Platform SDK: Active Directory, ADSI, and Directory Services |
Changing a group's scope or type is not allowed in mixed-mode domains. However, the following conversions are allowed in native-mode domains:
Global group to universal group. However, this is only allowed if the global group is not a member of another global group.
Domain local group to universal group. However, the domain local group being converted cannot contain another domain local group.
Universal group to global or domain local group. For conversion to global group, the universal group being converted cannot contain users or global groups from another domain. For conversion to domain local group, the universal group being converted cannot be a member of any universal group or a domain local group from another domain.
In native mode, a group's type can be converted freely between security groups and distribution groups.
Note that if a group is used to set access control, changing the scope or type can affect the access control entries (ACEs) that contain that group. The security system will ignore ACEs that contain groups that are not security groups.