Convert Privileged Group scope from Universal to Global

  • Question

  • Hello Team,

    Is there an option to convert the domain privileged groups (Enterprise Admins & Schema Admins) from Universal to Global scope? Will that secure the privileged groups in a single-domain forest?

    Thanks.

    Friday, October 30, 2020 10:56 AM

All replies

  • According to your description, we would like to know whether we could convert a global group to a domain local group. As Thameur mentioned, we could first convert the global group to a universal group, then convert it to a domain local group.

    As you said, it works when we try to convert a global group to a universal group before changing it to a domain local group. We could discuss with your manager about the impact when we change the group scope. We hope that there is no problem with the scope of the group so that your application works properly.

    For Global to Universal, this conversion is allowed only if the group that you want to change is not a member of another global scope group (as long as it is not a member of any other global groups). For Universal to Domain Local, there are no restrictions for this operation.

    If our AD environment is complex, and the nesting relationship of this group is also complex, and this group is used in many domains in the forest, we recommend that we check these first, and then see if we can change the scope of the group.


    • Proposed as answer by KHURRAM RAHIM Friday, October 30, 2020 7:51 PM
    Friday, October 30, 2020 11:20 AM
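
The pre-check recommended in the reply above, as an added example that is not part of the original thread: it encodes only the two rules the reply states (Global to Universal is blocked by membership in another global group, Universal to Domain Local is unrestricted) and changes nothing in the directory. The function name `Get-ScopeConversionPlan`, the group names and the distinguished names are hypothetical, and the sample data is constructed.

```powershell
# Added example: read-only planning of a group scope conversion.
function Get-ScopeConversionPlan {
    param(
        [Parameter(Mandatory)] $Group,                    # needs Name, GroupScope, MemberOf (parent DNs)
        [Parameter(Mandatory)] [hashtable] $ParentScope,  # parent DN -> scope of that parent group
        [Parameter(Mandatory)] [ValidateSet('Universal', 'DomainLocal')] [string] $Target
    )
    # Conversion path described in the reply: Global -> Universal -> DomainLocal.
    $order   = @('Global', 'Universal', 'DomainLocal')
    $current = [string]$Group.GroupScope
    $from    = [array]::IndexOf($order, $current)
    $to      = [array]::IndexOf($order, $Target)
    if ($from -lt 0 -or $to -le $from) {
        throw "Conversion $current -> $Target is not covered by the rules stated in the reply."
    }
    $steps = for ($i = $from; $i -lt $to; $i++) { '{0} -> {1}' -f $order[$i], $order[$i + 1] }

    # Only the Global -> Universal step has a restriction: no global-scope parent groups.
    $blockers = @()
    if ($current -eq 'Global') {
        $blockers = @($Group.MemberOf | Where-Object { $_ -and $ParentScope[$_] -eq 'Global' })
    }
    [pscustomobject]@{
        Group    = $Group.Name
        Steps    = @($steps)
        Blockers = $blockers
        Allowed  = ($blockers.Count -eq 0)
    }
}

# Constructed sample data (hypothetical group and domain). In a live domain the same shape comes from:
#   $group = Get-ADGroup -Identity 'App-Operators' -Properties MemberOf
#   $group.MemberOf | ForEach-Object { $parentScope[$_] = [string](Get-ADGroup -Identity $_).GroupScope }
$group = [pscustomobject]@{
    Name       = 'App-Operators'
    GroupScope = 'Global'
    MemberOf   = @('CN=Tier1-Ops,OU=Groups,DC=example,DC=test',
                   'CN=App-Access,OU=Groups,DC=example,DC=test')
}
$parentScope = @{
    'CN=Tier1-Ops,OU=Groups,DC=example,DC=test'  = 'Global'       # blocks Global -> Universal
    'CN=App-Access,OU=Groups,DC=example,DC=test' = 'DomainLocal'  # does not block
}

Get-ScopeConversionPlan -Group $group -ParentScope $parentScope -Target DomainLocal | Format-List
```

With the sample data the plan reports two steps and one blocker, the global parent `Tier1-Ops`, so the nesting has to be reviewed before any scope change is attempted.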
  • Hello Team,

    Is there an option to convert the domain privileged groups (Enterprise Admins & Schema Admins) from Universal to Global scope? Will that secure the privileged groups in a single-domain forest?

    Thanks.

    Those are built-in groups. They can't be changed, with MIM or with anything else. Using a separate forest with a PIM trust is probably the best way for you to manage those. MIM PAM can work with that.
    Friday, November 20, 2020 2:14 PM