Submit a ticketCall us

whitepaperYour VM Perplexities Called, and They Need You to Read This.

Virtualization can give you enormous flexibility with future workloads and can be a key enabler for other areas, like cloud computing and disaster recovery. So, how can you get a handle on the performance challenges in your virtual environment and manage deployments without erasing the potential upside? Learn the four key areas you need to be focusing on to help deliver a healthy and well-performing data center.

Get your free white paper.

Home > Success Center > Access Rights Manager (ARM) formerly 8MAN > ARM - Knowledgebase Articles > PowerShell script for changing Active Directory group type

PowerShell script for changing Active Directory group type

Updated November 19, 2018

Overview

This article contains a sample script that you can use to change the Active Directory group type. This is needed if you want to change the strategy of the Group Wizard.

Environment

  • Access Rights Manager

Cause

 

Resolution

This script example changes group type from DomainLocal to Global. To change the group type from Global to DomainLocal, you need to adjust the script accordingly. To change the group type to Universal, the script must be shortened. 

Change group type from DomainLocal to Global

  1. Before starting the process, set a variable for your search base:
        $MySearchBase = "ou=8MAN,dc=8man-demo,dc=local"
  2. Load a variable with the groups you wish to include, filtered by type. If the existing groups are DomainLocal:
        $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "DomainLocal"' -SearchBase "$MySearchBase"
  3. Validate that the correct groups are included in the variable by listing the names of objects in the variable:
        $ MyGroupList.name
  4. For every group in the list, change the type to Universal:
        $ MyGroupList | Set-ADGroup -GroupScope Universal
  5. Re-load the variable:
        $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Universal"' -SearchBase "$MySearchBase"
  6. Again, validate that the correct groups are included in the variable:
        $ MyGroupList.name
  7. Change the group type from Universal to Global:
        $ MyGroupList | Set-ADGroup -GroupScope Global

Change group type from Global to DomainLocal

  1. Before starting the process, set a variable for your search base:
    $MySearchBase = "ou=8MAN,dc=8man-demo,dc=local"
  2. Load a variable with the groups you wish to include, filtered by type. If the existing groups are Global:
        $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' -SearchBase "$MySearchBase"
  3. Validate that the correct groups are included in the variable by listing the names of objects in the variable:
        $ MyGroupList.name
  4. For every group in the list, change the type to Universal:
        $ MyGroupList | Set-ADGroup -GroupScope Universal
  5. Re-load the variable:
        $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Universal"' -SearchBase "$MySearchBase"
  6. Again, validate that the correct groups are included in the variable:
        $ MyGroupList.name
  7. Change the group type from Universal to DomainLocal:
        $MyGroupList | Set-ADGroup -GroupScope DomainLocal

Change group type to Universal

  1. Before starting the process, set a variable for your search base:
    $MySearchBase = "ou=8MAN,dc=8man-demo,dc=local"
  2. Load a variable with the groups you wish to include, filtered by type:
    1. If the existing groups are DomainLocal:
              $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "DomainLocal"' -SearchBase "$MySearchBase"
    2. If the existing groups are Global:
              $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' -SearchBase "$MySearchBase"
  3. Validate that the correct groups are included in the variable by listing the names of objects in the variable:
        $ MyGroupList.name
  4. For every group is the list, change the type to Universal:
        $ MyGroupList | Set-ADGroup -GroupScope Universal
  5. Re-load the variable:
        $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Universal"' -SearchBase "$MySearchBase"
  6. Again, validate that the correct groups are included in the variable:
        $ MyGroupList.name

 

Last modified

Tags

Classifications

Internal Use Only