Convert Global to Universal Security Group with PowerShell

We like to convert Global to Universal Security Group with PowerShell. Why with PowerShell? It’s because we have to convert more than a hundred groups. It will take hours of work if we are going to do it with Active Directory Users and Computers (ADUC). In this article, you will learn how to convert Global to Universal Security Group with PowerShell.

Table of contents

Active Directory group types

When creating a new group in the organization with ADUC, we have Group scope and Group type.

Convert Global to Universal Security Group with Powershell ADUC

Active Directory group scope

There are three group scopes that we can select:

  • Domain local groups: Used to assign permissions for access to resources.
  • Global groups: Used to organize users who share similar network access requirements.
  • Universal groups: Used to assign permissions to related resources in multiple domains.

Active Directory group type

There are two group types:

  • Security groups: Used to control access to resources. Security groups can also be used as email distribution lists.
  • Distribution groups: Can be used only for email distribution lists, or simple administrative groupings. Distribution groups cannot be used for access control because they are not security enabled.

Now that we have a bit of understanding about the group scope and group type, let’s start converting.

Convert Global to Universal Security group

We are going to get the information from one single group named Data. Run PowerShell as administrator.

Note: In ADUC it’s named Group scope and Group type. In PowerShell it’s named Group scope and Group category.

PS C:\> Get-AdGroup "Data" | ft Name, GroupScope, GroupCategory

Name GroupScope GroupCategory
---- ---------- -------------
Data     Global  Distribution

Change the group scope to Universal and the group type to Security. After that, we will check if it’s converted successfully.

PS C:\> Get-AdGroup "Data" | Set-ADGroup -GroupScope Universal -GroupCategory Security

PS C:\> Get-AdGroup "Data" | ft Name, GroupScope, GroupCategory

Name GroupScope GroupCategory
---- ---------- -------------
Data  Universal      Security

Converting Global Distrubition group to Universal Security group went great. What if we have more than a hundred groups that we need to convert from Global to Universal Security group?

Bulk convert Global to Universal Security group

We have an Organizational Unit (OU) named Mailbox with all the groups that we like to convert to Universal Security group. Find the distinguished name in AD. We need to insert that in the PowerShell command.

Start Active Directory Users and Computers. Enable Advanced Features.

Convert Global to Universal Security Group with Powershell ADUC Advanced Features

Right-click the Organizational Unit with the groups that you like to convert. Click Properties.

Convert Global to Universal Security Group with Powershell OU Properties

Click the Attribute Editor tab. Find the attribute distinguishedName and copy its value.

Convert Global to Universal Security Group with Powershell Attribute Editor DistinguishedName

List all the groups in the OU Mailbox.

PS C:\> Get-ADGroup -SearchBase "OU=Mailbox,OU=Groups,OU=Company,DC=exoip,DC=local" -filter * | Sort Name | Select-Object Name, GroupScope, GroupCategory

Name                 GroupScope GroupCategory
----                 ---------- -------------
All Staff                Global      Security
Data                  Universal      Security
Finance               Universal  Distribution
HR                    Universal  Distribution
IT Admins                Global  Distribution
Management            Universal  Distribution
Payroll Team             Global  Distribution
Payroll Team Leaders     Global  Distribution
Sales                    Global  Distribution

Create a temp folder on the C:\. Export the output to CSV and sort it on Name. This comes in handy if you want to send a list with the details. The name of the CSV will be Mailbox_Groups.csv.

PS C:\> Get-ADGroup -SearchBase "OU=Mailbox,OU=Groups,OU=Company,DC=exoip,DC=local" -Filter * | Sort Name | Select-Object Name, GroupScope, GroupCategory | Export-Csv -Path "C:\temp\Mailbox_Groups.csv" -NoTypeInformation

Bulk convert all groups in OU Mailbox to group scope Universal. After that, check if the Group Scope is showing as Universal.

PS C:\> Get-ADGroup -SearchBase "OU=Mailbox,OU=Groups,OU=Company,DC=exoip,DC=local" -filter * | Set-ADGroup -GroupScope Universal

PS C:\> Get-ADGroup -SearchBase "OU=Mailbox,OU=Groups,OU=Company,DC=exoip,DC=local" -filter * | Sort Name | Select-Object Name, GroupScope, GroupCategory

Name                 GroupScope GroupCategory
----                 ---------- -------------
All Staff             Universal      Security
Data                  Universal      Security
Finance               Universal  Distribution
HR                    Universal  Distribution
IT Admins             Universal  Distribution
Management            Universal  Distribution
Payroll Team          Universal  Distribution
Payroll Team Leaders  Universal  Distribution
Sales                 Universal  Distribution

Do the same, but this time bulk convert all groups in OU Mailbox to group type Security. When done, check if the group type is showing as Security.

PS C:\> Get-ADGroup -SearchBase "OU=Mailbox,OU=Groups,OU=Company,DC=exoip,DC=local" -filter * | Set-ADGroup -GroupCategory Security

PS C:\> Get-ADGroup -SearchBase "OU=Mailbox,OU=Groups,OU=Company,DC=exoip,DC=local" -filter * | Sort Name | Select-Object Name, GroupScope, GroupCategory

Name                 GroupScope GroupCategory
----                 ---------- -------------
All Staff             Universal      Security
Data                  Universal      Security
Finance               Universal      Security
HR                    Universal      Security
IT Admins             Universal      Security
Management            Universal      Security
Payroll Team          Universal      Security
Payroll Team Leaders  Universal      Security
Sales                 Universal      Security

We can run both the above commands in one single command. This will bulk convert the groups in OU to group scope Universal and group type Security.

PS C:\> Get-ADGroup -SearchBase "OU=Mailbox,OU=Groups,OU=Company,DC=exoip,DC=local" -filter * | Set-ADGroup -GroupScope Universal -GroupCategory Security

Conclusion

You learned how to convert Global to Universal Security Group with PowerShell. It’s just a couple of minutes work if we convert groups with PowerShell. We can convert one group only or we can do all the groups in bulk. Microsoft did write documentation regarding the Active Directory Security Groups. Did you enjoy this article? You may also like to read MSExchange ActiveSync 1023 warning. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

X TwitterLinkedIn

What Others Are Reading

This Post Has 2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *