How to change Active Directory Group Scope

Posted on 26/07/2024 / 16/06/2025 by Matthew

Active Directory (AD) groups are essential for managing permissions and access within an organization’s IT environment. The group scope defines how permissions and memberships are applied and propagated across domains and forests. There are three types of group scopes: Universal, Global, and Domain Local. Each has its own characteristics and use cases. This guide will walk you through the process of changing the scope of an Active Directory group, explaining the reasons for scope changes and the limitations involved.

Here are other related guides: How to Create Service Accounts, Organisation Units and Active Directory Security Groups, Create New Users and Join Synology NAS to Active Directory, Change Active Directory Domain name from dot local to dot com, and Grant Non-Domain Admin Privileges to Manage Workstation.

Why Change Group Scope?

Changing the scope of an AD group can be necessary for various reasons:

Organizational Restructuring: As organizations grow or reorganize, their security and resource management needs evolve. Changing group scopes can help align with new administrative boundaries and access requirements.

Cross-Domain Collaboration: To facilitate access across multiple domains within a forest or across trusted forests, adjusting the group scope can simplify administration and enhance security.

Optimization of Replication: The AD infrastructure replicates certain group scopes differently. Changing the scope can optimize replication traffic and performance.

Please see "Configuring DHCP Scope: Post-deployment of Dynamic Host Configuration Protocol", "Comprehensive Guide to Install DHCP Server on Windows Server", and "How to Update Global Address List: Recognition Error".

Understanding Group Scopes

Before diving into the steps for changing group scopes, it’s essential to understand the three types of scopes:

Universal Groups: Can contain users, global groups, and other universal groups from any domain in the forest. Ideal for applying permissions across the entire forest.

Global Groups: Can contain users and other global groups from the same domain. They are typically used for organizing users within a domain.

Domain Local Groups: Can contain users, global groups, and universal groups from any domain, as well as other domain local groups from the same domain. These are used to grant permissions to resources within the same domain.

Also, see "Configuring DHCP Scope: Post-deployment of Dynamic Host Configuration Protocol", and learn more in "Universal, Global, and Domain Local Group Scopes Differences".

Why Can’t We Change from Global to Domain Local on the Fly?

Active Directory enforces certain rules to maintain integrity and consistency in its structure:

Replication and Membership: Global groups replicate differently compared to domain local groups. Allowing an on-the-fly change could disrupt replication processes and result in inconsistent group memberships across domain controllers.

Security Boundaries: Global groups can only contain members from the same domain, whereas domain local groups can include members from multiple domains. Instant changes in scope could violate these security boundaries and lead to access control issues.

Infrastructure Impact: Changing group scopes significantly modifies how you handle permissions and memberships. Ensuring these changes do not negatively impact the infrastructure requires a controlled and deliberate process.

Prerequisites

  • Ensure you have appropriate administrative privileges.
  • Verify that the group does not contain members that violate the target scope’s rules.
  • If changing to a universal group, the forest must be in native mode.

Steps to Change Group Scope

Using Active Directory Users and Computers (ADUC)

Press Win + R, type dsa.msc, and press Enter to open Active Directory Users and Computers.

Open active directory users and computers

Navigate to the organizational unit (OU) or container where the group is located.

Right-click the group and select Properties.

Group properties

Go to the Group Scope section in the General tab. By default, the group scope is set to “Global,” with “Domain Local” greyed out and “Universal” available.

Default group scope

To change the group scope to Domain Local, you will first need to select Universal and click Apply.

Apply Universal group scope

This makes the Domain Local option available. Now you can select the Domain Local group scope.

Select Domain local group scope
Click Apply and then OK.

Using PowerShell

PowerShell provides a more streamlined approach for administrators who need to make changes across multiple groups.

Right-click on the Start menu and select Windows PowerShell (Admin).

Open PowerShell

To change a Domain Local group to a Global group, you must first convert it to a Universal group, because a direct Domain Local to Global change is not permitted. Use the following two commands to change the group scope in two steps. Replace HR with the name of your group.

Get-ADGroup -Identity HR | Set-ADGroup -GroupScope Universal
Get-ADGroup -Identity HR | Set-ADGroup -GroupScope Global
Change group scope using PowerShell

Confirm the change by using the Get-ADGroup cmdlet.

Get-ADGroup -Identity HR
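The two-step conversion above, wrapped in a reusable function as an added example (not code from the original post). It routes any Global <-> Domain Local change through Universal and pre-checks the nesting rules Active Directory enforces on each step, so a change that would fail halfway is refused before anything is modified. It assumes the RSAT ActiveDirectory module is installed and that the caller has rights to modify the group; the function name Convert-ADGroupScope is my own.

```powershell
# Added example (not from the original post): change a group's scope with the
# Universal hop and pre-check the membership rules AD enforces on each step.
# Assumes the RSAT ActiveDirectory module and rights to modify the group.
Import-Module ActiveDirectory

function Convert-ADGroupScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')]
        [string]$TargetScope
    )
    $group   = Get-ADGroup -Identity $Identity -Properties member, memberOf
    $current = $group.GroupScope.ToString()
    if ($current -eq $TargetScope) { return $group }

    # Scopes of nested member groups and of the groups this group belongs to
    $memberScopes = @(foreach ($dn in $group.member) {
        if ((Get-ADObject -Identity $dn).ObjectClass -eq 'group') { (Get-ADGroup -Identity $dn).GroupScope.ToString() }
    })
    $parentScopes = @(foreach ($dn in $group.memberOf) { (Get-ADGroup -Identity $dn).GroupScope.ToString() })

    # Global <-> Domain Local is never direct: go through Universal first
    $steps = if (@($current, $TargetScope) -notcontains 'Universal') { @('Universal', $TargetScope) } else { @($TargetScope) }

    $from = $current
    foreach ($to in $steps) {
        # Rules AD enforces: Global -> Universal fails if the group is nested in
        # another Global group; Domain Local -> Universal fails if it contains a
        # Domain Local group; Universal -> Global fails if it contains a
        # Universal group; Universal -> Domain Local has no restriction.
        $blocked = switch ("${from}->${to}") {
            'Global->Universal'      { $parentScopes -contains 'Global' }
            'DomainLocal->Universal' { $memberScopes -contains 'DomainLocal' }
            'Universal->Global'      { $memberScopes -contains 'Universal' }
            default                  { $false }
        }
        if ($blocked) { throw "Cannot convert '$Identity' from $from to ${to}: membership violates the target scope's rules" }
        if ($PSCmdlet.ShouldProcess($Identity, "Set-ADGroup -GroupScope $to")) {
            Set-ADGroup -Identity $group -GroupScope $to
        }
        $from = $to
    }
    Get-ADGroup -Identity $Identity   # the group with its new scope
}

# Dry run first, then apply without -WhatIf:
# Convert-ADGroupScope -Identity HR -TargetScope DomainLocal -WhatIf
```

Because the function supports -WhatIf, you can preview both steps of the hop before touching the group, and a refused conversion leaves the original scope untouched.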

FAQs

How can I determine the OU a device belongs to in Active Directory (AD)?

You can use Active Directory Users and Computers, then the search feature to find the device by its computer name. Right-click the device and select Properties. In the Object tab (or general info), you can see the distinguished name (DN) or check where the device is located in the OU structure.

If this does not produce the desired result, use PowerShell and ensure the ActiveDirectory module is loaded (Import-Module ActiveDirectory) or RSAT is installed. Then use the command below to get the DistinguishedName:

Get-ADComputer -Identity "TechDA04" | Select-Object Name, DistinguishedName

Determine device OU

To display the canonical name (domain/OU path) with Get-ADComputer instead, use the command below:

Get-ADComputer -Identity "TechDA04" -Properties CanonicalName | Select-Object Name, CanonicalName

Note: You can also use LDAP query tools. Launch ADSI Edit, connect to the Default naming context, and search for the computer by its CN or sAMAccountName. The distinguishedName attribute reveals the OU.

To do this via the command line, run the command below

dsquery computer -name "TechDA04"

How can I find the OU of a device if I only have its IP address?

You first need to find the device’s hostname via reverse DNS or network tools, then use that hostname to search AD with PowerShell or ADUC.

Can I find the OU of a device remotely without admin rights?

Usually, you need at least read permissions in AD to query device objects. Without permissions, you cannot reliably find OU info remotely.

What does the DistinguishedName tell me about the OU?

The DistinguishedName shows the full LDAP path of the object, including all parent OUs. The OU components start with OU=, so you can trace exactly where the device resides in the AD hierarchy.
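To show how the OU components of a DistinguishedName map onto the CanonicalName form used earlier, here is an added example (not from the original post) that parses a DN offline, splitting only on unescaped commas so RDNs such as "CN=Smith\, John" are not broken apart. The function name Get-OUPathFromDN and the sample DN are my own constructions.

```powershell
# Added example (not from the original post): derive the domain/OU path
# from a DistinguishedName without querying AD. The sample DN is constructed.
function Get-OUPathFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split only on commas that are not escaped with a backslash
    $rdns = $DistinguishedName -split '(?<!\\),'
    $ous  = @($rdns | Where-Object { $_ -like 'OU=*' } | ForEach-Object { $_.Substring(3) -replace '\\,', ',' })
    $dcs  = @($rdns | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) })
    # A DN lists the innermost OU first; the canonical form lists the outermost first
    [array]::Reverse($ous)
    return (($dcs -join '.') + '/' + ($ous -join '/'))
}

$sampleDn = 'CN=TechDA04,OU=Workstations,OU=Lagos,DC=techda,DC=com'   # constructed sample
Get-OUPathFromDN -DistinguishedName $sampleDn
```

Pipe the DistinguishedName returned by Get-ADComputer into this function when CanonicalName is not available or when you are working from an exported list of DNs.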

Can I also move a device to another OU via PowerShell?

Yes, you can use the Move-ADObject cmdlet as shown below:

Move-ADObject -Identity "CN=TechDA04,OU=OldOU,DC=techda,DC=com" -TargetPath "OU=NewOU,DC=techda,DC=com"

Conclusion

Changing the scope of an Active Directory group is a powerful administrative task that can help align your organization’s security and resource management with evolving needs. Understanding the reasons behind scope changes and the limitations involved ensures a smooth and effective transition.

Whether using the ADUC GUI or PowerShell, following a structured approach minimizes risks and maintains the integrity of your AD environment.

I hope you found this article useful on “How to change Active Directory Group Scope”. Please feel free to leave a comment below.
