Changing security group scope

This thread has 6 replies and has been viewed 3421 times.

#1
Hi All,

I'll set the scene. We currently have a Windows 2003 domain (forest and domain level is Windows 2003). We're looking to migrate to a Windows 2008 R2 domain (forest and domain functional level is 2008). What I want to do is create all IT staff admin accounts in the new domain and disable their admin accounts in the old domain.

We have 3 security groups set up in the old domain:

oldDomain\1stline - Global Security Group
oldDomain\2ndline - Global Security Group
oldDomain\3rdline - Global Security Group

I've set up 6 groups in the new domain:

newDomain\SG - D - 1stline - Domain Local Security Group
newDomain\SG - D - 2ndline - Domain Local Security Group
newDomain\SG - D - 3rdline - Domain Local Security Group
newDomain\SG - G - 1stline - Global Security Group
newDomain\SG - G - 2ndline - Global Security Group
newDomain\SG - G - 3rdline - Global Security Group

Users are members of the global groups, which are then members of the local groups. You get the picture.

Now, I can't add the newDomain global security groups into the oldDomain global security groups as this is not allowed. So I was thinking of changing the oldDomain global groups to universal groups, and then changing them to domain local groups. This will then allow me to add the global groups from the new domain into the domain local groups in the old domain.

I've tested this by creating an oldDomain\1stline test global group, adding all the members of the oldDomain\1stline security group and changing it to universal then local. This all worked fine.

I was just wondering if there are any side effects of changing the group scope? We have service accounts that sit in this group that I don't want to cause issues with. Anyone have any other ways of getting to the end goal? The domain admins group is a global group so I can't add them straight into there. The administrators group is a domain local group but this does not have any rights over the end PCs so would be of no use.

Thanks in advance.
Michael
__________________
Michael Armstrong www.m80arm.co.uk MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician ** Remember to give credit where credit is due and leave reputation points
#2
I don't see any issues at first glance... Where do you see potential issues?
__________________
Marcel Netherlands http://www.phetios.com http://blog.nessus.nl MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE No matter how secure, there is always the human factor.
#3
The changing of the actual groups from Global to Local. Not too sure if it has any side effects.

I think it will be OK to be honest, but it's always nice to have the reassurance. I've tested this and it seems to work fine, so I think I'll just go ahead. I couldn't find any cases of this causing any problems.
Michael
__________________
Michael Armstrong www.m80arm.co.uk MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician ** Remember to give credit where credit is due and leave reputation points
#4
Hi,

What you can do is create a copy of the group, then move everything except the service accounts to the new group and make the changes there.
__________________
Thanks & Regards v-2nas MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7 Sr. Wintel Eng. (Investment Bank) Independent IT Consultant and Architect Blog: http://www.exchadtech.blogspot.com Show your appreciation for my help by giving reputation points
#5
Navdeep,

Doing this would mean I would have to add the new group to exactly the same resources as the old group. I've been testing the changing of scope and so far I have not encountered any problems, so I think I will just change the scope.

Thanks for replying.
Michael
__________________
Michael Armstrong www.m80arm.co.uk MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician ** Remember to give credit where credit is due and leave reputation points
#6
Changing a group's scope changes what users and groups can be members of the group, what groups the group can be a member of, and what resources can have permissions applied to the group. Here's a quick breakdown from MS:

A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.

A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.

A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.
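The two-step conversion Michael describes in post #1 (Global to Universal, then Universal to Domain Local) and the scope rules Joeqwerty quotes in post #6 can be scripted with the ActiveDirectory PowerShell cmdlets. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes the ActiveDirectory module is available, that the old domain's DCs answer Active Directory Web Services queries (a 2008 R2 DC, or the Active Directory Management Gateway Service installed on the 2003 DCs), and that the account running it has rights in both domains; the server names are placeholders. It checks the one rule that can block the first step (a Global group cannot become Universal while it is itself a member of another Global group), records the group's SID and membership before the change, and verifies afterwards that both are unchanged, which is the practical answer to the "side effects" question: the group object and its SID survive, so existing ACEs and the service-account memberships keep working.

```powershell
# Added example, not from the thread: convert an old-domain Global group to Domain Local
# via Universal, verify nothing about the group changed except its scope, then nest the
# Global group from the new (trusted) domain into it.
Import-Module ActiveDirectory

$OldDc     = 'olddc01.olddomain.local'   # placeholder: a DC in the old domain
$NewDc     = 'newdc01.newdomain.local'   # placeholder: a DC in the new domain
$GroupName = '1stline'                   # oldDomain\1stline, from the thread
$NewGroup  = 'SG - G - 1stline'          # newDomain\SG - G - 1stline, from the thread

$group = Get-ADGroup -Identity $GroupName -Server $OldDc -Properties memberOf
if ($group.GroupScope -ne 'Global') {
    throw "Expected $GroupName to be Global, found $($group.GroupScope)"
}

# Rule: Global -> Universal is refused while the group is a member of another Global group.
$globalParents = @($group.memberOf |
    ForEach-Object { Get-ADGroup -Identity $_ -Server $OldDc } |
    Where-Object  { $_.GroupScope -eq 'Global' })
if ($globalParents.Count -gt 0) {
    throw "Remove $GroupName from these Global groups first: $($globalParents.Name -join ', ')"
}

# Baseline: SID (what every ACE actually references) and the member list, service accounts included.
$sidBefore     = $group.SID.Value
$membersBefore = @(Get-ADGroupMember -Identity $group -Server $OldDc |
    Select-Object -ExpandProperty distinguishedName | Sort-Object)

# Step 1: Global -> Universal. Step 2: Universal -> Domain Local (no membership rule applies).
Set-ADGroup -Identity $group -GroupScope Universal   -Server $OldDc
Set-ADGroup -Identity $group -GroupScope DomainLocal -Server $OldDc

# Verify the only thing that changed is the scope.
$after = Get-ADGroup -Identity $GroupName -Server $OldDc
if ($after.GroupScope -ne 'DomainLocal') { throw "Scope is $($after.GroupScope), expected DomainLocal" }
if ($after.SID.Value -ne $sidBefore)     { throw 'SID changed; existing permissions would break' }
$membersAfter = @(Get-ADGroupMember -Identity $after -Server $OldDc |
    Select-Object -ExpandProperty distinguishedName | Sort-Object)
if (($membersBefore -join ';') -ne ($membersAfter -join ';')) {
    throw 'Membership differs after the scope change'
}

# The Domain Local group can now hold the Global group from the new domain. Writing the
# member as a SID-bound DN lets the old domain create the foreign security principal itself,
# which is the form that works across a trust when the new domain is a separate forest.
$newGlobal = Get-ADGroup -Identity $NewGroup -Server $NewDc
Set-ADGroup -Identity $after -Server $OldDc -Add @{ member = "<SID=$($newGlobal.SID.Value)>" }

Write-Output "$GroupName is now DomainLocal (SID $sidBefore) and contains $NewGroup"
```

Run it against the test copy of the group first, as Michael did, and keep the pre-change member list it captures: if the check after conversion ever fails, that list is what you restore from. Note that the Universal step is momentary here, but a Universal group's membership is written to the Global Catalog, so in a large group expect a burst of GC replication between the two Set-ADGroup calls.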
#7
Joeqwerty,

Yes - the main reason I was asking the question was whether there are any issues changing the scope after you have permissioned everything. Long story short, all our groups on the old domain are global and need to be changed to local to allow me to add the global groups in from the new domain, so users still have permissions over resources in the old domain once their accounts have been migrated.
Michael
__________________
Michael Armstrong www.m80arm.co.uk MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician ** Remember to give credit where credit is due and leave reputation points