Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to manage Active Directory security groups and to mail-enable group objects in an Office 365 environment


View products that this article applies to.

Summary

This article describes how to manage Active Directory security groups and how to mail-enable group objects in a Microsoft Office 365 environment.�

↑ Back to the top


More information

The Microsoft Online Services Directory Synchronization Tool for Office 365 synchronizes Active Directory groups (including their membership) to the cloud. The tool pushes security groups and distribution groups to their appropriate interfaces in the Office 365 portal. Mail-enabled distribution groups are listed only in the distribution groups interface. However, this does not prevent you from using�mail-enabled distribution groups to assign permissions to resources.

How to view security groups

To view security groups, follow these steps:

  1. Sign in to the Office 365 portal at https://portal.microsoftonline.com by using an administrator account.
  2. Click Admin.
  3. In the left navigation pane, click Security Groups.
Be aware that security groups that are synchronized to Office 365 through directory synchronization are mastered in the on-premises environment. Therefore, you cannot edit these security groups.

How to view distribution groups and mail-enabled security groups

To view distribution groups and mail-enabled security groups, follow these steps:
  1. Sign in to the Office 365 portal at https://portal.microsoftonline.com by using an administrator account.
  2. In the center pane, under Exchange Online, click Manage.
  3. Click Distribution Groups to view the list of distribution groups.
Be aware that you can edit the membership of synchronized distribution groups. Even though these groups are mastered in the on-premises environment, group membership can be adjusted to include managed Office 365 accounts for Exchange permissions and mail delivery.

How to mail-enable a security group�if you do not have an on-premises Exchange environment

If you do not have an on-premises Exchange environment, it can be difficult to mail-enable a security group. One method is to�complete the�E-mail attribute of the security group and then have directory synchronization detect a security group and then synchronize the group as a mail-enabled security group,�

To mail-enable a security group if you do not have an on-premises Exchange environment, follow these steps:
  1. On your local Active Directory domain controller, click Start, point to�All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Locate the user security group that you want to adjust, right-click the group, and then�click�Properties.
  3. On the�General�tab, type the appropriate value in the�E-mail�field to deliver to the Exchange Online environment.
When a value is set in the�E-mail field, directory synchronization will not synchronize the group object because group objects do not have a displayName�attribute that is set by default. Directory synchronization requires that all mail-enabled groups have a display name. Therefore, you also have to set the display name.�

�To�add a display name to the group object, follow these steps:
  1. On your local Active Directory domain controller, click Start,�point�to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Select the root of the tool,�and then click�Advanced Features on the�View�menu.
  3. Locate the user security group that you want to adjust, right-click the group, and then click�Properties.
  4. On the Attribute Editor tab, locate and then select the�displayName�attribute, and then click�Edit.�In the�Value�box, type the display name that you want, and then click�OK two times.
By default, directory synchronization occurs every three hours. You can also force directory synchronization so that you can confirm the changes immediately.

How to force directory synchronization

To force directory synchronization, follow these steps:

  1. On the server on which the Microsoft Online Services Directory Synchronization Tool is installed, open the C:\Program Files\Microsoft Online Directory Sync folder, and then double-click�DirSyncConfigShell.psc1.
  2. At the Windows PowerShell prompt, type�Start-OnlineCoexistenceSync,�and then press�Enter.
After several minutes, you can view the results of the synchronization by examining the Application event log and can view the group objects in the Office 365 portal.

↑ Back to the top


References

To view a video of this content, visit the following Microsoft website:

↑ Back to the top


Keywords: KB2588125, bposs, o365, vkbportal230, vkbportal237, vkbportal231

↑ Back to the top

Article Info
Article ID : 2588125
Revision : 5
Created on : 12/29/2011
Published on : 12/29/2011
Exists online : False
Views : 411