changing group scope

Discussion in 'MCSE' started by kcsteele, Apr 7, 2006.

  1. kcsteele

    kcsteele Guest

    not sure if this is the right group, but I'll give it a try.

    from
    http://technet2.microsoft.com/WindowsServer/en/Library/79d93e46-ecab-...



    Changing group scope
    When creating a new group, by default, the new group is configured as a

    security group with global scope regardless of the current domain
    functional level. Although changing a group scope is not allowed in
    domains with a domain functional level set to Windows 2000 mixed, the
    following conversions are allowed in domains with the domain functional

    level set to Windows 2000 native or Windows Server 2003:


    · Global to universal. This is only allowed if the group you want to
    change is not a member of another global scope group.


    · Domain local to universal. This is only allowed if the group you
    want to change does not have another domain local group as a member.


    · Universal to global. This is only allowed if the group you want to
    change does not have another universal group as a member.


    · Universal to domain local. No restrictions for this operation.


    My question is about the last "Universal to domain local" which it says

    there are no restrictions. What happens if the universal group you want

    to convert to domain local is a member of another universal group? This

    would cause the containing universal group to have a domain-local group

    as a member. If there are no restrictions, wouldn't this cause issues
    because a universal group cannot contain domain local groups?
     
    kcsteele, Apr 7, 2006
    #1
    1. Advertising

  2. kcsteele

    LRM Guest

    All gawked in amazement when: kcsteele assaulted us with:
    > not sure if this is the right group, but I'll give it a try.
    >
    > from
    > http://technet2.microsoft.com/WindowsServer/en/Library/79d93e46-ecab-...
    >
    >
    >
    > Changing group scope
    > When creating a new group, by default, the new group is configured as
    > a
    >
    > security group with global scope regardless of the current domain
    > functional level. Although changing a group scope is not allowed in
    > domains with a domain functional level set to Windows 2000 mixed, the
    > following conversions are allowed in domains with the domain
    > functional
    >
    > level set to Windows 2000 native or Windows Server 2003:
    >
    >
    > · Global to universal. This is only allowed if the group you want to
    > change is not a member of another global scope group.
    >
    >
    > · Domain local to universal. This is only allowed if the group you
    > want to change does not have another domain local group as a member.
    >
    >
    > · Universal to global. This is only allowed if the group you want to
    > change does not have another universal group as a member.
    >
    >
    > · Universal to domain local. No restrictions for this operation.
    >
    >
    > My question is about the last "Universal to domain local" which it
    > says
    >
    > there are no restrictions. What happens if the universal group you
    > want
    >
    > to convert to domain local is a member of another universal group?
    > This
    >
    > would cause the containing universal group to have a domain-local
    > group
    >
    > as a member. If there are no restrictions, wouldn't this cause issues
    > because a universal group cannot contain domain local groups?


    What happened when you tried it in your test environment?

    --
    LRM
    MCNGP 7^2
    www.mcngp.com home of the bogosity singularity.
     
    LRM, Apr 8, 2006
    #2
    1. Advertising

  3. kcsteele

    kcsteele Guest

    Well I got around to testing it and sure enough it doesn't work - AD
    complains "a local group can only be a member of other local groups in
    the same domain".

    Not sure why every place I've looked says that there are "no
    restrictions" for converting universal to domain-local groups... any
    ideas?
     
    kcsteele, Apr 11, 2006
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Global Scope

    , Jun 11, 2005, in forum: MCSE
    Replies:
    4
    Views:
    909
  2. Replies:
    4
    Views:
    55,450
    gsingle
    Jul 14, 2006
  3. Lars Bonnesen
    Replies:
    8
    Views:
    1,929
    Lars Bonnesen
    Jun 15, 2006
  4. Nice4

    OUTPOST Pro v2.0 scope - XP bridging network

    Nice4, Oct 7, 2003, in forum: Computer Security
    Replies:
    0
    Views:
    498
    Nice4
    Oct 7, 2003
  5. funnysun
    Replies:
    2
    Views:
    1,037
    =?Utf-8?B?T1RITUFO?=
    Sep 25, 2007
Loading...

Share This Page