Collections
Deploying Active Directory
Administration
Change Groups Scope

Change Groups Scope

At times you may run into a case where you need to change an existing security group’s scope, say from Domain Local to Global. This article walks you through the process.

Within a domain, three Security Group Types exist:

  1. Domain Local
  2. Global
  3. Universal

To switch between them use the following command:

Get-ADGroup GroupName | Set-ADGroup -GroupScope DomainLocal

If needing to change the scope from Global to Domain Local, you’ll need to add an extra step:

Get-ADGroup GroupName | Set-ADGroup -GroupScope Universal
Get-ADGroup GroupName | Set-ADGroup -GroupScope DomainLocal

Using the Universal scope as an intermediary is required as Active Directory will not allow you to directly change the scope from Global to Domain Local.

Clean Abandoned GPOs