Change Universal Security Group to Universal Distribution group in bulk


  • I have an old 2003 Domain with about 1000 distribution groups that need to be converted from Universal Security to Universal Distribution groups. I am trying to find a way of doing this via a script so I do not need to change each group individually. I'm hoping someone can point me in the direction of a command, script or program that will let me do this.

    Before anyone asks, no I cannot upgrade the domain out of 2003 for a variety of reasons. I do have ADWS so I am able to use powershell if needed. And yes, I know what changing the groups will do and none of these groups need to be security groups.

    Vincent Sprague

    mercoledì 13 giugno 2018 13:29

Tutte le risposte

  • You can simply use the dsmod command to change the group type

    You need to know the DistinguishedName of the group

    dsmod group "CN=MyGroup,OU=MyEnterpriseGroups,DC=MyDomain,DC=Com" -secgrp no

    This should convert your group to Distribution group.


    This posting is provided AS IS without warranty of any kind

    mercoledì 13 giugno 2018 16:41
  • Thank you, that works on an individual basis. Now I just need to figure out how to script that so it will do all the groups I need in one shot.

    Vincent Sprague

    giovedì 14 giugno 2018 13:22
  • i'm not a Powershell master but if your groups you want to modify are under the same OU, you could just run the following command to export all of them

    dsquery group "OU=My_OU,DC=MyDomain,DC=Com" > C:\Temp\My_Export_Groups.txt

    This will create a text file with all group DN's

    something like that:


    Then import it into Excel and create your scripts with Excel... it's a 3-4 minutes max to do that ;)


    This posting is provided AS IS without warranty of any kind

    giovedì 14 giugno 2018 13:29
  • I have over 1000 Distribution groups to change so I ended going with this:

    For AD ran this:
    Get-ADGroup -Filter {name -like "US_*"} -SearchBase "OU=US-DLs,OU=Distribution Lists,DC=domain,DC=local" | Set-ADGroup -GroupCategory Distribution

    For Exchange ran this:
    get-DistributionGroup -Identity US_* | set-distributiongroup -MemberDepartRestriction Closed

    Vincent Sprague

    giovedì 14 giugno 2018 14:44