Changing security group scope



  • m80arm
    Member
    #147513

    Hi All,

    I’ll set the scene. We currently have a Windows 2003 domain (forest and domain level is Windows 2003). We’re looking to migrate to a Windows 2008 R2 domain (forest and domain functional level is 2008). We have a forest to forest trust in place and working.

    What I want to do is create all IT staff admin accounts in the new domain and disable their admin accounts in the old domain. We have 3 security groups set up in the old domain:

    oldDomain1stline – Global Security Group
    oldDomain2ndline – Global Security Group
    oldDomain3rdtline – Global Security Group

    I’ve set up 6 groups in the new domain:

    newDomainSG – D – 1stline – Domain Local Security group
    newDomainSG – D – 2ndline – Domain Local Security group
    newDomainSG – D – 3rdline – Domain Local Security group
    newDomainSG – G – 1stline – Global Security group
    newDomainSG – G – 2ndline – Global Security group
    newDomainSG – G – 3rdline – Global Security group

    Users are members of the global groups, which are then members of the domain local groups. You get the picture.

    Now, I can’t add the newDomain global security groups into the oldDomain global security groups as this is not allowed. So I was thinking of changing the oldDomain global groups to universal groups, and then changing them to domain local groups. This will then allow me to add the global groups from the new domain into the domain local groups in the old domain.

    I’ve tested this by creating an oldDomain1stline test global group, adding all the members of the oldDomain1stline security group, and changing it to universal then domain local. This all worked fine.

    I was just wondering if there are any side effects of changing the group scope? We have service accounts that sit in this group that I don’t want to cause issues with.

    Anyone have any other ways of getting to the end goal? The Domain Admins group is a global group so I can’t add them straight into there. The Administrators group is a domain local group, but this does not have any rights over the end PCs so would be of no use.

    Thanks in advance.

    Michael
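The two-step scope change described in the post (global to universal, then universal to domain local), written out as an added PowerShell example; this is not code from the post or from Microsoft. It assumes the Active Directory module can talk to the old domain (on a Windows 2003 DC that means the Active Directory Management Gateway Service, or pointing at a 2008 R2 DC once one exists), and the server names and the new-forest group name below are placeholders. It records the membership before the change so the service accounts the post worries about can be checked afterwards, and it runs the one pre-flight check AD itself enforces: a global group that is a member of another global group cannot be converted to universal.

```powershell
# Added example: convert a global group to domain local in two steps and verify membership.
# Assumed/placeholder values: server names and the new forest's group name.
Import-Module ActiveDirectory

$oldServer = 'dc1.olddomain.local'          # placeholder: DC in the 2003 domain
$newServer = 'dc1.newdomain.local'          # placeholder: DC in the 2008 R2 domain
$oldGroup  = 'oldDomain1stline'             # group from the post
$newGroup  = 'newDomainSG - G - 1stline'    # global group from the post (new forest)

# 1. Snapshot current membership (users and service accounts) so the change can be verified.
$before = Get-ADGroupMember -Identity $oldGroup -Server $oldServer
$before | Select-Object name, objectClass, distinguishedName |
    Export-Csv ".\$oldGroup-members-before.csv" -NoTypeInformation

# 2. Pre-flight: AD refuses Global -> Universal while the group is a member of another global group.
$globalParents = Get-ADPrincipalGroupMembership -Identity $oldGroup -Server $oldServer |
    Where-Object { $_.GroupScope -eq 'Global' }
if ($globalParents) {
    throw "Remove $oldGroup from these global groups first: $($globalParents.Name -join ', ')"
}

# 3. Two-step conversion; Global -> DomainLocal is not allowed directly.
Set-ADGroup -Identity $oldGroup -Server $oldServer -GroupScope Universal
Set-ADGroup -Identity $oldGroup -Server $oldServer -GroupScope DomainLocal

# 4. Confirm the scope and that no member was lost in the conversion.
$scope = (Get-ADGroup -Identity $oldGroup -Server $oldServer).GroupScope
if ($scope -ne 'DomainLocal') { throw "Unexpected scope after conversion: $scope" }

$after = Get-ADGroupMember -Identity $oldGroup -Server $oldServer
$diff  = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property distinguishedName
if ($diff) {
    Write-Warning "Membership differs after conversion:"
    $diff | Format-Table -AutoSize
} else {
    Write-Host "Membership unchanged ($($after.Count) members)."
}

# 5. The domain local group can now hold a global group from the trusted forest
#    (AD creates a foreign security principal for it in the old domain).
$foreign = Get-ADGroup -Identity $newGroup -Server $newServer
Add-ADGroupMember -Identity $oldGroup -Server $oldServer -Members $foreign
Get-ADGroupMember -Identity $oldGroup -Server $oldServer | Select-Object name, objectClass
```

Run it once per group (1stline, 2ndline, 3rdline) against a test copy first, as the post already did; the CSV written in step 1 is what you compare against if a service account stops authorising after the change. One caveat on scope that the script cannot check for you: a domain local group can only be granted permissions on resources in its own domain, so anywhere the old global group was used on ACLs in another domain of the forest will need a different group after the conversion.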
