Converting group scope – to domain local

The final version, converting to Domain Local, shouldn't hold any surprises.

## converts a security group to a Domain Local group
## $type selects the method: M = Set-ADGroup, P = AD: provider, Q = Set-QADGroup, S = ADSI script
function ConvertTo-DomainLocalSecurityGroup {
param (
    [string]$groupname,
    [ValidateSet("M", "P", "Q", "S")]
    [string]$type = "S"
)
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=group)(cn=$groupname))"
$search.SizeLimit = 3000
$search.PropertiesToLoad.Add("groupType") | Out-Null
$search.PropertiesToLoad.Add("distinguishedName") | Out-Null
$result = $search.FindOne()
if ($result -eq $null) {Throw "Group $groupname not found"}
## the properties come back as value collections - take the single value
$grouptype = [int]$result.Properties.grouptype[0]
$dn = [string]$result.Properties.distinguishedname[0]
## only security groups are converted; distribution groups (2, 4, 8) are rejected
switch ($grouptype) {
   2  {Throw "Not Security Group"}
   4  {Throw "Not Security Group"}
   8  {Throw "Not Security Group"}
   -2147483646  {
        Write-Warning "Converting Global group $groupname to Domain Local group"
   }
   -2147483644  {
         Throw "Domain Local - cannot change"
   }
   -2147483643   {
         Throw "Builtin Local group - cannot change"
   }
   -2147483640  {
         Write-Warning "Converting Universal group $groupname to Domain Local group"
   }
  default {Throw "Error - Unrecognised group type"}
}
## a Global group cannot go straight to Domain Local, so it is moved to Universal first
switch ($type) {
"M"  {
       if ($grouptype -eq -2147483646 ){
         Set-ADGroup -Identity $groupname -GroupScope Universal
       }
       Set-ADGroup -Identity $groupname -GroupScope DomainLocal
}
#AD provider
"P" {
      if ($grouptype -eq -2147483646){
        Set-ItemProperty -Path Ad:\"$dn" -Name GroupType -Value -2147483640 -Force
      }
      Set-ItemProperty -Path Ad:\"$dn" -Name GroupType -Value -2147483644  -Force
}
"Q" {
      if ($grouptype -eq -2147483646){
        Set-QADGroup -Identity $groupname -GroupScope "Universal"
      }
      Set-QADGroup  -Identity $groupname -GroupScope "DomainLocal"
}
"S" {
      $group = [adsi]"LDAP://$dn"
      if ($grouptype -eq -2147483646){
        $group.GroupType = -2147483640  ## universal
        $group.SetInfo()                ## ADSI changes are not written until SetInfo()
      }
      $group.GroupType = -2147483644    ## domain local
      $group.SetInfo()
}
default {Write-Host "Error!!! Should not be here" }
} ## end of type switch
}  ## end of function

The difference from the previous post is that we test for Global and convert to Universal before the conversion to Domain Local: Active Directory does not allow a Global group to be changed directly to Domain Local, so the Global group has to pass through Universal. The intermediate step is subject to the usual nesting rule, so a Global group that is itself a member of another Global group cannot be made Universal and the conversion will fail at that point. Remember too that the scope change alters who can be a member (a Domain Local group can hold principals from any trusted domain), so check the group's members and memberOf before running this against a group that is used in ACLs.

These functions are all used in the same way – supply a group name and the type of script you want to run (M uses Set-ADGroup, P the AD: provider, Q Set-QADGroup, and S, the default, uses ADSI directly).

ConvertTo-DomainLocalSecurityGroup -groupname testg9                       
ConvertTo-DomainLocalSecurityGroup -groupname testg8 -type S               
ConvertTo-DomainLocalSecurityGroup -groupname testg7 -type Q               
ConvertTo-DomainLocalSecurityGroup -groupname testg6 -type P
ConvertTo-DomainLocalSecurityGroup -groupname testg5 -type M      
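As an added example (my code, not part of the original post), the following decodes the raw groupType bit mask instead of matching whole magic numbers, works out the Global-via-Universal path explained above, and reads groupType back after the change rather than trusting that no error was thrown. The flag values are the documented ADS_GROUP_TYPE_ENUM bits; the function names and the `-GroupName` parameter are this example's own, and the last function assumes the ActiveDirectory module (`Get-ADGroup` / `Set-ADGroup`) is available.

```powershell
## Added example, not code from the original post.
## groupType bits: 0x1 builtin local, 0x2 global, 0x4 domain local, 0x8 universal,
## 0x80000000 security-enabled (which is why security groups show as negative [int]s).
function ConvertFrom-GroupType {
    param ([Parameter(Mandatory)][int]$GroupType)
    # Bit 31 marks a security-enabled group; the low nibble holds the scope.
    $scopeBits = $GroupType -band 0xF
    if     ($scopeBits -band 0x1) { $scope = 'BuiltinLocal' }   # e.g. -2147483643 (0x80000005)
    elseif ($scopeBits -band 0x2) { $scope = 'Global' }         # e.g. -2147483646 (0x80000002)
    elseif ($scopeBits -band 0x4) { $scope = 'DomainLocal' }    # e.g. -2147483644 (0x80000004)
    elseif ($scopeBits -band 0x8) { $scope = 'Universal' }      # e.g. -2147483640 (0x80000008)
    else                          { $scope = 'Unknown' }
    [pscustomobject]@{
        GroupType  = $GroupType
        IsSecurity = ($GroupType -band 0x80000000) -ne 0
        Scope      = $scope
    }
}

function Get-DomainLocalConversionPath {
    # Returns the ordered list of scopes to pass to Set-ADGroup -GroupScope.
    # AD refuses Global <-> DomainLocal directly, so a Global group goes via Universal.
    param ([Parameter(Mandatory)][int]$GroupType)
    $info = ConvertFrom-GroupType -GroupType $GroupType
    if (-not $info.IsSecurity) { throw "Not a security group (groupType $GroupType)" }
    switch ($info.Scope) {
        'Global'       { return @('Universal', 'DomainLocal') }
        'Universal'    { return @('DomainLocal') }
        'DomainLocal'  { return @() }      # already Domain Local, nothing to do
        'BuiltinLocal' { throw "Builtin local group - cannot change scope" }
        default        { throw "Unrecognised group type $GroupType" }
    }
}

function ConvertTo-DomainLocalSecurityGroupChecked {
    # Hypothetical wrapper: plans the path, applies it with Set-ADGroup, verifies the result.
    [CmdletBinding(SupportsShouldProcess)]
    param ([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -Properties groupType, memberOf
    $path  = Get-DomainLocalConversionPath -GroupType $group.groupType
    if ($path -contains 'Universal' -and $group.memberOf) {
        # Global -> Universal fails if the group is nested in another Global group;
        # surface the nesting before attempting the change.
        Write-Warning "$GroupName is a member of: $($group.memberOf -join '; ')"
    }
    foreach ($scope in $path) {
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Set-ADGroup -GroupScope $scope")) {
            Set-ADGroup -Identity $group.DistinguishedName -GroupScope $scope
        }
    }
    # Verify by reading groupType back; -2147483644 is a Domain Local security group.
    $after = (Get-ADGroup -Identity $group.DistinguishedName -Properties groupType).groupType
    if (-not $WhatIfPreference -and $after -ne -2147483644) {
        throw "Conversion of $GroupName failed: groupType is now $after"
    }
    ConvertFrom-GroupType -GroupType $after
}

## Offline check of the decoder against the values used in the post:
-2147483646, -2147483640, -2147483644, -2147483643, 2 | ForEach-Object { ConvertFrom-GroupType $_ }
## Dry run against a real group (needs the ActiveDirectory module):
## ConvertTo-DomainLocalSecurityGroupChecked -GroupName testg9 -WhatIf
```

Run the function with `-WhatIf` first: it prints the one or two `Set-ADGroup` calls it would make and the memberOf warning without touching the directory, which is the cheapest way to spot a Global group whose nesting will block the Universal step.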

This entry was posted in PowerShell and Active Directory.

3 Responses to Converting group scope – to domain local

  1. Paulius says:

    Reblogged this on DevConfessions and commented:
    Useful function for changing AD group scope to ‘Domain Local’ from PowerShell

  2. Deepak says:

    Hi, I am having a doubt. Recently a group was automatically changed from Universal to Local domain, but I did not change that. I changed only the Domain Controller. So if I do change the domain controller, does it have an impact on group scope?
