Recipe 7.6 Changing the Scope or Type of a Group
7.6.1 Problem
You want to change the
scope or type of a group.
7.6.2 Solution
7.6.2.1 Using a graphical user interface
Open the Active Directory
Users and Computers snap-in. If you need to change domains, right-click on Active Directory Users
and Computers in the left pane, select Connect to Domain, enter the
domain name, and click OK. In the left pane, right-click on the domain and select Find. Enter the name of the group you want to modify and click Find Now. Double-click on the group in the results pane. In the group properties dialog box, select the new scope or type and
click OK.
7.6.2.2 Using a command-line interface
The following example changes the group scope for
<GroupDN> to
<NewScope>, which should be
l for domain local group, g for
global group, or u for universal group.
> dsmod group "<GroupDN>" -scope <NewScope>
The following example changes the group type for
<GroupDN>. For the
-secgrp switch, specify yes to
change to a security group or no to make the group
a distribution list.
> dsmod group "<GroupDN>" -secgrp yes|no
7.6.2.3 Using VBScript
' This code sets the scope and type of the specified group
' to a universal security group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
' Constants taken from ADS_GROUP_TYPE_ENUM
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 1
ADS_GROUP_TYPE_GLOBAL_GROUP = 2
ADS_GROUP_TYPE_LOCAL_GROUP = 4
ADS_GROUP_TYPE_SECURITY_ENABLED = -2147483648
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 8
set objGroup = GetObject("LDAP://" & strGroupDN )
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP _
Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
7.6.3 Discussion
Group scope and type are stored as a flag in the
groupType attribute on group objects. To directly
update groupType, you must logically OR the values
associated with each type and scope, as shown in the API solution.
Note that there is no specific value for the distribution list type.
If you want to create a distribution list, just do not include the
ADS_GROUP_TYPE_SECURITY_ENABLED flag when setting
groupType.
|
For a good description of the usage scenarios for each group type,
see Chapter 11 in Active Directory, Second Edition.
|
|
7.6.4 See Also
MS KB 231273 (Group Type and Scope Usage in Windows), MSDN:
ADS_GROUP_TYPE_ENUM, and MSDN: What Type of Group to Use
|