Outlook Error – ‘One or more users cannot be added to the folder access list. Non-local users cannot be given rights on this server’

KB ID 0000560 Dtd 23/01/12

Problem

Outlook will show you this error if you attempt to grant rights to a "distribution group" on an object for example, a public folder, or for calendar permissions.

outlook error one or more users cannot be added to the folder access liist

You would think that converting the "Universal Distribution Group" to a "Universal Security Group" would solve this problem, but it does not.

Note: You may also see the following error, "an error occurred. Exception: Cannot use {Group_Name} as a security principal, Parameter name: secuirtyPrincipal.

Solution

1. First (I’m assuming) you ARE trying to add a security group that you have converted using the Active Directory Users and computers snap in like so, you will see I’ve got a Universal Distribution Group called "TestGroup"

outlook error one or more users cannot be added to the folder access liist

2. To convert to a Universal Security Group simply change the group type and apply. (Note you will need to refresh the view in Exchange System Manager, before it reflects the correct group type as below).

outlook error one or more users cannot be added to the folder access liist

3. But you will see, even though the type of group is correct you still see this error. (The more eagle eyed among you will see there’s a small error icon on the group type).

outlook error one or more users cannot be added to the folder access liist

Why this has happened.

This has been a known problem since Exchange 2007. Essentially there’s an active directory attribute called "msExchRecipientDisplayType" that does not get changed properly when you convert the group using the GUI interface.

How to Fix it

Exchange 2007

Run the following Powershell command in the Exchange Management Shell;

Set-Distributiongroup –identity {group name}

outlook error one or more users cannot be added to the folder access liist

Exchange 2010

If you run that command on Exchange 2010, you will see the error (shown above)

"Members can’t remove themselves from security groups. Please set the group to Closed for requests to leave."

You need to run the following Powershell command, in the Exchange Management Shell instead;

Set-Distributiongroup–identity {group name} –MemberDepartRestriction Closed

Related Articles, References, Credits, or External Links

How to Create a Distribution Group in Exchange 2010 / 2007

Author: Migrated

Share This Post On