Change Group Scope
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Membership in Account Operators , Domain Admins , or Enterprise Admins , or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.
Changing group scope
Using the Windows interface
Using a command line
To change group scope using the Windows interface
To open Active Directory Users and Computers, click Start , click Control Panel , double-click Administrative Tools , and then double-click Active Directory Users and Computers .
To open Active Directory Users and Computers in Windows ServerĀ® 2012, click Start , type dsa.msc .
In the console tree, click the folder that contains the group for which you want to change the group scope.
Where?
- Active Directory Users and Computers\ domain node \ folder that contains the group
In the details pane, right-click the group, and then click Properties .
On the General tab, under Group scope , select the group scope.
Additional considerations
To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
Another way to open Active Directory Users and Computers is to click Start , click Run , and then type dsa.msc .
You can change group scopes only when the domain functional level is set to Windows 2000 native or higher.
Changing the scope of a group from universal to domain local can only be done on a global catalog server. An error message appears if the domain controller is not a global catalog server.
You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start , click Administrative Tools , and then click Active Directory Module for Windows PowerShell . For more information, see Change Group Scope (https://go.microsoft.com/fwlink/?LinkId=180675).
To open the Active Directory module in Windows Server 2012, open Server Manager , click Tools and then click Active Directory Module for Windows PowerShell .
For more information about Windows PowerShell, see Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=102372).
Additional references
To change group scope using a command line
To open a command prompt, click Start , click Run , type cmd , and then click OK .
To open a command prompt in Windows Server 2012, click Start , type cmd , and then click OK .
Type the following command, and then press ENTER:
dsmod group <GroupDN> -scope {L|G|U}
| Parameter | Description |
|---|---|
<GroupDN> |
Specifies the distinguished names of the group object to which the scope will be changed. |
{L|G|U} |
Specifies that the scope of the group is set to local ( L ), global ( G ) or universal ( U ). If the domain functional level is still at Windows 2000 mixed, the universal scope is not supported. Also, it is not possible to convert a domain local group to a global group or a global group to a domain local group. |
To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:
dsmod group /?
Additional considerations
To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
You can change group scopes only when the domain functional level is set to Windows 2000 native or higher.
Changing the scope of a group from universal to domain local can only be done on a global catalog server. An error message appears if the domain controller is not a global catalog server.
You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start , click Administrative Tools , and then click Active Directory Module for Windows PowerShell .
To open the Active Directory module in Windows Server 2012, open Server Manager , click Tools and then click Active Directory Module for Windows PowerShell .
For more information, see Change Group Scope (https://go.microsoft.com/fwlink/?LinkId=138380). For more information about Windows PowerShell, see Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=102372).