How to Convert Local and Global Groups to Universal Groups

Thursday, October 15, 2009
As you may know, Exchange Server 2007 and Exchange Server 2010 force you to create all new distribution groups as universal distribution groups.

The reason for this is that Exchange 2007/2010 requires a local Global Catalog (GC) server in the Active Directory site where Exchange resides to query for group expansion. A GC can expand domain local, global, and universal groups. However, domain local groups (and sometimes global groups) can only be expanded within the domain local scope. If the GC is a member of the companyabc.com domain, it will be unable to expand a domain local group in the sales.companyabc.com subdomain.

Universal groups can be used anywhere in the same Windows forest. A GC is able to expand universal groups in any domain or subdomain in that forest, as long as the domain functional level (DFL) and forest functional level (FFL) are at least Windows Server 2003 Interim Level.

Obviously, the issue with group expansion only occurs in multi-domain "enterprise" environments, but Exchange 2007/2010 doesn't care. Distribution groups and mail-enabled security groups must still be universal groups, even in a single domain environment.
If you're moving from Exchange 2000/2003 to Exchange 2007 or Exchange 2010, you're going to want to convert all your domain local and global distribution and mail-enabled security groups to universal groups so they can be managed using the Exchange management tools.

You can change group types and group scope using Active Directory Users and Computers (ADUC), but you can only do one group at a time. When I first started writing this article I was convinced that PowerShell was the best way to do this. But due to limitations in the way that PowerShell accesses Active Directory, my scripts were getting quite large and complicated, even when using third-party PowerShell extensions like Quest's free ActiveRoles Management Shell for Active Directory. I started to look for other ways to perform bulk changes of distribution and security groups.

The most efficient way I found is to use the internal Windows dsquery and dsmod tools. These handy and oft-forgotten tools are installed with the operating system in Windows 2000 and later.

The following command will produce a list of all the groups in the domain and their scope (domain local, global, or universal) and whether the group is a security group. The output is redirected to the Groups.txt file:

dsquery group -limit 0 | dsget group -samid -scope -secgrp > Groups.txt

This command can take a while to run if the domain contains a large number of groups. It took about a minute to process over 6,100 groups.

The command to convert all domain local and global groups (both distribution and security groups) is:

dsquery group -limit 0 | dsmod group -c -q -scope u

The first part of this command uses dsquery to query AD for all groups and then pipes the collection to dsmod to convert each group to a universal group. The -c switch tells dsmod to output any errors and continue. The -q switch tells dsmod to run in quiet mode (suppress successful changes).

Note: Some groups cannot be converted to universal groups. All of the Windows built-in groups are global and cannot be converted to a different group scope.

Also know that a global group cannot have a universal group as a member. When you see this error, it means that the group is a member of another group that cannot be converted to a universal group (for example, the built-in Account Operators group). Sometimes this can be like chasing a rat down a hole: the groups may be so deeply nested that it's hard to find the group that is preventing the conversion.

Sometimes it helps to run the conversion command again. For example, dsmod may be unable to convert Group-A to a universal group because it contains the domain local group, Group-B. Later in the process, Group-B is converted from a local group to a universal group. If you run the conversion again, Group-A can now be converted.
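The listing and conversion steps above, plus the repeat-until-no-progress approach for nested groups, as an added PowerShell example. This is not the article's own code (the article deliberately uses dsquery/dsmod) and not a commenter's; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later) and rights to change group scope. The function names Get-NonUniversalMailGroup, Convert-MailGroupToUniversal and Get-ConversionBlocker are this example's own, and it restricts itself to mail-enabled groups, which are the ones Exchange 2007/2010 requires to be universal.

```powershell
# Added example (not from the original article): converts mail-enabled domain
# local and global groups to universal scope with the ActiveDirectory module,
# which is an assumption on top of the dsquery/dsmod tools the article uses.
Import-Module ActiveDirectory

# Inventory: every mail-enabled group (distribution or mail-enabled security)
# whose scope is not yet universal. groupType bit 8 is the universal flag, and
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule. Built-in groups
# such as Domain Users are not mail-enabled, so they never appear here.
function Get-NonUniversalMailGroup {
    Get-ADGroup -LDAPFilter '(&(mail=*)(!(groupType:1.2.840.113556.1.4.803:=8)))' `
                -Properties mail, memberOf
}

# Convert in repeated passes. A group blocked in pass 1 (a nested member still
# domain local, or a parent still global) often converts in pass 2 once the
# blocking group has changed scope. Stop when a pass makes no progress so the
# same errors are not repeated endlessly. Honours -WhatIf.
function Convert-MailGroupToUniversal {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$MaxPasses = 5)

    $failed = @()
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        $pending = @(Get-NonUniversalMailGroup)
        if ($pending.Count -eq 0) { return @() }

        $failed = @()
        $converted = 0
        foreach ($group in $pending) {
            try {
                Set-ADGroup -Identity $group -GroupScope Universal -ErrorAction Stop
                $converted++
            }
            catch {
                # Keep the error text: it names the nesting conflict.
                $failed += [pscustomobject]@{
                    Group = $group.SamAccountName
                    Scope = $group.GroupScope
                    Error = $_.Exception.Message
                }
            }
        }
        Write-Verbose ("Pass {0}: converted {1}, failed {2}" -f $pass, $converted, $failed.Count)
        if ($converted -eq 0 -or $WhatIfPreference) { break }
    }
    return $failed
}

# For a group that still fails, list the neighbours that explain why:
# parents that are still global (a global group cannot contain a universal
# group) and members that are still domain local (a universal group cannot
# contain a domain local group). This replaces chasing the nesting by hand.
function Get-ConversionBlocker {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $group = Get-ADGroup -Identity $SamAccountName -Properties memberOf
    foreach ($parentDn in $group.memberOf) {
        $parent = Get-ADGroup -Identity $parentDn
        if ($parent.GroupScope -eq 'Global') {
            [pscustomobject]@{ Group = $group.SamAccountName; Blocker = $parent.SamAccountName
                               Relation = 'parent'; BlockerScope = $parent.GroupScope }
        }
    }
    Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'group' } | ForEach-Object {
        $member = Get-ADGroup -Identity $_.distinguishedName
        if ($member.GroupScope -eq 'DomainLocal') {
            [pscustomobject]@{ Group = $group.SamAccountName; Blocker = $member.SamAccountName
                               Relation = 'member'; BlockerScope = $member.GroupScope }
        }
    }
}

# Usage: record the starting state (the article's Groups.txt equivalent),
# then convert, then explain whatever is left over.
Get-NonUniversalMailGroup |
    Select-Object SamAccountName, GroupScope, GroupCategory, mail |
    Export-Csv -Path .\Groups.csv -NoTypeInformation

$stubborn = Convert-MailGroupToUniversal -Verbose
$stubborn | ForEach-Object { Get-ConversionBlocker -SamAccountName $_.Group }
```

Run it once with `Convert-MailGroupToUniversal -WhatIf` to see which groups would be touched before changing anything; the CSV written first gives you the original scope of every group should a conversion need to be reversed.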

Note: Exchange 2007 and Exchange 2010 will automatically convert universal distribution groups to universal security groups if the distribution group is used to apply security settings for a MAPI or Public Folder. My next article will cover this in more detail.

10 comments:

  1. Exchange queries a GC in the Windows site, not the Exchange site
  2. I clarified the AD site terminology used in the article. Sorry if it was confusing before.
  3. Thanks for this, it's really helpful. However, when I run the first dsquery command to list the groups, it errors out and doesn't list all my groups.

    Any ideas as to why?

    dsget failed:Directory object not found.
  4. I can't imagine why, unless maybe you mistyped the command. Here it is again:

    dsquery group -limit 0 | dsget group -samid -scope -secgrp

    If it still fails, try just "dsquery group -limit 0" to see what the output looks like.
  5. You will want to add the -c for the first command too. If not the command bombs if you have any errors with the only indication being the qty of output lines and the fact that it omits the "dsget succeeded" at the end. With -c you may see a few lines like: "dsget failed:Directory object not found."

    I am also going to filter the list & manually change the main top level ones first to avoid as many nesting errors as possible..... Nice article though - thanks :-)
  6. Great info. Helped me understand the WHY behind the Universal group requirement and answered a question we had about why some of our DistGroups converted to UniversalSecurityGroups and some did not during our migration to 2010.
  7. Thanks. Can't wait to try this. I have converted a few but automating the rest will make it so much easier. Just wondering what/if adverse effects it will have.
  8. Thanks much. I indeed had Global group with Universal groups as members and they were hard to track down. Finishing my migration from Exch2003 to 2010 and this helped a ton!
  9. Thanks much! I indeed has some Global groups with Universal groups as members which were hard if not impossible to track down. Finishing a migration from Exch2003 to 2010 and this helped a ton!
  10. Hi. I did the upgrade but still I have some global groups such as: domain users, domain admin, domain computers, domain controllers, domain guests and group policy creator owners which would not get upgraded to universal.
    Am I missing something here? I ran the commands as you mentioned. Also, if I want to migrate only selectively, can I use a where clause some way? I tried but did not succeed.