
Converting group scope – to Universal

We’ve seen how to create the different group types, but we may create a group as a global group and need to change it to another type. This isn’t a free range change process:

  • Universal and Domain Local can be converted to the other
  • Universal and Global can be converted to the other
  • There is no direct conversion from Global to Domain Local or vice versa
  • You can’t convert a group that has nested groups that wouldn’t be allowed in the new group type

I decided to write three functions, one to convert to each type of group. I’m only considering security groups because all distribution lists in Exchange 2007 and above have to be Universal.

To convert security groups to Universal:

## converts a security group to a Universal group
function ConvertTo-UniversalSecurityGroup {
[CmdletBinding(SupportsShouldProcess=$true)]
param (
 [Parameter(Mandatory=$true)]
 [string]$groupname,

 [ValidateSet("M", "P", "Q", "S")]
 [string]$type = "S"
)

## find the group and read its current type and distinguished name
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=group)(cn=$groupname))"
$search.SizeLimit = 3000
$search.PropertiesToLoad.Add("groupType") | Out-Null
$search.PropertiesToLoad.Add("distinguishedName") | Out-Null
$result = $search.FindOne()

## stop here if the search found nothing
if (-not $result) {Throw "Group $groupname not found"}

$grouptype = $result.Properties.grouptype[0]
$dn = $result.Properties.distinguishedname[0]

## reject groups that can't be converted, warn about those that can
switch($grouptype){
   2  {Throw "Not Security Group"}
   4  {Throw "Not Security Group"}
   8  {Throw "Not Security Group"}
   -2147483646  {
         Write-Warning "Converting Global group $groupname to Universal group"
       }
   -2147483644  {
         Write-Warning "Converting Domain Local group $groupname to Universal group"
       }
   -2147483643  {
         Throw "Builtin Local group - cannot change"
       }
   -2147483640  {
         Throw "Universal - cannot change"
       }
   default {Throw "Error - Unrecognised group type"}
}

## honour -WhatIf and -Confirm for every script type, including ADSI
if ($PSCmdlet.ShouldProcess($dn, "Convert to Universal group")) {
switch ($type) {
#Microsoft
"M" {
      Set-ADGroup -Identity $groupname -GroupScope Universal
    }
#AD provider
"P" {
      Set-ItemProperty -Path "AD:\$dn" -Name GroupType -Value -2147483640 -Force
    }
#Quest
"Q" {
      Set-QADGroup -Identity $groupname -GroupScope "Universal"
    }
#Script
"S" {
      $group = [adsi]"LDAP://$dn"
      $group.GroupType = -2147483640
      $group.SetInfo()
    }

default {Write-Host "Error!!! Should not be here" }
} ## end of type switch
} ## end of ShouldProcess
}  ## end of function


I’ve used ConvertTo as the verb as it’s legal PowerShell.



The group name and the type of script you want are the only parameters. The group type is checked and the conversion is either rejected or a warning message is printed. The values used to check the group type are pre-calculated – see http://msmvps.com/blogs/richardsiddaway/archive/2012/03/09/get-all-groups.aspx
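The function puts the group name straight into the LDAP filter and takes the first hit from FindOne(), so a name containing filter characters such as * or ( can select a different group from the one intended, and the P and S branches then change whatever distinguished name came back. The following is an added example, not code from the original post: a hypothetical helper, Get-GroupForScopeChange, that escapes the name, refuses zero or ambiguous matches, and derives scope and category from the groupType flag bits instead of the pre-calculated totals. It assumes PowerShell 3.0 or later for [pscustomobject].

```powershell
# Added example: hypothetical helper, not part of the original function.
function Get-GroupForScopeChange {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$groupname
    )

    # Escape LDAP filter metacharacters (RFC 4515); the backslash must go first
    $safe = $groupname -replace '\\', '\5c' -replace '\*', '\2a' `
                       -replace '\(', '\28' -replace '\)', '\29' `
                       -replace '\x00', '\00'

    $search = [adsisearcher]"(&(objectClass=group)(cn=$safe))"
    $search.PropertiesToLoad.AddRange([string[]]@('groupType', 'distinguishedName'))
    $found = @($search.FindAll())

    # cn is only unique within a container, so demand exactly one match
    if ($found.Count -eq 0) { throw "No group named '$groupname' found" }
    if ($found.Count -gt 1) {
        throw "'$groupname' matches $($found.Count) groups - identify one by distinguished name"
    }

    # groupType is a bit field: 0x1 system-created (builtin), 0x2 global,
    # 0x4 domain local, 0x8 universal, 0x80000000 security-enabled.
    # Example: -2147483646 = 0x80000000 + 0x2 = Global security group.
    $gt = [int]$found[0].Properties['grouptype'][0]
    $scope = if     ($gt -band 0x1) { 'BuiltinLocal' }
             elseif ($gt -band 0x2) { 'Global' }
             elseif ($gt -band 0x4) { 'DomainLocal' }
             elseif ($gt -band 0x8) { 'Universal' }
             else                   { 'Unknown' }

    [pscustomobject]@{
        DistinguishedName = [string]$found[0].Properties['distinguishedname'][0]
        GroupType         = $gt
        Scope             = $scope
        IsSecurity        = [bool]($gt -band 0x80000000)
    }
}
```

A caller would convert only when IsSecurity is true and Scope is Global or DomainLocal, and would pass the returned DistinguishedName to whichever change method is used.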



The default script type is "S" (script).



The relevant script type is then run. The syntax for these commands should be clear from previous examples.
