Converting Group Scope to Global

This is similar to the conversion to Universal.

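## Converts a Domain Local or Universal security group to a Global group
function ConvertTo-GlobalSecurityGroup {
<#
.SYNOPSIS
Converts a Domain Local or Universal security group to Global scope.

.DESCRIPTION
Looks the group up by cn in the current domain, reads its groupType and
refuses to continue unless it is a Domain Local or Universal security group.
A Domain Local group is first changed to Universal and then to Global, so the
change is two separate directory writes: if the second write is rejected the
group is left as Universal and should be checked by hand.

The change is made on the distinguished name returned by the lookup, so the
object whose type was checked is the object that is modified.

.PARAMETER groupname
cn of the group to convert. The value is escaped before it is placed in the
LDAP filter, so it is always matched literally.

.PARAMETER type
Tool used to make the change: M = Microsoft AD cmdlets, P = AD provider,
Q = Quest cmdlets, S = ADSI script (default).
#>
[CmdletBinding(SupportsShouldProcess=$true)]
param (
 [string]$groupname,

 [ValidateSet("M", "P", "Q", "S")]
 [string]$type = "S"

)

if ([string]::IsNullOrEmpty($groupname)) {
  Throw "Group name must be supplied"
}

## Escape LDAP filter metacharacters (RFC 4515) so the name cannot widen or
## rewrite the search filter. The backslash must be replaced first.
$filtername = $groupname.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')

$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=group)(cn=$filtername))"
$search.SizeLimit = 3000
$search.PropertiesToLoad.Add("groupType") | Out-Null
$search.PropertiesToLoad.Add("distinguishedName") | Out-Null

## NOTE(review): cn is only unique within a container; FindOne returns the
## first match if the same cn exists in several OUs - confirm that is acceptable.
$result = $search.FindOne()
if ($null -eq $result) {
  Throw "Group $groupname not found"
}

## The property collections hold a single value each; take it as a scalar so
## the comparisons below are plain integer / string comparisons.
[int]$grouptype = $result.Properties["grouptype"][0]
[string]$dn = $result.Properties["distinguishedname"][0]

## groupType values: 2 / 4 / 8 are Global / Domain Local / Universal
## distribution groups; the negative values have the security-enabled bit set.
switch($grouptype){
   2  {Throw "Not Security Group"}
   4  {Throw "Not Security Group"}
   8  {Throw "Not Security Group"}
   -2147483646  {
        Throw "Global - cannot change"
       }
   -2147483644  {
         Write-Warning "Converting Domain Local group $groupname to Global group"
      }
   -2147483643   {
         Throw "Builtin Local group - cannot change"
       }
   -2147483640  {
         Write-Warning "Converting Universal group $groupname to Global group"
      }
  default {Throw "Error - Unrecognised group type"}
}

## Honour -WhatIf / -Confirm for every path. The ADSI path in particular does
## not look at $WhatIfPreference, so without this gate -WhatIf would still
## write to the directory.
if (-not $PSCmdlet.ShouldProcess($dn, "Convert group scope to Global")) {
  return
}

$isDomainLocal = ($grouptype -eq -2147483644)

switch ($type) {
#Microsoft
"M"  {
       if ($isDomainLocal){
         Set-ADGroup -Identity $dn -GroupScope Universal
       }
       Set-ADGroup -Identity $dn -GroupScope Global

     }
#AD provider
"P" {
      if ($isDomainLocal){
        Set-ItemProperty -Path "AD:\$dn" -Name GroupType -Value -2147483640 -Force
      }
      Set-ItemProperty -Path "AD:\$dn" -Name GroupType -Value -2147483646  -Force

    }
#Quest
"Q" {
      if ($isDomainLocal){
        Set-QADGroup -Identity $dn -GroupScope "Universal"
      }
      Set-QADGroup  -Identity $dn -GroupScope "Global"
    }
#Script
"S" {
      ## A forward slash inside a DN has to be escaped in an ADsPath.
      $adspath = "LDAP://" + $dn.Replace('/', '\/')
      $group = [adsi]$adspath

      if ($isDomainLocal){
        $group.GroupType = -2147483640  ## universal
        $group.SetInfo()
      }
      $group.GroupType = -2147483646   ## global
      $group.SetInfo()
    }

default {Write-Host "Error!!! Should not be here" }
} ## end of type switch
}  ## end of function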

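We need to check whether the group is Domain Local and, if so, convert it to Universal before converting it to Global, because Active Directory does not allow a direct change from Domain Local to Global. Otherwise this is very much the same as the previous post.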
