Why is domain local to global (and vice versa) not possible? - Group Scope Transition

    Question

  • Hi ppl,

    I would like to know why domain local group can't be converted into global groups and vice versa. Please explain to help me understand better.

    Anand Kumar D

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, January 21, 2013 1:45 PM

Answers

  • The reasons are largely historical.  In NT 4.0 domains, you had global groups and local groups and could not convert between the two.  When Active Directory was introduced with Windows 2000, this mechanism was held since NT 4.0 BDCs (Backup Domain Controllers) could exist in an AD domain when the domain was in either Windows 2000 Mixed Mode and later Windows 2003 Interim Mode.  Universal groups could not exist when the AD domain was in either of these modes because NT 4.0 BDCs could not interpret them.  When moved to 2000 Native Mode or higher, Universal groups and Distribution groups could be used in the AD domain.  Because of the design of the AD Schema, it became possible to convert Global or Local groups to Universal groups, and the other way around (provided the pre-requisites are met).

    If you examine the attributes of the different types of Security groups, some of the reasoning becomes a bit more clear:

    Global
    groupType = 0x80000002 (ACCOUNT_GROUP | SECURITY_ENABLED)
    sAMAccountType = 268435456 (GROUP_OBJECT)

    Local
    groupType = 0x80000004 (RESOURCE_GROUP | SECURITY_ENABLED)
    sAMAccountType = 536870912 (ALIAS_OBJECT)

    Universal
    groupType = 0x80000008 (UNIVERSAL_GROUP | SECURITY_ENABLED)
    sAMAccountType = 268435456 (GROUP_OBJECT)

    That said, Microsoft has long recommended using the ADGLP model for RBAC in AD environments.  E.g., you place users in Global Groups, place Global Groups in Domain Local Groups, and assign permissions on objects to those Domain Local groups.  This makes sense if you examine the above attributes (Global - ACCOUNT_GROUP and GROUP_OBJECT, Local - RESOURCE_GROUP and ALIAS_OBJECT).  Some feel this security model is aging and true RBAC methods should be adopted but we aren't quite there yet in my opinion (Server 2012 is a step closer).  Anyway, the point is that if you find yourself converting groups in Active Directory, you probably have a design flaw in your group architecture.  I personally do not recommend converting between group types unless absolutely necessary.  In general, you should implement the groups correctly, migrate users and resources to the new group design, and destroy the old groups.

    • Marked as answer by ananddrox Wednesday, January 23, 2013 7:03 AM
    Tuesday, January 22, 2013 4:42 PM
  • Hi,

    Before going further, you’d better have a better understanding of the definition of each group type.

    1. Domain Local Groups: These groups are only visible in their own domain. For that reason, domain local security groups can be used to grant rights and permissions only on resources that reside in the same domain where the domain local group is located. Domain local groups can contain domain local groups only from the same domain, but users, computers and all other group types from the same domain and trusted domains (all domains in the forest). Use domain local groups for assigning permissions to resources in their home domain.

    CAN CONTAIN: Domain Local Groups from their own domain, Global Groups from trusted domains and any domain in the forest, Universal Groups from trusted domains and any domain in the forest.

    2. Global Groups: These groups are visible throughout the forest, but can only contain accounts and global groups from the same domain. The group itself can be a member of universal and domain local groups in any domain, and of global groups of its own domain. These groups should be used to organize users who share the same job tasks or department, etc. You should not assign permissions directly to global groups – domain local groups are more appropriate for that.

    CAN CONTAIN: Global Groups from the OWN domain.

    3. Universal Groups: These groups are visible throughout the forest and can contain accounts, global groups and other universal groups from any domain in the forest (they cannot contain domain local groups). Universal groups should be used to nest global groups. By doing that, the group can assign permissions to resources in multiple domains.

    CAN CONTAIN: Global Groups from any domain in the forest, Universal Groups from any domain in the forest.

    In addition, I suggest you refer to the following article for detailed information about groups. Ace Fekay has provided a very detailed introduction to groups.

    Using Group Nesting Strategy - AD Best Practices for Group Strategy

    http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx

    Hope this helps.

    Best Regards,

    Andy Qi


    Andy Qi
    TechNet Community Support

    Tuesday, January 22, 2013 9:34 AM
    Moderator

All replies

  • Changing group scope
    When you create a new group, by default the new group is configured as a security group with global scope, regardless of the current domain functional level. Although changing a group scope is not allowed in domains with a domain functional level of Windows 2000 mixed, the following conversions are allowed in domains with the domain functional level of Windows 2000 native or Windows Server 2003:

    • Global to universal. This conversion is allowed only if the group that you want to change is not a member of another global scope group.
    • Domain local to universal. This conversion is allowed only if the group that you want to change does not have another domain local group as a member.
    • Universal to global. This conversion is allowed only if the group that you want to change does not have another universal group as a member.
    • Universal to domain local. There are no restrictions for this operation.
    For more information, see Change group scope.

    HTH
    Biswajit Biswas
    My Blogs |MCC |TNWiki Ninja

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin


    • Edited by bshwjt Monday, January 21, 2013 1:54 PM
    • Proposed as answer by Ace Fekay [MCT]MVP Monday, January 21, 2013 1:57 PM
    • Unproposed as answer by ananddrox Tuesday, January 22, 2013 6:21 AM
    Monday, January 21, 2013 1:53 PM
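As an added illustration (not code from this thread or from Microsoft), the following Python decodes the groupType values quoted in the accepted answer and applies the one-step scope-change rules listed in the reply above, including the two-step route through universal that domain local and global groups need. The flag constants are the documented AD groupType bits; the group names and memberships are constructed sample data.

```python
# Added example, not code from the thread: decode the groupType values quoted in the
# accepted answer and apply the one-step scope-change rules from the reply above.
# The flag constants are the documented AD groupType bits; the groups are constructed.
SECURITY_ENABLED, ACCOUNT_GROUP, RESOURCE_GROUP, UNIVERSAL_GROUP = 0x80000000, 0x2, 0x4, 0x8
SCOPE_BITS = {ACCOUNT_GROUP: "global", RESOURCE_GROUP: "domainlocal", UNIVERSAL_GROUP: "universal"}

def decode_group_type(group_type):
    # AD returns groupType as a signed 32-bit int (-2147483644 is 0x80000004); normalise it.
    value = group_type & 0xFFFFFFFF
    scopes = [name for bit, name in SCOPE_BITS.items() if value & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {group_type:#x} does not carry exactly one scope bit")
    return scopes[0], bool(value & SECURITY_ENABLED)  # (scope, security-enabled?)

def conversion_allowed(name, target, groups):
    # One-step check for groups[name] -> target; returns (allowed, rule text).
    src = groups[name]["scope"]
    member_scopes = {groups[m]["scope"] for m in groups[name]["members"] if m in groups}
    parent_scopes = {g["scope"] for g in groups.values() if name in g["members"]}
    rules = {
        ("global", "universal"): ("global" not in parent_scopes, "not a member of another global group"),
        ("domainlocal", "universal"): ("domainlocal" not in member_scopes, "no domain local group as member"),
        ("universal", "global"): ("universal" not in member_scopes, "no universal group as member"),
        ("universal", "domainlocal"): (True, "no restrictions"),
    }
    return rules.get((src, target), (False, "no direct conversion; stage through universal"))

def conversion_path(name, target, groups):
    # Scopes to pass through, or None if blocked. Domain local <-> global must go via universal.
    src = groups[name]["scope"]
    if conversion_allowed(name, target, groups)[0]:
        return [src, target]
    if {src, target} == {"global", "domainlocal"}:
        staged = {**groups, name: {**groups[name], "scope": "universal"}}  # state after step 1
        if conversion_allowed(name, "universal", groups)[0] and conversion_allowed(name, target, staged)[0]:
            return [src, "universal", target]
    return None

# Constructed AGDLP-style sample: users in a global group, which is nested in a domain local group.
GROUPS = {
    "Sales-GG": {"scope": "global", "members": ["alice", "bob"]},
    "Sales-DL": {"scope": "domainlocal", "members": ["Sales-GG"]},
    "Nested-DL": {"scope": "domainlocal", "members": ["Sales-DL"]},
}
if __name__ == "__main__":
    print(decode_group_type(-2147483644))  # ('domainlocal', True)
    for group, target in [("Sales-GG", "domainlocal"), ("Sales-DL", "global"), ("Nested-DL", "global")]:
        print(group, "->", target, ":", conversion_path(group, target, GROUPS))
```

Nested-DL cannot be staged through universal because it still contains a domain local group, which is exactly the situation where the accepted answer suggests redesigning the groups rather than converting them.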
  • Hi,

    I saw that in http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx.

    But why is DLG->GG (or) GG->DLG not possible? That's my question.

    Anand Kumar D

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, January 21, 2013 1:58 PM
  • You have to convert from domain local to universal first, and then to global, or global to universal and then to domain local.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Tuesday, January 22, 2013 10:09 AM
  • Hi,

    I would like to know why is it not possible. That will help me.

    What's the reason the conversion is not possible?

    Anand Kumar D

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, January 22, 2013 11:09 AM
  • This is by design. You can analyse the attribute.

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Tuesday, January 22, 2013 1:45 PM
  • Hi,

    I could not find an avenue of analysis, that is why I popped up this question. Explanations and reasons would help me understand better.

    Anand Kumar D

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, January 22, 2013 3:34 PM