Change group scope

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To change group scope

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open Active Directory Users and Computers.

  2. In the console tree, click the folder that contains the group for which you want to change the group scope.

    Where?

    • Active Directory Users and Computers/domain node/folder that contains the group
  3. In the details pane, right-click the group, and then click Properties.

  4. On the General tab, under Group scope, click the group scope.

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • You can only change group scopes when the domain functional level is set to Windows 2000 native or higher.

  • Changing the scope of a group from universal to domain local can only be done on a global catalog server. An error is returned if the domain controller is not a global catalog server.

Using a command line

  1. Open Command Prompt.

  2. Type:

    dsmod groupGroupDN-scopeL|G|U

Value Description

GroupDN

Specifies the distinguished names (DNs) of the group object to which the scope will be changed.

L|G|U

Specifies that the scope of the group be set to local, global or universal. If the domain is still in Windows 2000 mixed, then the universal scope will not be supported. Also, it is not possible to convert a domain local group to global group or vice versa.

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • You can only change group scopes when domain functional level is set to Windows 2000 native or higher.

  • Changing the scope of a group from universal to domain local can only be done on a global catalog server. An error is returned if the domain controller is not a global catalog server.

  • To view the complete syntax for this command, at a command prompt, type:

    dsmod group /?

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Group scope
Groups
Directory service command-line tools
Command-line reference A-Z
Domain and forest functionality
Working with MMC console files