Convert domain global group to local.

    Question

  • Hi,

    We need to convert a global group to local as we need to add users from other forest.

    The group is used by an application to give permissions.

    What's the implication of that conversion? The SID remains the same.

    Thank you.

    Monday, April 09, 2012 3:16 PM

Answers

  • The conversion is only affecting the scope. Since the SID is not changing, the permissions will remain the same. The description below will explain the difference and scope of these groups.

    A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.

    A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.

    A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not supported.


    Sajeed AM|+919846553328


    • Edited by Sajeed AM Monday, April 09, 2012 3:35 PM
    • Marked as answer by Bruce-Liu Wednesday, April 11, 2012 5:33 AM
    Monday, April 09, 2012 3:32 PM
  • Hello,

    Since the SID will remain the same, there should be no problems with permissions.

    You can convert your group to a universal one and then to a domain local one.

    Just make sure that there is no problem with the scope of the group so that your application works properly. (Like with Exchange Server 2010, it is recommended that groups for DLs will be universal ones).


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Marked as answer by fedayn1 Monday, April 09, 2012 3:45 PM
    Monday, April 09, 2012 3:24 PM

All replies

  • What does the change from global to local imply?
    Monday, April 09, 2012 3:28 PM
  • What does the change from global to local imply?

    Hello again,

    It is just a change of the scope. More information here: http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx



    Monday, April 09, 2012 3:40 PM
  • Global groups (assuming native mode):

    1. Membership can include users and global groups in the same domain.
    2. Can be member of universal and domain local groups in any domain, and global groups in the same domain.
    3. Visible in all domains in the forest (all trusted domains).
    4. Can be assigned permissions for all domains in the forest.

    Domain local groups:

    1. Membership can include users, global groups, and universal groups from any domain in the forest, and domain local groups from the same domain.
    2. Can be member of domain local groups in the same domain.
    3. Visible only in its own domain.
    4. Can be assigned permissions for the domain in which the domain local group exists.

    So, when you convert from global to domain local, membership is not affected, but the group itself can no longer be a member of any groups other than domain local groups in the same domain. Also, the group can no longer be used to assign permissions in other domains.


    Richard Mueller - MVP Directory Services

    Monday, April 09, 2012 3:46 PM
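As an added example that is not from this thread or from any of its posters: the two-step conversion mentioned above (global to universal to domain local), preceded by a pre-flight check against the nesting rule in Richard's reply (a domain local group can only be a member of domain local groups) and followed by a check that the group's SID survived. It assumes the ActiveDirectory PowerShell module on a domain-joined machine and uses a placeholder group name.

```powershell
# Added example, not the thread's own code. Assumes the ActiveDirectory module and a
# placeholder group name; change $GroupName before running.
Import-Module ActiveDirectory

$GroupName = 'APP-FileShare-Access'   # placeholder, not a name from the thread

$before = Get-ADGroup -Identity $GroupName -Properties memberOf
if ($before.GroupScope -ne 'Global') {
    throw "Expected a Global group, found scope '$($before.GroupScope)'"
}

# Pre-flight: after the change the group may only be nested in domain local groups
# (rule 2 for domain local groups above), so list every parent that is not one.
# Parents in another domain need Get-ADGroup -Server <that domain's DC>.
$conflicts = foreach ($dn in $before.memberOf) {
    $parent = Get-ADGroup -Identity $dn
    if ($parent.GroupScope -ne 'DomainLocal') { $parent }
}
if ($conflicts) {
    Write-Warning "Nested in non-domain-local groups; review these before converting:"
    $conflicts | Select-Object Name, GroupScope, DistinguishedName | Format-Table -AutoSize
    return
}

# AD does not allow Global -> DomainLocal in one step, hence the hop via Universal.
# Add -WhatIf to both lines for a dry run.
Set-ADGroup -Identity $GroupName -GroupScope Universal
Set-ADGroup -Identity $GroupName -GroupScope DomainLocal

# Verify: ACLs on the application's resources reference the SID, not the scope,
# so the SID must be identical before and after.
$after = Get-ADGroup -Identity $GroupName
if ($after.SID.Value -ne $before.SID.Value) {
    throw "SID changed from $($before.SID.Value) to $($after.SID.Value); stop and investigate"
}
"{0}: scope {1} -> {2}, SID {3} unchanged" -f $GroupName, $before.GroupScope,
    $after.GroupScope, $after.SID.Value
```

Membership of the group itself is not touched by the scope change, so accounts from the other forest can be added afterwards with Add-ADGroupMember once the trust is in place.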