DekGenius.com
[ Team LiB ] Previous Section Next Section

Recipe 7.6 Changing the Scope or Type of a Group

7.6.1 Problem

You want to change the scope or type of a group.

7.6.2 Solution

7.6.2.1 Using a graphical user interface
  1. Open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group you want to modify and click Find Now.

  5. Double-click on the group in the results pane.

  6. In the group properties dialog box, select the new scope or type and click OK.

7.6.2.2 Using a command-line interface

The following example changes the group scope for <GroupDN> to <NewScope>, which should be l for domain local group, g for global group, or u for universal group.

> dsmod group "<GroupDN>" -scope <NewScope>

The following example changes the group type for <GroupDN>. For the -secgrp switch, specify yes to change to a security group or no to make the group a distribution list.

> dsmod group "<GroupDN>" -secgrp yes|no
7.6.2.3 Using VBScript
' This code sets the scope and type of the specified group 
' to a universal security group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>"  ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' Constants taken from ADS_GROUP_TYPE_ENUM
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 1
ADS_GROUP_TYPE_GLOBAL_GROUP       = 2
ADS_GROUP_TYPE_LOCAL_GROUP        = 4
ADS_GROUP_TYPE_SECURITY_ENABLED   = -2147483648
ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8

set objGroup = GetObject("LDAP://" & strGroupDN )
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP _
                       Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo

7.6.3 Discussion

Group scope and type are stored as a flag in the groupType attribute on group objects. To directly update groupType, you must logically OR the values associated with each type and scope, as shown in the API solution. Note that there is no specific value for the distribution list type. If you want to create a distribution list, just do not include the ADS_GROUP_TYPE_SECURITY_ENABLED flag when setting groupType.

For a good description of the usage scenarios for each group type, see Chapter 11 in Active Directory, Second Edition.

7.6.4 See Also

MS KB 231273 (Group Type and Scope Usage in Windows), MSDN: ADS_GROUP_TYPE_ENUM, and MSDN: What Type of Group to Use

    [ Team LiB ] Previous Section Next Section