Thursday, October 15, 2009

How to Convert Local and Global Groups to Universal Groups

As you may know, Exchange Server 2007 and Exchange Server 2010 force you to create all new distribution groups as universal distribution groups.

The reason for this is that Exchange 2007/2010 requires a local Global Catalog (GC) server in the Active Directory site where Exchange resides to query for group expansion. A GC can expand domain local, global, and universal groups. However, domain local groups (and sometimes global groups) can only be expanded within the domain local scope. If the GC is a member of the domain, it will be unable to expand a domain local group in the subdomain.

Universal groups can be used anywhere in the same Windows forest. A GC is able expand universal groups in any domain or subdomain in that forest, as long as the domain functional level (DFL) and forest functional level (FFL) are at least Windows Server 2003 Interim Level.

Obviously, the issue with group expansion only occurs in multi-domain "enterprise" environments, but Exchange 2007/2010 doesn't care. Distribution groups and mail-enabled security groups must still be universal groups, even in a single domain environment.
If you're moving from Exchange 2000/2003 to Exchange 2007 or Exchange 2010, you're going to want to convert all your domain local and global distribution and mail-enabled security groups to universal groups so they can be managed using the Exchange management tools.

You can change group types and group scope using Active Directory Users and Computers (ADUC), but you can only do one group at a time. When I first started writing this article I was convinced that Powershell was the best way to do this. But due to limitations in the way that Powershell accesses Active Directory, my scripts were getting quite large and complicated, even when using third party Powershell extensions like Quest's free ActiveRoles Management Shell for Active Directory. I started to look for other ways to perform bulk changes of distribution and security groups.

The most efficient way I found is to use the internal Windows dsquery and dsmod tools. These handy and oft-forgotten tools are installed with the operating system in Windows 2000 and later.

The following command will produce a list of all the groups in the domain and their scope (domain local, global, or universal) and whether the group is a security group. The output is redirected to the Groups.txt file:

This command can take a while to run if the domain contains a large number of groups. It took about a minute to process over 6,100 groups.
dsquery group -limit 0 | dsget group -samid -scope -secgrp > Groups.txt
The command to convert all domain local and global groups (both distribution and security groups) is:
dsquery group -limit 0 | dsmod group -c -q -scope u
The first part of this command uses dsquery to query AD for all groups and then pipes the collection to dsmod to convert each group to a universal group. The -c switch tells dsmod to output any errors and continue. The -q switch tells dsmod to run in quiet mode (suppress successful changes).

Note: Some groups cannot be converted to Universal groups. All of the Windows built-on groups are global and cannot be converted to a different group scope.

Also know that a global group cannot have a universal group as a member. When you see this error, it means that the group is a member of another group that cannot be converted to a universal group (for example, the built-in Account Operators group. Sometimes, this can be like chasing a rat down a hole. The groups may be so deeply nested that it's hard to find the group that is preventing the conversion.

Sometimes it helps to run the conversion command again. For example, dsmod may be unable to convert Group-A to a universal group because it contains the domain local group, Group-B. Later in the process, Group-B is converted from a local group to a universal group. If you run the conversion again, Group-A can now be converted.

Note: Exchange 2007 and Exchange 2010 will automatically convert universal distribution groups to universal security groups if the distribution group is used to apply security settings for a MAPI or Public Folder. My next article will cover this in more detail. 4:16 PM