How Can I Convert a Global Security Group to a Universal Security Group?


Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I convert a global security group to a universal security group?

— BB

SpacerHey, Scripting Guy! AnswerScript Center

Hey, BB. We have to tell you the truth, we were pretty excited when we first read your email. Convert a global security group to a universal security group? That sounded like a mad scientist sort of thing, and we had visions of setting up a huge lab with all sorts of cool machines and beakers of chemicals, and then one of us would throw a switch and a great bolt of lighting would surge through the room. Everything would be quiet, and then, through the smoke, we’d see our little security group beginning to twitch. “Heaven help us,” we’d say. “We’ve created a universal security group!”

Cool, huh? In fact, we had already written the screenplay and signed a contract for a series of action figures before we found out that we didn’t actually need a mad scientist’s laboratory to convert a global group to a universal group. Instead, all we needed was this:


Set objGroup = GetObject _ (“LDAP://cn=Managers,ou=Finance,dc=fabrikam,dc=com”)


Hey, if you think you’re disappointed imagine how we feel. As it turns out, though, each Active Directory group has a property named groupType that, well, determines the group type. GroupType is a bitmask attribute that can be made up of as many as two different values. Value 1 determines whether the group is a security group or a distribution group. (What’s the difference? Security groups can be given access to resources; distribution groups can’t.) Value 2, meanwhile, determines the type of security group or the type of distribution group. Either security groups or distribution groups can be one of the following:

Global groups, in which all the users must come from the same domain.

Domain local groups, in which members can be drawn from any domain in the forest, but permissions can only be granted to the local domain (that is, the domain where the group account resides).

Universal groups, in which members can be drawn from any domain in the forest and be granted permissions anywhere in the forest.

Fascinating, isn’t it?

By the way, that’s a good question: how can a single attribute consist of more than one value? That’s bitmask attributes for you. We won’t discuss bitmasks in any detail today; if you’d like a more thorough discussion, check out this Scripting Guys webcast. For now, think of the groupType attribute as being like a series of switches. Suppose the switch for security group is on, the switch for global group is on, and all the other switches are off? In that case, we’d have a global security group. That implies that we can convert a group to a universal security group simply by ensuring that only the security group and the universal group switches are on. And that’s exactly what our script does.

Note. This is probably a good time to point out that Active Directory imposes a few limitations when it comes to converting from one group to another. For example, you can’t convert a global group to a domain local group; Active Directory won’t allow that. Likewise, you can only convert groups if your domain is in native mode. Groups in a mixed-mode domain can’t be converted. Check the Active Directory documentation for more information.

These “switches” are actually a series of constants and their corresponding values. In fact, they’re actually this series of constants and their corresponding values:

Group Type



Global group



Domain local group



Universal group



Security group



To explain how you can set these switches, let’s go back to our script. We start out by defining a pair of constants: ADS_GROUP_TYPE_UNIVERSAL_GROUP and ADS_GROUP_TYPE_SECURITY_ENABLED. Why these two constants? That’s easy: we want to create a universal security group, which means we need to flip the switches for universal group and for security group. If we wanted to create a universal distribution group then we’d only need to flip one switch and define one constant: ADS_GROUP_TYPE_UNIVERSAL_GROUP. (Because, of course, the security group switch needs to be off in order for us to have a distribution group.)

After binding to the group account in Active Directory (for this sample script that’s the Managers group in the Finance OU) we encounter this line of code:


This is where we set the value of the groupType attribute. To do that, we pass our two constants as parameters, joining the two with the OR operator. Don’t worry too much about OR; in this case we can read it as though it was the word and: “Set the group type to a universal group and a security group.” If we wanted to convert the group to a global security group we would simply need to define the constant ADS_GROUP_TYPE_GLOBAL_GROUP and then use this code:


Only the switch values we pass to groupType will be flipped on; any other switches will be turned off. And, yes, if you pass a nonsensical request – for example, passing all the possible constants – the script will simply fail. Active Directory won’t allow you to create, say a domain local universal security distribution group.

And for good reason.

Make sense? To make it a universal distribution group we’d pass just one parameter, ADS_GROUP_TYPE_UNIVERSAL_GROUP:


Again, that’s because we don’t enable the security group switch (ADS_GROUP_TYPE_SECURITY_ENABLED) for distribution groups.

At any rate, after setting the groupType all we have to do is call the SetInfo method and the group will change from a global security group to a universal security group, just like that.

And, no, sorry: the change is made without any bolts of lightning, bursting beakers of chemicals, or other special effects. Hmmm, maybe that’s why they turned down our proposal to use a scripting theme for the latest Mission:Impossible movie.

Oh, well. Wonder if we’re too late to propose a plot for X-Men 3 ….


Discussion is closed.

Feedback usabilla icon