make it work/best practices.

After a bit of reading, I've created mail-enable Dynamic Distribution groups (via EAC) based on the "Department" field in the Organization tab of User>Properties in AD. I know these work, as I've been using them.

But, since you can't add dynamic distribution groups to the permissions list for calendars, I've created a mail-enable security group (via EAC) and put them all in it.

However, I can't get it to work. Users are able to pull the calendar up, but it just says "failed to update" above it, and I'm guessing it's a permissions issue.

Current permissions on each Distibution group:

Membership>Members: All Recipient Types (after "Only the following: Users with Exchange mailboxes" didn't work.)

Rule>Recipient Container: Domain (contoso.com)
Rule>Department: listed department names from the department fields in AD ("Registrar" etc.)

Any ideas?

EDIT: I'm clearly having a moment. So there's this little group called "Default" that's basically everyone, so I was able to set Reviewer to that group and now everyone can see the calendar. ::facepalm::

I'd still like to know how I could make my initial approach work, if possible.

Dashrender

My version is older than yours, but as your second line of thinking went:

create email group, add all users to it, grant that group whatever rights are needed - reviewer in this case - tada, done.
You might need the users to log out and back in to get the new rights.

I do this for many calendars in my org.

Mr. Jones

@dashrender Do you think that because the security group is populated by several dynamic distribution groups that it wouldn't work?

I could just add everyone individually to the security group, but I like to do dynamic groups based on AD departments because it makes things easier for the onboarding/offboarding part of things.

Dashrender

@mr-jones said in Outlook Calendar Security Group Permissions:

@dashrender Do you think that because the security group is populated by several dynamic distribution groups that it wouldn't work?

I could just add everyone individually to the security group, but I like to do dynamic groups based on AD departments because it makes things easier for the onboarding/offboarding part of things.

I don't know anything about dynamic groups - I've never heard of those before your post. Even though you were allowed to nest them, it's likely that they don't work that way.

As for onboarding offboarding - I copy a template user, so that creates the user with the same groups that the template has. Deleting the user though, oddly doesn't remove them from those groups - instead it leaves a UUID behind for the user, and I have to either run a script or delete them manually, so offboarding is a PITA.

Dashrender

In re-reading your OP, "mail-enable Dynamic Distribution groups" are not likely security groups, they are likely email only groups.

When you create regular groups you can create distribution or security groups. Security groups can also be used as distribution groups, but distribution groups CANNOT be used as security groups.

You are trying to set permissions (which is a security thing) so you need to use pure security groups to get the function you want.

dbeato

@mr-jones I was going to say I have a script that does change the Default Permisisons to all users

https://github.com/dbeato/scripts/blob/master/Office 365/Update-Default-Permissions.ps1

But It might come down to having the users added either via script or manually to that group you want and then applying the permissions. However Microsoft Exchange has been cumbersome to apply permissions by groups. I would recommend to do it by user instead.

Mr. Jones

@dashrender You can create (on the EAC side) three options. Dynamic Distribution, Distribution, or Security.

I've nested the Dynamics into the Security, because you can't add dynamics to a permissions list, as you've outlined you are aware of. However, "pure security groups" might be the issue. As I suspect permissions are not going to propegate through a security group and it's nested non-security groups like I would like them to.

Mr. Jones

@dbeato said in Outlook Calendar Security Group Permissions:

@mr-jones I was going to say I have a script that does change the Default Permisisons to all users

https://github.com/dbeato/scripts/blob/master/Office 365/Update-Default-Permissions.ps1

But It might come down to having the users added either via script or manually to that group you want and then applying the permissions. However Microsoft Exchange has been cumbersome to apply permissions by groups. I would recommend to do it by user instead.

Yea it does sound like that might end up being the case. I'll poke at it some more, as I'm not quite ready to give up on it. Thanks for the reply.