Converting group scope–to Universal

We’ve seen how to create the different group types, but we may create a group as a Global group and later need to change it to another scope. This isn’t a free-for-all change process:

  • Universal and Domain Local can be converted to the other
  • Universal and Global can be converted to the other
  • There is no direct conversion from Global to Domain Local or vice versa
  • You can’t convert a group that has nested groups that wouldn’t be allowed in the new group type

I decided to write three functions, one to convert to each type of group. I’m only considering security groups because all distribution lists in Exchange 2007 and above have to be Universal.

To convert security groups to Universal

## converts a security group to a Universal group
function ConvertTo-UniversalSecurityGroup {
param (
 [parameter(Mandatory=$true)]
 [string]$groupname,

 [ValidateSet("M", "P", "Q", "S")]
 [string]$type = "S"
)
## find the group by cn and read its groupType and distinguishedName
## note: $groupname goes into the LDAP filter as-is, so characters such as
## * ( ) \ in the name are treated as filter syntax
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=group)(cn=$groupname))"
$search.SizeLimit = 3000
$search.PropertiesToLoad.Add("groupType") | Out-Null
$search.PropertiesToLoad.Add("distinguishedName") | Out-Null
$result = $search.FindOne()

if ($result -eq $null) {Throw "Group $groupname not found"}

$grouptype = $result.Properties.grouptype
$dn = $result.Properties.distinguishedname

## reject or warn depending on the current group type
switch ($grouptype) {
   2  {Throw "Not Security Group"}
   4  {Throw "Not Security Group"}
   8  {Throw "Not Security Group"}
   -2147483646  {
         Write-Warning "Converting Global group $groupname to Universal group"
   }
   -2147483644  {
         Write-Warning "Converting Domain Local group $groupname to Universal group"
   }
   -2147483643   {
         Throw "Builtin Local group - cannot change"
   }
   -2147483640  {
         Throw "Universal - cannot change"
   }
  default {Throw "Error - Unrecognised group type"}
} ## end of group type switch

switch ($type) {
#Microsoft cmdlets
"M"  {
       Set-ADGroup -Identity $groupname -GroupScope Universal
     }
#AD provider
"P" {
      Set-ItemProperty -Path Ad:\"$dn" -Name GroupType -Value -2147483640 -Force
    }
#Quest cmdlets
"Q" {
      Set-QADGroup  -Identity $groupname -GroupScope "Universal"
    }
#script
"S" {
      $group = [adsi]"LDAP://$dn"
      $group.GroupType = -2147483640
      $group.SetInfo()   ## commit the change to the directory
    }
default {Write-Host "Error!!! Should not be here" }
} ## end of type switch
}  ## end of function

I’ve used ConvertTo as the verb as it’s a legal PowerShell verb.

The group name and what type of script you want are the only parameters. The group type is checked and the conversion is either rejected or a warning message printed. The values used to check group type are pre-calculated – see

The default script type is "S" (script, using [adsi]).

The relevant script type is then run. The syntax for these commands should be clear from previous examples.
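The pre-calculated values checked in the function are combinations of the groupType bit flags. The following is an added example, not code from the original post: it decodes those flags and applies the scope rules listed at the top of the post. The function names Get-GroupTypeInfo and Test-ScopeConversion are hypothetical, and the nested-membership rule is not checked.

```powershell
# Added example: decode groupType flags and test the scope-conversion rules.
# Get-GroupTypeInfo and Test-ScopeConversion are hypothetical helper names.
$GT_BUILTIN     = 0x1               # group created by the system
$GT_GLOBAL      = 0x2
$GT_DOMAINLOCAL = 0x4
$GT_UNIVERSAL   = 0x8
$GT_SECURITY    = [int]::MinValue   # 0x80000000, the security-enabled bit

function Get-GroupTypeInfo {
    param ([Parameter(Mandatory=$true)][int]$GroupType)

    if     ($GroupType -band $GT_GLOBAL)      { $scope = 'Global' }
    elseif ($GroupType -band $GT_DOMAINLOCAL) { $scope = 'DomainLocal' }
    elseif ($GroupType -band $GT_UNIVERSAL)   { $scope = 'Universal' }
    else   { throw "Unrecognised group type $GroupType" }

    New-Object PSObject -Property @{
        Scope    = $scope
        Security = [bool]($GroupType -band $GT_SECURITY)
        Builtin  = [bool]($GroupType -band $GT_BUILTIN)
    }
}

function Test-ScopeConversion {
    param (
        [Parameter(Mandatory=$true)][int]$GroupType,
        [ValidateSet('Global','DomainLocal','Universal')]
        [string]$TargetScope = 'Universal'
    )
    $info = Get-GroupTypeInfo -GroupType $GroupType
    if ($info.Builtin)                { return $false }  # builtin groups cannot change
    if ($info.Scope -eq $TargetScope) { return $false }  # already the target scope
    # Global <-> Domain Local has no direct conversion: one side must be Universal
    return ($info.Scope -eq 'Universal' -or $TargetScope -eq 'Universal')
}

# The four security-group values the function checks, plus a distribution group (2)
foreach ($gt in -2147483646, -2147483644, -2147483643, -2147483640, 2) {
    $info = Get-GroupTypeInfo -GroupType $gt
    '{0,12}  0x{0:X8}  {1,-11}  security={2,-5}  builtin={3,-5}  toUniversal={4}' -f `
        $gt, $info.Scope, $info.Security, $info.Builtin,
        (Test-ScopeConversion -GroupType $gt -TargetScope Universal)
}
```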


One Response to Converting group scope–to Universal

  1. Succinct and useful! I’m impressed by the extra effort put in to support native .net, and both the MS and Quest AD cmdlets.
