Powershell: changing GroupScope from Local to Universal of Nested Security AD Groups?

  • Question

  • Good morning everybody,

    Is there a way to switch the GroupScope to "Universal" for (many) *nested* Local AD Groups?

    I tried to find some information, but I'm always redirected to scripts that get memberships from nested groups and don't set anything. Or I found the contrary: from Universal to Local (not my issue).

    Do you have any suggestion?

    (The real request was to change 8 of some hundreds of AD Groups from Local to Universal scope. Obviously that won't work, but I still have an issue if I have to change them all to Universal. I guess that depends on the order in which you are changing the scope: you should proceed in the nesting order - something like "from the container to the contained ones and down all the line", in order to have Local AD Groups nested in already changed Local to Universal AD Groups... Wondering if there's some quick way to do this...)


    Thank you very much in advance for your support (even if you cannot solve my issue).

    Kind regards,

    Andrea

    Thursday, December 13, 2018 2:51 PM

All replies

  • A domain local group can be converted to universal, as long as it is not a member of another domain local group.

    Edit: The Set-ADGroup PowerShell cmdlet has the -GroupScope parameter, that allows you to change the scope (subject to restrictions like I noted). You could code a script to do this in bulk, but it should check for this restriction. You probably need to check all groups the domain local group is a member of to see if they are domain local. The Get-ADGroup cmdlet can check. Links:

    https://docs.microsoft.com/en-us/powershell/module/activedirectory/set-adgroup?view=winserver2012-ps

    The Get-ADGroup cmdlet can filter on all domain local groups. It supports the GroupScope property, so it can check if a group is domain local.

    https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=winserver2012-ps

    Obviously, such a script would need to be tested before updating lots of groups.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)




    Thursday, December 13, 2018 3:07 PM
    Moderator
  • A quick outline for a possible script:

    1. Use Get-ADGroup to retrieve all domain local groups (-Filter {GroupScope -eq "DomainLocal"}). Retrieve -Property MemberOf.
    2. For each domain local group, enumerate the MemberOf array (array of group DNs the group is a member of).
    3. For each MemberOf DN, use Get-ADGroup to retrieve the GroupScope property, and check if that group is domain local.
    4. If any MemberOf group is domain local, log or output, but skip the group.
    5. If all the MemberOf groups are not domain local, use Set-ADGroup to change the scope of the domain local group to universal.

    Edit: Or, instead of step 1, have a list of domain local groups (distinguished names or sAMAccountNames) and enumerate that in step 2.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, December 13, 2018 3:50 PM
    Moderator
  • Dear Richard, 

    thank you very much for your quick feedback. Let's see if I understand your "possible script".

    I've already done a little script this very morning that's picking up a list of Security AD Groups from a .csv and change all their -GroupScope property to the scope I tell it to use (Local, Global or Universal). Tested, it works fine.

    Until I found out that I have hundreds of *nested* groups (up to 5 or more levels... or down, whatever! - Whoever did this should be put in jail! LOL!). They're *all* "Local" domain. So, when I ran my script, Powershell asked me: "Are you kidding me?!" (for the obvious restriction you were mentioning). So I told them that we have to change them all. Now I'm wondering if that wasn't a bold answer, as I'm stuck.

    I thought the issue is that I don't have a hierarchy, so I'm not changing them to Universal from the deepest level of "nesting" (sorry for my English!) and going up, to the highest one (the original group from where all they are "descending" in the MemberOf). I don't know if it's a wrong thought. Anyway, am I understanding well or are you suggesting to loop until all the MemberOf are switched to Universal? Or are you saying that it cannot be done?

    Kind regards,

    Andrea

    Thursday, December 13, 2018 5:38 PM
  • I had not considered the nesting like you describe. To convert all to universal, you would need to start at the top of each hierarchy. First convert all domain local groups that are not members of any domain local groups (even due to nesting). Then repeat the process, until all are converted. Each time this is repeated there could be more groups that can be converted. I have to think about this.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, December 13, 2018 6:17 PM
    Moderator
  • I came up with the script below. You can test by commenting out the Set-ADGroup statement, or adding the -WhatIf parameter. But the script will then repeatedly list groups it would convert until the hash table is empty. This is because the statement to retrieve the remaining domain local security groups will retrieve the same groups each time, since none get converted in the test. But you can see if there are other errors.

    # Hash table of domain local security groups.
    # The key is the DN of the group, the value is not used.
    $DomLocGrps = @{}
    
    # Retrieve all domain local security groups (as objects, so DistinguishedName is available).
    $Groups = Get-ADGroup -Filter {(GroupScope -eq "DomainLocal") -And (GroupCategory -eq "Security")}
    ForEach ($Group In $Groups)
    {
        # Add the group DN to the hash table.
        $DomLocGrps.Add($Group.DistinguishedName, $True)
    }
    
    Do
    {
        # Retrieve all domain local security groups.
        # After each iteration there should be fewer domain local groups.
        $Groups = Get-ADGroup -Filter {(GroupScope -eq "DomainLocal") -And (GroupCategory -eq "Security")}
        # Count conversions in this pass, so that a nesting cycle cannot loop forever.
        $Converted = 0
    
        # Check recursive group membership of each domain local group.
        ForEach ($Group In $Groups)
        {
            $GrpDN = $Group.DistinguishedName
            # Recursively find all groups this group is a member of (LDAP_MATCHING_RULE_IN_CHAIN).
            $Grps = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$GrpDN)"
            $OK = $True
            :MyLoop ForEach ($Grp In $Grps)
            {
                # Compare by DN: the hash table keys are DN strings, not group objects.
                If ($DomLocGrps.ContainsKey($Grp.DistinguishedName))
                {
                    # This group is a member of a domain local group. It cannot be converted yet.
                    $OK = $False
                    Break MyLoop
                }
            }
            If ($OK)
            {
                # Convert this domain local group to universal.
                Set-ADGroup -Identity $GrpDN -GroupScope "Universal"
                # Remove this group from the hash table.
                $DomLocGrps.Remove($GrpDN)
                $Converted++
                "Converted Group: $GrpDN"
            }
        }
        If ($Converted -eq 0 -And $DomLocGrps.Count -gt 0)
        {
            # A full pass converted nothing: the remaining groups are nested in a cycle.
            "Unable to convert remaining groups (circular nesting): " + ($DomLocGrps.Keys -join "; ")
            Break
        }
    } Until ($DomLocGrps.Count -eq 0)



    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, December 13, 2018 7:32 PM
    Moderator
  • Thank you very much, Richard!

    I'm going to test this for sure. I have to narrow down, because it's just a local site (I'm working for a big Company - more than 100k Employees) and the issue is just in one OU of one of the sites. So, I cannot pick up all the "AM" Domain. And the worst thing is that I have to pay attention: we have many applications (even web ones) running there and changing the GroupScope can alter something and things stop working. So, delicate...

    (My opinion is that we should build the Security again in a correct way and once everything's set up, remove the old "Local" AD Groups. For that I need a clear situation of the Security hierarchy; in fact I'm using a function to build a "tree like" report and see what's inside the box. (Not a present!))

    When I have some real/useful result, I'll come back here to report.

    Kind regards,

    Andrea


    • Edited by Negrore Friday, December 14, 2018 9:15 AM Better English
    Friday, December 14, 2018 9:14 AM
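The approach Richard outlines (check each domain local group's parents, convert from the top of each hierarchy down, repeat), combined with the two constraints Andrea raises (restrict the run to one OU, and dry-run it before touching anything), as an added example that is not code from this thread or from either poster. It assumes the RSAT ActiveDirectory module; the OU and every DN in the constructed sample nesting are placeholders. It goes slightly beyond the thread's script: the order is planned once from the direct MemberOf links (the rule as stated in the first reply), so a -WhatIf run prints the plan a single time instead of repeating, and groups that can never be converted (mutual nesting, or a domain local parent outside the OU) are reported instead of looping.

```powershell
# Added example, not the thread's own script. Plans the DomainLocal -> Universal
# conversion order for the security groups under one OU, then applies it with -WhatIf.
# Assumptions: RSAT ActiveDirectory module is loaded; the OU below is a placeholder.

# Pure planner: $Parents maps each candidate group DN to the DNs of the domain local
# groups it is a DIRECT member of. Returns ordered conversion waves plus anything blocked.
function Get-ConversionPlan {
    param([hashtable]$Parents)

    $remaining = @{}
    foreach ($dn in $Parents.Keys) { $remaining[$dn] = $true }
    $waves = @()

    while ($remaining.Count -gt 0) {
        # A group is ready when none of its domain local parents is still waiting.
        # A parent that is not in the candidate set (another OU) can never be
        # cleared by this run, so it keeps its child blocked permanently.
        $ready = @($remaining.Keys | Where-Object {
            $dn = $_
            @($Parents[$dn] | Where-Object {
                $remaining.ContainsKey($_) -or -not $Parents.ContainsKey($_)
            }).Count -eq 0
        } | Sort-Object)
        if ($ready.Count -eq 0) { break }   # cycle or external blocker: stop planning
        $waves += ,$ready
        foreach ($dn in $ready) { $remaining.Remove($dn) }
    }
    [pscustomobject]@{ Waves = $waves; Blocked = @($remaining.Keys | Sort-Object) }
}

# Constructed sample nesting (placeholder DNs, not from the thread) to exercise the planner:
#   DL-User is a member of DL-Team, which is a member of DL-App   (a 3-level chain)
#   DL-Loop1 and DL-Loop2 are members of each other                (can never convert)
#   DL-Orphan is a member of a domain local group in another OU    (external blocker)
$sample = @{
    'CN=DL-App,OU=Site,DC=example,DC=com'    = @()
    'CN=DL-Team,OU=Site,DC=example,DC=com'   = @('CN=DL-App,OU=Site,DC=example,DC=com')
    'CN=DL-User,OU=Site,DC=example,DC=com'   = @('CN=DL-Team,OU=Site,DC=example,DC=com')
    'CN=DL-Loop1,OU=Site,DC=example,DC=com'  = @('CN=DL-Loop2,OU=Site,DC=example,DC=com')
    'CN=DL-Loop2,OU=Site,DC=example,DC=com'  = @('CN=DL-Loop1,OU=Site,DC=example,DC=com')
    'CN=DL-Orphan,OU=Site,DC=example,DC=com' = @('CN=DL-Other,OU=Elsewhere,DC=example,DC=com')
}
$samplePlan = Get-ConversionPlan -Parents $sample
$samplePlan.Waves | ForEach-Object { "Sample wave: " + ($_ -join ', ') }
$samplePlan.Blocked | ForEach-Object { "Sample blocked: $_" }

# Gather the real graph for one OU. -SearchBase limits the run to that site;
# MemberOf gives the direct parents, of which only domain local ones matter.
function Get-DomainLocalParents {
    param([string]$SearchBase)
    $groups = Get-ADGroup -SearchBase $SearchBase -Properties MemberOf -Filter { (GroupScope -eq "DomainLocal") -and (GroupCategory -eq "Security") }
    $parents = @{}
    foreach ($g in $groups) {
        # Universal and global parents do not block the conversion, so drop them.
        $parents[$g.DistinguishedName] = @(
            foreach ($p in $g.MemberOf) {
                if ((Get-ADGroup -Identity $p).GroupScope -eq 'DomainLocal') { $p }
            }
        )
    }
    $parents
}

$ou   = 'OU=Site,DC=example,DC=com'   # placeholder: the one OU to work on
$plan = Get-ConversionPlan -Parents (Get-DomainLocalParents -SearchBase $ou)
$i = 0
foreach ($wave in $plan.Waves) {
    $i++
    foreach ($dn in $wave) {
        "Wave $i : $dn"
        # Remove -WhatIf only once the printed plan has been reviewed.
        Set-ADGroup -Identity $dn -GroupScope Universal -WhatIf
    }
}
$plan.Blocked | ForEach-Object { "BLOCKED (cycle or domain local parent outside $ou): $_" }
```

With the constructed sample, the chain comes out as three single-group waves (DL-App first, DL-User last), and the mutual pair plus DL-Orphan are listed as blocked; the live run prints the same kind of plan for the chosen OU and, with -WhatIf in place, changes nothing. Because the waves are computed from one snapshot, the order holds only while nobody edits memberships during the run.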