Bulk group type & scope change

How do you bulk change group scope and type in PowerShell? This came up in the newsgroup today so I thought I would blog about the solution as well.

Suppose you want to change the scope of all Global Distribution groups in your domain to Universal. Getting the groups is easy – you just use Get-QADGroup with the appropriate parameters. However, AD cmdlets 1.0.4 still don’t have the Set-QADGroup cmdlet (which is coming soon ;)), so as usual we can cheat here by using the Set-QADObject cmdlet and its ObjectAttributes parameter, which give access to any AD object and attribute.

Because of this workaround we’ll need to supply the appropriate value for the new type and scope. This table will help you pick the one you need:

Value          GroupType
2              Global distribution group
4              Domain local distribution group
8              Universal distribution group
-2147483646    Global security group
-2147483644    Domain local security group
-2147483640    Universal security group

So for example taking all global distribution groups and making them universal is a matter of running this one-liner:

Get-QADGroup -GroupType Distribution -GroupScope Global | Set-QADObject -ObjectAttributes @{grouptype=8}

A couple of notes:

  • By default, Get-QADGroup will only retrieve the first 1000 groups matching the criteria. If you have more, you might want to change the default size limit. Setting it to 0 removes the limit: -SizeLimit 0.
  • Not all groups can be converted to all types.
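
The values in the table are bit flags, so a hard-coded grouptype=8 applied to a security group would also clear its security bit and turn it into a distribution group. The following is an added example, not code from the original post: it decodes a groupType value and computes the new value for a scope change while preserving the security bit. The function names ConvertFrom-GroupType and Get-NewGroupType are hypothetical, and the sample input is constructed from the table above plus the Builtin value mentioned in the comments.

```powershell
# Added example, not from the original post. The bit values are the
# standard Active Directory groupType flags.
$ScopeBits       = @{ Global = 0x2; DomainLocal = 0x4; Universal = 0x8 }
$BuiltinBit      = 0x1               # group created by the system
$SecurityEnabled = [int]::MinValue   # 0x80000000, set on security groups

function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$Value)
    $scope = 'Unknown'
    foreach ($name in $ScopeBits.Keys) {
        if ($Value -band $ScopeBits[$name]) { $scope = $name }
    }
    $type = if ($Value -band $SecurityEnabled) { 'Security' } else { 'Distribution' }
    [pscustomobject]@{
        Value   = $Value
        Scope   = $scope
        Type    = $type
        Builtin = [bool]($Value -band $BuiltinBit)
    }
}

function Get-NewGroupType {
    param(
        [Parameter(Mandatory)][int]$Current,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')]
        [string]$TargetScope
    )
    $old = ConvertFrom-GroupType -Value $Current
    if ($old.Builtin) { throw "groupType $Current is a Builtin group; leave it alone." }
    # AD does not convert Global <-> DomainLocal directly; go through Universal.
    if ($old.Scope -ne $TargetScope -and 'Universal' -notin $old.Scope, $TargetScope) {
        throw "$($old.Scope) -> $TargetScope requires converting to Universal first."
    }
    # Keep the security bit, replace only the scope bits.
    ($Current -band $SecurityEnabled) -bor $ScopeBits[$TargetScope]
}

# Constructed input: the table values plus the Builtin value from the comments.
2, 4, 8, -2147483646, -2147483644, -2147483640, -2147483643 |
    ForEach-Object { ConvertFrom-GroupType -Value $_ } | Format-Table -AutoSize

Get-NewGroupType -Current 2 -TargetScope Universal              # distribution stays distribution
Get-NewGroupType -Current (-2147483646) -TargetScope Universal  # security stays security
```

The number returned by Get-NewGroupType is the value to pass in the grouptype entry of -ObjectAttributes.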



7 Responses to “Bulk group type & scope change”

  1. 1 David Foreman March 12, 2009 at 3:31 pm

    I ran into a really strange problem. I’m using get-QADgrp to select groups so that I can use it in a database. When I first used the command I performed an export-csv with the fields I was looking for and pulled it into Excel and the results were as expected: Scope came back with either universal – Global – Local and type came back with Security or Distribution.

    Here is where it gets weird – when I did the same command, only this time instead of the expected “names” I’m getting numbers, but not the same numbers you have referenced. I’m getting 1-3??? As far as I can tell there is no correlation… Any suggestions?

  2. 2 Dmitry Sotnikov March 12, 2009 at 8:51 pm


    This is very weird. Could you post this, the exact code you are using, and the sample results (obviously with your domain names and group names obfuscated) to our AD PowerShell forum at http://www.powergui.org/forum.jspa?forumID=173 ?

    I would really like our team to troubleshoot this with you.


  3. 3 David Foreman March 17, 2009 at 1:38 pm

    Dmitry, Sorry about the delay, I’ve been working on a time deadline and I have 4 scripts all to get a picture of our AD Groups / Shares information.

    Here is the code I’m using; it is pretty simple really.

    get-qadgroup -searchroot domain/ou -sizelimit 0 |select-object groupname, dn, description, notes, email, creationdate, groupscope, grouptype, modificationdate | export-csv -path H:\group-list.csv

    When I open this file in an Excel spreadsheet, I get the expected results: group type security or distribution,
    Groups scope: domain local, Global, Universal

    Now, when I run the same code but instead write to an Access database the result is the numbers as described above. Here is that code:

    # this builds a set for Group groupname-Object-description-notes out of the groups in the HB OU – df
    # get-qadgroup -searchroot Domain/OU -sizelimit 0 |select-object name, dn, description, notes | export-csv -path H:\group-list.csv
    $objGroup = get-qadgroup -searchroot Domain/OU -sizelimit 0
    # this is the part that writes directly to an Access database.
    # First part: create variables for the database
    $strDB = "h:\Security-grp-shares1.accdb"
    $strTable = "tblGrpSec"
    $strAccessQuery = "Select * from $strTable"
    # next set of variables defines all the parameters for opening the Access database
    $adOpenStatic = 3
    $adLockOptimistic = 3
    $objConnection = New-Object -ComObject ADODB.Connection
    $objRecordSet = new-object -ComObject ADODB.Recordset
    $objConnection.Open("Provider = Microsoft.ACE.OLEDB.12.0; Data Source= $strDB")
    $objRecordSet.Open($strAccessQuery, `
    $objConnection, $adOpenStatic, $adLockOptimistic)

    write-host -foreGroundColor yellow "Obtaining share info …"

    foreach ($Group in $objGroup)
    {
    # start a new row for this group
    $objRecordSet.AddNew()
    $grpName = $Group.GroupName
    $grpDN = $Group.DN
    $grpDesc = $Group.Description
    $grpNotes = $Group.Notes
    # GroupType and GroupScope are assigned without conversion (the values discussed in this thread)
    $grpType = $Group.GroupType
    $grpScope = $Group.GroupScope
    $grpCreDate = $Group.CreationDate
    $grpModDate = $Group.ModificationDate
    $grpEmail = $Group.Email

    $objRecordSet.Fields.item("grpName") = $grpName
    $objRecordSet.Fields.item("grpDN") = $grpDN
    $objRecordSet.Fields.item("grpDesc") = $grpDesc
    $objRecordSet.Fields.item("grpNotes") = $grpNotes
    $objRecordSet.Fields.item("grpType") = $grpType
    $objRecordSet.Fields.item("grpScope") = $grpScope
    $objRecordSet.Fields.item("grpCreDate") = $grpCreDate
    $objRecordSet.Fields.item("grpModDate") = $grpModDate
    $objRecordSet.Fields.item("grpEmail") = $grpEmail
    # commit the row
    $objRecordSet.Update()
    write-host -foregroundColor yellow "/\" -noNewLine
    }
    # release the recordset and the connection
    $objRecordSet.Close()
    $objConnection.Close()


  4. 4 Dmitry Sotnikov March 17, 2009 at 2:07 pm

    I am not a database guru but I bet type transformation is going wrong somewhere.

    Try doing:

    $grpType = $Group.GroupType.ToString()

    instead of just $grpType = $Group.GroupType

    This should make type transformation explicit.


  5. 5 RajeshGowda March 6, 2011 at 8:10 am

    -2147483643 – Builtin groups

  6. 6 Kevin December 13, 2013 at 5:19 am

    Dmitry, I realise this thread is very old but was wondering if you could help me with a seemingly simple PowerShell script.
    I need to change the scope of +/- 1000 AD groups from Global to Local.

    I used powershell to dump the groups to CSV – No problem.
    But I’m having trouble reading it out into an array and looping through to change the scope.

    This is what I used to dump out to CSV

    Import-Module ActiveDirectory
    Get-ADGroup -Filter * -SearchBase "ou=File Access,ou=Groups,ou=name,ou=name,dc=domain,dc=domain" | Export-csv FileAccgroups.csv

    Now I thought my code to change the info in the csv would look something like this but I am having no luck.

    $groups = Import-csv .\FileAccgroups.csv
    ForEach ($group in $groups)
    {set-adgroup -Identity "$groups" -Groupscope 2}
    {set-adgroup -Identity "$groups" -Groupscope 0}

    • 7 Dmitry Sotnikov December 17, 2013 at 7:43 pm

      Kevin, I am not a specialist on Microsoft’s AD cmdlets – I have only been using the Quest ones that I overlooked. A few issues with your script are quite obvious:

      * Why -Identity “$groups”? $groups is the whole set. $group is the individual object. And if that does not work, put something like:

      * why duplicate lines?
      {set-adgroup -Identity "$groups" -Groupscope 2}
      {set-adgroup -Identity "$groups" -Groupscope 0}

      Are you trying to filter that? Then use Where-Object for filtering.

      If you need further help, I think there’s still a fairly active AD and PowerShell forum at http://powergui.org
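
A corrected form of the CSV loop from the question above, as an added example that is not part of the original comments. It assumes the ActiveDirectory module and the FileAccgroups.csv file produced by the Get-ADGroup | Export-Csv command in that comment (with its default DistinguishedName and GroupScope columns); the function name Convert-GroupsToDomainLocal is hypothetical. It passes each row's own identity, converts in two steps because Global cannot be changed to DomainLocal directly, and returns the groups that failed so they can be reviewed by hand.

```powershell
# Added example; requires the ActiveDirectory module and a CSV exported
# from Get-ADGroup (columns DistinguishedName and GroupScope are used).
Import-Module ActiveDirectory

function Convert-GroupsToDomainLocal {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CsvPath)

    $failed = @()
    foreach ($group in Import-Csv -Path $CsvPath) {
        # Use the single row ($group), not the whole collection ($groups).
        $dn = $group.DistinguishedName
        if ($group.GroupScope -ne 'Global') { continue }   # only touch Global groups
        try {
            # Global -> DomainLocal is not allowed directly; go through Universal.
            Set-ADGroup -Identity $dn -GroupScope Universal   -ErrorAction Stop
            Set-ADGroup -Identity $dn -GroupScope DomainLocal -ErrorAction Stop
        } catch {
            # Typically a nesting restriction; record it instead of stopping the run.
            $failed += [pscustomobject]@{ Group = $dn; Error = $_.Exception.Message }
        }
    }
    $failed
}

# Dry run first: -WhatIf reports what would change without writing to AD.
Convert-GroupsToDomainLocal -CsvPath .\FileAccgroups.csv -WhatIf
```

Remove -WhatIf only after the dry-run output lists exactly the groups you expect.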


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

September 2007
