In one of my previous blog posts I explained the different security groups we can have in a domain environment. Every group has a scope and a type, and in some situations you may need to change them.
To change the type of a group (security or distribution), all you need to do is open the group, select the new type you need, and click OK.
If you need to change the scope, however, you will only be allowed to make the permitted conversions. The following table describes the possible changes.
| | To Domain Local | To Global | To Universal |
|---|---|---|---|
| From Domain Local | N/A | Prohibited | Permitted only if it doesn’t have other domain local nested groups |
| From Global | Prohibited | N/A | Permitted only if it’s not a member of another group |
| From Universal | Permitted | Permitted only if it doesn’t have other universal groups as members | N/A |
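The table above can be turned into a pre-check that runs before a scope change is attempted. The following is an added example, not code from the original post: the function name `Test-GroupScopeChange` and the sample groups are hypothetical, and the nesting data is constructed inline rather than read from a directory.

```powershell
# Added example: function name and sample groups are hypothetical (constructed).
function Test-GroupScopeChange {
    param(
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$From,
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$To,
        [string[]]$NestedGroupScopes = @(),   # scopes of the groups that are members of this group
        [int]$MemberOfCount = 0               # number of groups this group is a member of
    )
    $allowed = $false
    switch ("$From>$To") {
        'DomainLocal>Global'    { $reason = 'Prohibited' }
        'Global>DomainLocal'    { $reason = 'Prohibited' }
        'DomainLocal>Universal' {
            $allowed = $NestedGroupScopes -notcontains 'DomainLocal'
            $reason  = if ($allowed) { 'Permitted' } else { 'Blocked: has nested domain local groups' }
        }
        'Global>Universal' {
            $allowed = $MemberOfCount -eq 0
            $reason  = if ($allowed) { 'Permitted' } else { 'Blocked: is a member of another group' }
        }
        'Universal>DomainLocal' { $allowed = $true; $reason = 'Permitted' }
        'Universal>Global' {
            $allowed = $NestedGroupScopes -notcontains 'Universal'
            $reason  = if ($allowed) { 'Permitted' } else { 'Blocked: has universal groups as members' }
        }
        default { $reason = 'N/A: source and target scope are the same' }
    }
    [pscustomobject]@{ From = $From; To = $To; Allowed = $allowed; Reason = $reason }
}

# Constructed sample data. With the ActiveDirectory module, the nesting information
# would be derived from Get-ADGroup <name> -Properties Members, MemberOf, and an
# allowed change would be applied with Set-ADGroup <name> -GroupScope <target>.
$samples = @(
    @{ Name = 'DL-Printers'; From = 'DomainLocal'; To = 'Universal';   Nested = @('Global');      MemberOf = 0 }
    @{ Name = 'DL-Shares';   From = 'DomainLocal'; To = 'Universal';   Nested = @('DomainLocal'); MemberOf = 0 }
    @{ Name = 'GG-Finance';  From = 'Global';      To = 'Universal';   Nested = @();              MemberOf = 2 }
    @{ Name = 'UG-AllStaff'; From = 'Universal';   To = 'Global';      Nested = @('Universal');   MemberOf = 0 }
    @{ Name = 'UG-Admins';   From = 'Universal';   To = 'DomainLocal'; Nested = @('Global');      MemberOf = 1 }
    @{ Name = 'GG-HR';       From = 'Global';      To = 'DomainLocal'; Nested = @();              MemberOf = 0 }
)
foreach ($s in $samples) {
    $r = Test-GroupScopeChange -From $s.From -To $s.To -NestedGroupScopes $s.Nested -MemberOfCount $s.MemberOf
    '{0,-12} {1,-11} -> {2,-11} {3,-5} {4}' -f $s.Name, $r.From, $r.To, $r.Allowed, $r.Reason
}
```

Running the check first shows which nesting has to be removed before the change will be accepted, so a conversion never fails halfway through a cleanup.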
Deleting Groups
Each group in AD DS is assigned a unique SID (Security Identifier). AD uses this SID to identify the permissions associated with the group.
When we delete a group from AD DS, it only removes the SID and the permissions associated with the group. It doesn’t remove any member object of the group. This SID also cannot be reused: if you create a group with the same name as the one you deleted, it will get a new SID, and you need to assign the permissions again as you would for a new object.
If you have any questions about the post, feel free to contact me at rebeladm@live.com