Recently I came across a need to batch convert Global security groups into Universal security groups in my work's Active Directory domain. The reason was so I could then turn them into mail-enabled security groups, which would allow mail to be delivered to the members of those groups. Unfortunately, all security groups at this organization are Global in scope.
Since this is a single-domain organization, there is no harm in changing the scope to Universal. Doing this with the mouse is very tedious; fortunately, a few basic command line tools can automate the task. Thanks to Jeff Guillet for outlining how to do this.
The three magic commands are: dsquery, dsget, and dsmod.
First I wanted to test a single security group to make sure everything would work. I couldn't convert it because it was itself a member of several Global security groups, and that rabbit hole went several levels deep. Piping dsquery, dsget, and dsmod together solved this problem instantly:
dsquery group -limit 0 -name "<Group Name>" | dsget group -memberof | dsmod group -c -q -scope u
The above command first gets the distinguished name of the group specified by the -name parameter. The output is sent to the dsget command, which lists the groups that group is a member of. That output is sent to the dsmod command, which does the work of actually changing the scope of each of those parent groups to Universal:
- -c tells it to continue on error.
- -q tells it to not print successful changes.
- -scope u instructs it to change the group's scope to Universal.
Any errors will be printed to the console. Depending on how many levels of global groups there are you may have to run this command several times in order to convert the problematic groups to Universal scope.
Once that command finishes without error you can modify the group itself to be a universal group by simply omitting the middle dsget command:
dsquery group -limit 0 -name "<Group Name>" | dsmod group -c -q -scope u
After testing we are now ready to expand this to convert ALL Global security groups to Universal scope. If you would like a report of which groups would be affected, run this command. It writes every group returned by the query to the text file Groups.txt along with its SAM account name, its scope, and whether it is a security group:
dsquery group -limit 0 | dsget group -samid -scope -secgrp > Groups.txt
To modify every group, simply omit the "-name" parameter from the dsquery command used above with our test group. This will iterate through every group in the directory and pass it on to dsmod, which will modify the scope to Universal:
dsquery group -limit 0 | dsmod group -c -q -scope u
Some built-in groups can't be converted due to their nature (Domain Users being one example), so you will have to work around those. You will probably need to run the command a few times until no errors appear.
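The same conversion can be done in one pass with the ActiveDirectory PowerShell module, walking the nesting so that each Global parent group is converted before the group nested inside it. This is an added example and not part of the original post or Jeff Guillet's write-up; it assumes RSAT (the ActiveDirectory module) is installed and that the account running it may modify groups. The function name Convert-GlobalGroupToUniversal and the -ReportOnly switch are my own.

```powershell
# Added example: convert nested Global security groups to Universal, parents first.
# Assumes the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

function Convert-GlobalGroupToUniversal {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # name or distinguishedName
        [switch] $ReportOnly,                         # show what would change, change nothing
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    $group = Get-ADGroup -Identity $Identity -Properties MemberOf

    # Guard against circular nesting so the recursion always terminates.
    if (-not $Visited.Add($group.DistinguishedName)) { return }

    # Distribution groups and groups that are already Universal/DomainLocal are left alone.
    if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') { return }

    # A Global group cannot become Universal while it is a member of another Global group,
    # so convert every Global parent first (depth-first), then the group itself.
    foreach ($parentDn in $group.MemberOf) {
        Convert-GlobalGroupToUniversal -Identity $parentDn -ReportOnly:$ReportOnly -Visited $Visited
    }

    try {
        Set-ADGroup -Identity $group.DistinguishedName -GroupScope Universal `
                    -WhatIf:$ReportOnly -ErrorAction Stop
        if (-not $ReportOnly) { Write-Host "Converted $($group.Name)" }
    } catch {
        # Built-in groups such as Domain Users cannot be converted; report and keep going,
        # which is what dsmod -c does.
        Write-Warning "Skipped $($group.Name): $($_.Exception.Message)"
    }
}

# Dry run over every Global security group in the domain; drop -ReportOnly to apply.
Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' |
    ForEach-Object { Convert-GlobalGroupToUniversal -Identity $_.DistinguishedName -ReportOnly }
```

Because parents are converted before children, a single run replaces the repeated dsmod passes described above; the -ReportOnly dry run lists the groups that would change without touching the directory.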