lianne143 asked:

Copying users from Global security group to Universal security group.

Hi

We use Windows 2012 domain controllers on our network.

On our active directory there is a Global security group called “Teacher” and in this group there are 100 members.

I have now created a Universal security group in my Active Directory called “My ORG Staff”.

Now I would like all the members in the Teacher group to be copied to the “My ORG Staff”.

Any help and tutorials will be great.

Thanks in advance.
oBdA

No, you don't want to do that. That's not what Universal Groups are there for. Universal groups are replicated in the Global Catalog, so any change in that group gets replicated all over the place, so that membership should be kept static by only adding groups.
Just add the Global group to the Universal group.
Do you even have a forest with multiple domains?
You might want to read up a bit about AG(U)DLP
AGDLP
https://en.wikipedia.org/wiki/AGDLP
ASKER CERTIFIED SOLUTION
Alex
This solution is only available to members.
lianne143 (ASKER)

We have moved to O365 and are going to use the groups for SharePoint Online. We are a single domain.
Well, the code I gave you will give you the samaccountnames, you can literally copy and paste that into your group.

otherwise, copy them into a text file and then the second bit of code will do it.
In a single domain, there's no need for Universal groups. What are you trying to achieve here?
^^ true

I can't think of any reason why o365 would require Universal over Global groups either.

Regards
Alex
We were a single domain. Recently we have joined a Trust and now our O365 is set up with a single tenant with multi-domain syncing into O365.

The domain controllers of each of the organisations sync to the AAD Connect server through a VPN connection.

So now we have multiple domains syncing through a single Azure AD tenant and we have one Global address book for the whole trust.

So in this situation, do we need Universal security groups?
Thanks
OK well I gave you the code for it anyway.

Get-ADGroupMember -Identity "Teacher" | Select-Object SamAccountName

and then paste it into your new group, or use the powershell I gave you before.

Regards
Alex
I still don't see a need for a Universal group with individual user accounts.
The main purpose of Universal groups is to delegate permissions across domains, while avoiding the (expensive) membership lookup in another domain.
Group scope
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755692(v=ws.10)

When to use groups with universal scope
Use groups with universal scope to consolidate groups that span domains. To do this, add the accounts to groups with global scope, and then nest these groups within groups that have universal scope. When you use this strategy, any membership changes in the groups that have global scope do not affect the groups with universal scope.

For an example on how that works, see Ace Fekay's answer here:
can we add universal group into global group
https://social.technet.microsoft.com/Forums/windowsserver/de-DE/fa66b5c5-3ed3-4700-b479-e036577e110b/can-we-add-universal-group-into-global-group?forum=winserverDS
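
The nesting recommended in this thread (Global group as a member of the Universal group, rather than copied user accounts), as an added PowerShell example that is not code from any poster here or from the hidden accepted solution. It assumes the ActiveDirectory module (RSAT) is installed and uses the group names from the question as parameter defaults; the parameter names are this example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example: nest the Global group inside the Universal group (AGUDLP)
# instead of copying its user accounts. Run with -WhatIf to preview the change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GlobalGroup    = 'Teacher',        # group name from the question
    [string]$UniversalGroup = 'My ORG Staff'    # group name from the question
)

$ErrorActionPreference = 'Stop'

$source = Get-ADGroup -Identity $GlobalGroup
$target = Get-ADGroup -Identity $UniversalGroup

# Stop if either group does not have the scope this design expects.
if ($source.GroupScope -ne 'Global') {
    throw "'$GlobalGroup' has scope $($source.GroupScope); expected Global."
}
if ($target.GroupScope -ne 'Universal') {
    throw "'$UniversalGroup' has scope $($target.GroupScope); expected Universal."
}

# Direct (non-recursive) members of the Universal group.
$direct = @(Get-ADGroupMember -Identity $target)

# Flag accounts that sit directly in the Universal group. Under AGUDLP they
# belong in a Global group so the Universal group's membership stays static.
$directAccounts = @($direct | Where-Object { $_.objectClass -ne 'group' })
if ($directAccounts.Count -gt 0) {
    Write-Warning ("Accounts directly in '$UniversalGroup': " +
        ($directAccounts.SamAccountName -join ', '))
}

# Add the Global group as a single member; skip if it is already nested.
if ($direct.DistinguishedName -contains $source.DistinguishedName) {
    Write-Output "'$GlobalGroup' is already a member of '$UniversalGroup'."
}
elseif ($PSCmdlet.ShouldProcess($UniversalGroup, "Add group '$GlobalGroup' as member")) {
    Add-ADGroupMember -Identity $target -Members $source
}

# Effective user membership, resolved through the nested group.
Get-ADGroupMember -Identity $target -Recursive |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, objectClass
```

After this, adding or removing a teacher only touches the Global group; the Universal group's own member list does not change.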