Recently I was working with someone who spent a bunch of time building Active Directory groups for a project I’m working on. After he was done, I noticed the groups he made were Global type groups (which is the default type in ADUC) instead of Domain Local type groups, which I needed for my project.
Instead of causing the person to panic, I told him we could turn to PowerShell to easily flip the type. However, there is one caveat… You cannot convert groups directly from Global to Domain Local, so they have to be converted to Universal first.
Fortunately for me, all these groups were in a single OU, and we could fix this with just a few simple commands. Just read along in the comments for explanations of each line.
# Before we begin processing groups, set a variable for the search base:
$MySearchBase = "ou=Groups,ou=ABC,dc=lab,dc=local"
# For our first step – we load up a variable with the groups we want (filtered by type):
$MyGroupList = Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' -SearchBase $MySearchBase
# If you want to validate you got the correct groups in the variable, list out the names of your objects in the variable:
$MyGroupList | Select-Object -ExpandProperty Name
# Now, for every group in the list, we flip the type to Universal:
$MyGroupList | Set-ADGroup -GroupScope Universal
# Now for our second step – we re-load the variable:
$MyGroupList = Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Universal"' -SearchBase $MySearchBase
# Again, if you want to validate you got the correct groups, list them out:
$MyGroupList | Select-Object -ExpandProperty Name
# Finally, convert them from Universal to Domain Local:
$MyGroupList | Set-ADGroup -GroupScope DomainLocal
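The second reload above selects every Universal security group in the OU, including any that were already Universal before step one. The following is an added example, not the original post's code: it snapshots the Global groups once, converts only those by ObjectGUID, and keeps a CSV record. The $DryRun switch, the $LogPath file name and pinning to the PDC emulator are assumptions of this example.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$MySearchBase = "ou=Groups,ou=ABC,dc=lab,dc=local"   # search base from the post
$LogPath      = ".\GroupScopeChange.csv"             # assumed audit/rollback file name
$DryRun       = $true                                # assumed switch: $false applies changes

# Send every read and write to one DC so the second change does not race replication.
$DC = (Get-ADDomain).PDCEmulator

# Snapshot ONLY the groups that are Global right now.
$Targets = @(Get-ADGroup -Server $DC -SearchBase $MySearchBase `
    -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"')

# Record what is about to change before touching anything.
$Targets | Select-Object Name, DistinguishedName, ObjectGUID, GroupScope |
    Export-Csv -Path $LogPath -NoTypeInformation

foreach ($Group in $Targets) {
    try {
        # Step 1: Global -> Universal. AD rejects this if the group is itself
        # a member of another Global group.
        Set-ADGroup -Identity $Group.ObjectGUID -Server $DC -GroupScope Universal `
            -WhatIf:$DryRun -ErrorAction Stop

        # Step 2: Universal -> Domain Local. AD rejects this if the group is
        # a member of another Universal group.
        Set-ADGroup -Identity $Group.ObjectGUID -Server $DC -GroupScope DomainLocal `
            -WhatIf:$DryRun -ErrorAction Stop
    }
    catch {
        # A failure on step 2 leaves the group Universal; the warning names it.
        Write-Warning "Could not convert '$($Group.Name)': $($_.Exception.Message)"
    }
}

# Re-read the same objects by GUID and show their final scope.
$Targets | ForEach-Object { Get-ADGroup -Identity $_.ObjectGUID -Server $DC } |
    Select-Object Name, GroupScope
```

With $DryRun left at $true, both Set-ADGroup calls only print what they would change, so the target list can be reviewed against the CSV first.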
And of course, I thought it’d be great to pass it along in case it helps stop some panic in your world… Enjoy!