Last Updated on August 16, 2015 by Dishan M. Francis

In one of my previous blog posts I explained the different security groups we can have in a domain environment. Every group has a scope and a type, but in some situations you may need to change them.

To change the type of a group (security or distribution), open the group, select the new type, then click OK.


If you need to change the scope, however, only certain conversions are allowed. The following table describes the possible changes.

 

| | To Domain Local | To Global | To Universal |
|---|---|---|---|
| From Domain Local | N/A | Prohibited | Permitted only if it doesn't have other domain local nested groups |
| From Global | Prohibited | N/A | Permitted only if it's not a member of another group |
| From Universal | Permitted | Permitted only if it doesn't have other universal groups as members | N/A |
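The conditions in the table can be checked before a conversion is attempted. The following PowerShell is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) and a single domain, and `Test-GroupScopeChange` and the group name `SG-Finance` are hypothetical names chosen for illustration.

```powershell
# Added example: pre-check a scope conversion against the table above.
# Assumes the ActiveDirectory (RSAT) module and a single-domain environment.
Import-Module ActiveDirectory

function Test-GroupScopeChange {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('DomainLocal', 'Global', 'Universal')]
        [string] $TargetScope
    )

    $group = Get-ADGroup -Identity $Identity -Properties MemberOf
    $from  = [string]$group.GroupScope
    if ($from -eq $TargetScope) { return "N/A: group is already $from" }

    # Scopes of the groups nested directly inside this group.
    $nestedScopes = @(Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { [string](Get-ADGroup -Identity $_.DistinguishedName).GroupScope })

    switch ("${from}->${TargetScope}") {
        'DomainLocal->Global'    { return 'Prohibited' }
        'Global->DomainLocal'    { return 'Prohibited' }
        'Universal->DomainLocal' { return 'Permitted' }
        'DomainLocal->Universal' {
            if ($nestedScopes -contains 'DomainLocal') { return 'Blocked: has domain local groups as members' }
            return 'Permitted'
        }
        'Global->Universal' {
            # Condition as stated in the table: not a member of another group.
            if (@($group.MemberOf).Count -gt 0) { return 'Blocked: group is a member of another group' }
            return 'Permitted'
        }
        'Universal->Global' {
            if ($nestedScopes -contains 'Universal') { return 'Blocked: has universal groups as members' }
            return 'Permitted'
        }
    }
}

# Convert only when the pre-check passes; -WhatIf previews the change without applying it.
$name   = 'SG-Finance'   # placeholder group name
$result = Test-GroupScopeChange -Identity $name -TargetScope Universal
if ($result -eq 'Permitted') {
    Set-ADGroup -Identity $name -GroupScope Universal -WhatIf
} else {
    Write-Warning "$name -> Universal: $result"
}
```

Remove `-WhatIf` once the preview shows the intended change.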

Deleting Groups

Each group in AD DS is assigned a unique SID (Security Identifier). AD uses this SID to identify the permissions associated with the group.

When we delete a group from AD DS, it only removes the SID and the permissions associated with the group. It doesn't remove any member objects of the group. The SID also cannot be reused. If you create a group with the same name as the one you deleted, it will get a new SID, and you need to assign the permissions again as you would for a new object.

If you have any questions about the post, feel free to contact me at rebeladm@live.com