Posted July 9th, 2012

We regularly get the question if we can solve the following problem: a customer started out with an AD forest containing only a single domain. And because universal groups used to be rather costly in terms of replication between DCs before windows 2008 (in short, all the members of the group were sent over the line when a member was added or removed), they organized access to their resources (such as their file systems) via global security groups.

But then a second domain was introduced into their forest, for whatever reason (business expansion, business take-over, merging businesses, etc). And access to resources in one domain needed to be granted to users in the other domain.

But, users from one domain cannot be added as members to a global security group in another domain…

We see different costumers tackle this problem in the same ways. First they simply try to convert global groups to domain local groups. This works, but only for groups that aren’t themselves member of another global or universal group.

Next they decide to create a parallel group structure with newly created domain local groups, only to find out that this constitutes an immense amount of work. You will not believe the excel sheets we have seen — pieces of art in their own right. Art of the most depressing kind, that is. Because in order to recreate your group structure, you have to find out which groups have been granted access to which parts of your file systems. Once this new structure is implemented, you can never be sure that you have everything covered. So, apart from the work, a nagging ‘did we have it all’ remains.

The solution to this problem is surprisingly simple and safe. Here are the steps you have to take for each group that you need to convert:SupDuck

1. Create a new Global or Universal Security Group.
2. Make the members of your original group member of this new group.
3. Make the new group member of the groups your original group was member of.
4. Remove the members from your original group.
5. Remove your original group from the groups it was member of.
6. Convert your original group from a global or universal group to a Domain Local Group.
7. Make the new group member of your original group.

Notice that you no longer need to find out which rights have been granted to which resources. The question is irrelevant, because the rights to your resources, such as your file systems, haven’t changed. Futhermore, your nestled group membership structure remains intact.

The only thing that’s changed is that your original group is now a domain local group, to which you can now add users from another domain, allowing you to grant access to resources in one domain to users from another domain.

You can follow the procedure mentioned above. The simplest way to perform this conversion, however, is with AdminPlus...

aducADMIN+A Powerfully Simple Active Directory Management Tool.

Download A FREE Trial

We're a software company based in Amsterdam that focuses on large-scale network management software. aducADMIN+ is our flagship product - but we also manage networks of over 20,000 users.

Vision It has been developing custom software solutions since 2009 and launched aducADMIN+ in 2010 to help us save time and money managing our own networks.

Developing software out of amsterdam, The Netherlands with installations in over 50 countries around the globe.


+31 20 893 2017