Global Groups & Exchange What a challenge to convert

 

Everything starts with the kiosks of managing exchange recipients from active directory on exchange 2000/2003

When you mail enable a group, The Active Directory console never bother if this group is in a universal or a global scope.

For multi domains implementations where exchange installed in a child domain and users reside in other child domains, the only way to address groups expansion and group membership is to work with universal groups as they are replicated in the global catalog.

With the new generation of exchange, 2007, we started to stop using active directory management and stress on managing exchange from the exchange management tools so that new mail enabled groups are created automatically with universal scope

Universal groups are always be the ultimate solution but that was never forced in exchange 2003, later version of exchange forces the group scope through the creation but doesn’t change the scope for the existing groups.

image

This is exactly what we are after on this article, is to find how we can convert all mail enabled groups from global to universal.

I was optimistic when I started to do the job that I will finish it  with a one line command or just a small code

 

PowerShell

 $ListOfGroups=Get-DistributionGroup -Filter {grouptype -eq "Global"} 
Foreach($Group in $ListOfGroups) 
{ 
    Set-adgroup -identity $Group.displayname -GroupScope "Universal" 
}

As you can imagine, this has thrown many exceptions.

Set-ADGroup : A global group cannot have a universal group as a member At line:1 char:89 Set-ADGroup <<<< -GroupScope universal + CategoryInfo : NotSpecified: (CN=Parent02,OU=...=myeagle,DC=dev :ADGroup) [Set-ADGroup], ADException + FullyQualifiedErrorId : A global group cannot have a universal group as a member,Microsoft.ActiveDirectory.Management.Commands.SetADGroup

Active directory has a nice cool feature to nest multiple groups so that the group “HR Egypt” can be a member of the “HR Corp”

If both groups are global and you tried to change the group scope of “HR Egypt” you will have an error that this group can’t be a member of another global group because universal groups can’t be member of any global groups.

That means you need to change the “HR Corp” first to universal and after that you change the “HR Egypt” group.

That’s the first question we need to answer when we develop our script.

What’s next?

Theoretically speaking if you change the “HR Corp” then you can change the “HR Egypt” group but in a real life example that simple relation almost doesn’t exist.

‘HR Corp’ might also be a member of another global group so you need to trace down and change from the point where you have a group that’s not a member of any other global group.

Is that enough?

No, cause in real life if you check the members of any group you will find many groups with global scope.

Most of the times after many years of operating active directory you might also end up with a mesh topology of group relations and when you start to run the command to change the  group to global you need to start with the most basic group where the group is not member of any universal and it doesn’t have any other global groups.

I dig more and more to find a solution for this but I find a funny workaround, if you run the above code multiple times, you will eventually manage to change all the groups, off course your  will have many exceptions and you don’t know how many times you need to run the code but at least you have a solution.

I decided to build another code jut to repeat the above, simple code that handles the exception and keep running till all mail enabled groups are converted to universal.

PowerShell

#Import AD module

Import-Module ActiveDirectory

#Create a Main Code function

Function MainCode() { [CmdletBinding(SupportsShouldProcess=$true)] Param()

    #Retrieve the list of mail enabled groups in global scope      $Groups = @(Get-DistributionGroup -Filter {(GroupType -eq "Global")} -ResultSize unlimited)     if($groups)     {         ForEach ($Group in $Groups)         {

        #Check for member & memberof             Write-verbose "Stage 1: Working on $($Group.Name)"            $MemberOfGroups=Get-ADPrincipalGroupMembership $($Group.name) | Where-Object {$_.GroupScope -eq "Global"}             $MembersGroups=Get-ADGroupMember $($Group.Name) | Where-Object {$_.objectClass -eq "group"} | get-Adgroup | Where-Object {$_.GroupScope -eq "Global"}             If($MemberOfGroups -And $MembersGroups)             {                 write-verbose "Stage 2.1: memberof And members are detected $($Group)"             }             elseif($MemberOfGroups)             {                write-verbose "Stage 2.2: memberof are detected $($Group)"             }             else             {                 write-verbose "Stage 2.3: no memberof or members are detected $($Group)"                 Get-ADGroup $($Group) | Set-ADGroup -GroupScope Universal -PassThru             }         }     }     else     {        write-verbose "Stage 3: no more loops"         break     }     return $Groups.Count }

#Loop statement till there are no more groups in global scope Do{MainCode -Verbose}While($Groups.Count)

Enjoy Smile

Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Comments

  • Anonymous
    October 07, 2014
    Brilliant script, nice jobRamy Messiha