The final version, which converts a security group to a Domain Local group, shouldn't hold any surprises
```powershell
## converts a security group to a Domain Local group
function ConvertTo-DomainLocalSecurityGroup {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param (
        [Parameter(Mandatory=$true)]
        [string]$groupname,

        ## M = Microsoft AD cmdlets, P = AD provider, Q = Quest cmdlets, S = ADSI script
        [ValidateSet("M", "P", "Q", "S")]
        [string]$type = "S"
    )

    ## escape LDAP filter metacharacters (RFC 4515) so an odd group name cannot alter the query
    $escaped = $groupname -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $root = [ADSI]""
    $search = [adsisearcher]$root
    $search.Filter = "(&(objectclass=group)(cn=$escaped))"
    $search.SizeLimit = 3000
    $search.PropertiesToLoad.Add("groupType") | Out-Null
    $search.PropertiesToLoad.Add("distinguishedName") | Out-Null

    $result = $search.FindOne()
    if ($result -eq $null) { Throw "Group $groupname not found" }

    ## both properties come back as collections - take the single value
    $grouptype = [int]$result.Properties["grouptype"][0]
    $dn = [string]$result.Properties["distinguishedname"][0]

    switch ($grouptype) {
        2 {Throw "Not Security Group"}
        4 {Throw "Not Security Group"}
        8 {Throw "Not Security Group"}
        -2147483646 { Write-Warning "Converting Global group $groupname to Domain Local group" }
        -2147483644 { Throw "Domain Local - cannot change" }
        -2147483643 { Throw "Builtin Local group - cannot change" }
        -2147483640 { Write-Warning "Converting Universal group $groupname to Domain Local group" }
        default {Throw "Error - Unrecognised group type"}
    }

    ## honour -WhatIf / -Confirm before touching the directory
    if (-not $PSCmdlet.ShouldProcess($groupname, "Convert to Domain Local security group")) { return }

    switch ($type) {
        #Microsoft
        "M" {
            ## a Global group cannot go straight to Domain Local - go via Universal
            if ($grouptype -eq -2147483646) {
                Set-ADGroup -Identity $groupname -GroupScope Universal
            }
            Set-ADGroup -Identity $groupname -GroupScope DomainLocal
        }
        #AD provider
        "P" {
            if ($grouptype -eq -2147483646) {
                Set-ItemProperty -Path "AD:\$dn" -Name GroupType -Value -2147483640 -Force
            }
            Set-ItemProperty -Path "AD:\$dn" -Name GroupType -Value -2147483644 -Force
        }
        #Quest
        "Q" {
            if ($grouptype -eq -2147483646) {
                Set-QADGroup -Identity $groupname -GroupScope "Universal"
            }
            Set-QADGroup -Identity $groupname -GroupScope "DomainLocal"
        }
        #Script
        "S" {
            $group = [adsi]"LDAP://$dn"
            if ($grouptype -eq -2147483646) {
                $group.GroupType = -2147483640  ## universal
                $group.SetInfo()
            }
            $group.GroupType = -2147483644      ## domain local
            $group.SetInfo()
        }
        default {Write-Host "Error!!! Should not be here" }
    } ## end of type switch
} ## end of function
```
The difference from the previous post is that we test for a Global group and convert it to Universal first. Active Directory will not change a group's scope directly from Global to Domain Local, so the conversion has to go through Universal. That first step has its own rule: a Global group cannot become Universal while it is a member of another Global group, so the conversion will fail on such a group until that membership is removed.
These functions are all used in the same way – supply a group name and the type of script you want to run (M, P, Q or S; S, the ADSI script, is the default)
```powershell
ConvertTo-DomainLocalSecurityGroup -groupname testg9
ConvertTo-DomainLocalSecurityGroup -groupname testg8 -type S
ConvertTo-DomainLocalSecurityGroup -groupname testg7 -type Q
ConvertTo-DomainLocalSecurityGroup -groupname testg6 -type P
ConvertTo-DomainLocalSecurityGroup -groupname testg5 -type M
```
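The function above matches the raw groupType numbers, which is fine for the four security scopes but hides why they are what they are. As an added example, not part of the original post, the script below decodes the attribute into its flag bits (the ADS_GROUP_TYPE values, where the sign bit is the security-enabled flag) and works out the sequence of scope changes AD will accept for a requested target scope, generalising the Global-via-Universal rule to the reverse direction as well. The function names and the sample groupType values fed to it are constructed for the illustration; it runs offline with no domain needed.

```powershell
## Added example (not from the original post): decode groupType into flag bits
## and work out the scope-change path AD will accept, instead of matching on
## the raw magic numbers. Runs offline - no domain needed.

## Bit values of the groupType attribute (ADS_GROUP_TYPE_ENUM)
[uint32]$ADS_GROUP_TYPE_BUILTIN_LOCAL      = 0x00000001
[uint32]$ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x00000002
[uint32]$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
[uint32]$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x00000008
[uint32]$ADS_GROUP_TYPE_SECURITY_ENABLED   = 0x80000000   # AD stores this as a negative Int32

function ConvertFrom-GroupType {
    ## hypothetical helper: turn the signed Int32 AD stores into scope + security flag
    param ([Parameter(Mandatory=$true)][int]$GroupType)
    ## reinterpret the bytes as UInt32 so the sign bit can be tested like any other flag
    $bits = [System.BitConverter]::ToUInt32([System.BitConverter]::GetBytes($GroupType), 0)
    $scope = if ($bits -band $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) {
                 if ($bits -band $ADS_GROUP_TYPE_BUILTIN_LOCAL) { "BuiltinLocal" } else { "DomainLocal" }
             } elseif ($bits -band $ADS_GROUP_TYPE_GLOBAL_GROUP)    { "Global" }
             elseif ($bits -band $ADS_GROUP_TYPE_UNIVERSAL_GROUP) { "Universal" }
             else { "Unknown" }
    [pscustomobject]@{
        GroupType  = $GroupType
        Scope      = $scope
        IsSecurity = [bool]($bits -band $ADS_GROUP_TYPE_SECURITY_ENABLED)
    }
}

function Get-GroupTypeValue {
    ## hypothetical helper: the signed Int32 to write for a security group of the given scope
    param ([Parameter(Mandatory=$true)][ValidateSet("Global","DomainLocal","Universal")][string]$Scope)
    $scopeBit = switch ($Scope) {
        "Global"      { $ADS_GROUP_TYPE_GLOBAL_GROUP }
        "DomainLocal" { $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP }
        "Universal"   { $ADS_GROUP_TYPE_UNIVERSAL_GROUP }
    }
    $unsigned = [uint32]($scopeBit -bor $ADS_GROUP_TYPE_SECURITY_ENABLED)
    [System.BitConverter]::ToInt32([System.BitConverter]::GetBytes($unsigned), 0)
}

function Get-GroupScopeConversionPath {
    ## hypothetical helper: the scopes to set, in order, to reach $TargetScope
    param (
        [Parameter(Mandatory=$true)][int]$GroupType,
        [ValidateSet("Global","DomainLocal","Universal")][string]$TargetScope = "DomainLocal"
    )
    $info = ConvertFrom-GroupType -GroupType $GroupType
    if (-not $info.IsSecurity)          { Throw "Not Security Group" }
    if ($info.Scope -eq "BuiltinLocal") { Throw "Builtin Local group - cannot change" }
    if ($info.Scope -eq $TargetScope)   { Throw "Already a $TargetScope group - nothing to change" }
    ## AD refuses a direct Global <-> DomainLocal change; Universal is reachable from both
    if (($info.Scope -eq "Global" -and $TargetScope -eq "DomainLocal") -or
        ($info.Scope -eq "DomainLocal" -and $TargetScope -eq "Global")) {
        return @("Universal", $TargetScope)
    }
    return @($TargetScope)
}

## Constructed sample values: Global, Universal, Domain Local and Builtin security
## groups, then a Global distribution group
foreach ($gt in -2147483646, -2147483640, -2147483644, -2147483643, 2) {
    $info = ConvertFrom-GroupType -GroupType $gt
    try   { $path = (Get-GroupScopeConversionPath -GroupType $gt) -join " -> " }
    catch { $path = $_.Exception.Message }
    "{0,12} {1,-13} security={2,-5} path: {3}" -f $gt, $info.Scope, $info.IsSecurity, $path
}

## round trip: the value to write for each step of the Global -> Domain Local conversion
Get-GroupScopeConversionPath -GroupType -2147483646 | ForEach-Object {
    "{0,-12} -> {1}" -f $_, (Get-GroupTypeValue -Scope $_)
}
```

The path returned for a Global group is Universal then DomainLocal, matching the two Set-ADGroup calls in the function above; feeding each step to Set-ADGroup -GroupScope, or writing the value from Get-GroupTypeValue through ADSI, does the same work as the M and S branches. The membership rule still applies: the Universal step is rejected by AD while the group is a member of another Global group, and the decoder cannot see that without querying the directory.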