Share via

change group scope

Rising Flight 4,596 Reputation points
2024-08-17T21:12:51.5533333+00:00

Hi All,

I have only one domain. I have created a mail-enabled security group in Exchange Server 2016. In Active Directory, I see the Group Scope set to "Universal" and the Group Type set to "Security" for this mail-enabled security group.

Can I change the Group Scope from "Universal" to "Global" in Active Directory? Will there be any impact? Can this change be made using PowerShell?

I want to make this mail-enabled security group a member of an AD group, but I am unable to do so because the AD group's settings have the Group Scope set to "Global" and the Group Type set to "Security."

Microsoft Exchange Online
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,652 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,578 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,669 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
2,136 questions
0 comments
Accepted answer
  1. Marcin Policht 25,925 Reputation points MVP
    2024-08-17T22:46:21.96+00:00

    In a single domain forest, you can change the Group Scope from "Universal" to "Global" for a mail-enabled security group in Active Directory without significant impact.

    Impact of Changing Group Scope:

    Mail-Enabled Groups: In a single domain forest, changing the scope from "Universal" to "Global" is generally safe. Global groups are optimized for single-domain environments, so this change should not disrupt the functionality of the group in Active Directory or Exchange Server. The group will still function correctly for email distribution and security purposes within the domain.

    Group Membership and Usage: Since you only have one domain, the restriction that Global groups can only contain members from the same domain is not an issue. The change should not affect group memberships or permissions because all users, computers, and groups reside within the same domain.

    Changing Group Scope Using PowerShell:

    You can change the Group Scope using PowerShell with the following steps:

    1. Import the Active Directory module (if not already done):
    Import-Module ActiveDirectory
    1. Change the Group Scope:
    Set-ADGroup -Identity "YourGroupName" -GroupScope Global

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ian Xue 37,706 Reputation points Microsoft Vendor
    2024-08-19T01:20:35.57+00:00

    Hi,

    Universal Groups can contain members from any domain within the forest and can be used to assign permissions to resources in any domain within the forest. Global Groups can only contain members from the same domain and can be used to assign permissions to resources in any domain within the forest.

    If your Universal group is used to secure resources in more than one domain, changing it to a Global group will limit its scope to only the domain in which it resides. However, since you have only one domain there be no impact. You can simply modify it using the Set-ADGroup cmdlet.

    https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adgroup?view=windowsserver2022-ps#-groupscope

    Best Regards,

    Ian Xue

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.