Working on site with a customer I was asked if there was a way to upgrade their ‘Distribution Lists’ to be ‘Universal’?
This would be a simple task with a bit of PowerShell I thought…
After a couple of checks with the AD Management PowerShell cmdlets, I decided to use the Quest ActiveRoles Management Shell for Active Directory, I will explain why I used the Quest pack over the standard AD Management cmdlets.
First Stage: Add the Quest PowerShell to your PowerShell command window or script editor (I use the the PowerShell ISE, it makes things a lot easier).
## Add Quest Activeroles AD management
Add-PSSnapin quest.activeroles.admanagement
Second Stage: Create a collection of groups that isn’t a member of any other group (This is the first reason for using Quest), and then upgrade these to ‘Universal’
## Get all groups that are not a member of another group
$DL = Get-QADGroup -SizeLimit 0 | where {($_.PrimarySMTPAddress -ne $Null) -and ($_.MemberOf.count -eq 0)}ForEach ($member in $DL)
{
Set-QADGroup $Member -GroupScope Universal -ErrorAction Continue
}
Note: You will see that I have a filter ‘$_.PrimarySMTPAddress -ne $Null’ this was put into the script to get Distribution Lists only, as the Quest Get-QADGroup will get both Distribution and Security groups. This can be simply removed and replaced with ‘where {$_.MemberOf.count -eq 0}’ if you want to upgrade all groups.
I had to do this with my customer because even thou they had separated their Distribution and Security groups, they had a over time created the odd Security group nested into a Distribution group.
Third Stage: Get the ‘Members Of’ the collection from second stage, and put them in an array.
## Get the members of the groups in $DL
$Nest = @()
ForEach ($member in $DL)
{
$membersof = Get-QADGroupMember -SizeLimit 0 $member -Indirect | where {$_.GroupScope -eq "Global"}
foreach ($membersofmembersof in $membersof)
{
if ($Nest -notcontains $Membersofmembersof)
{
$Nest += $Membersofmembersof
}
}
}
Note: This is the other reason I used the Quest cmdlets, as you will see on the cmdlet Get-QADGroupMember I've used the switch –Indirect, this means it will get the members of all the nested groups including the groups that nested to those groups, this has been tested to 9 levels of nesting.
Fourth Stage: Using the array from third stage upgrade the groups to ‘Universal’
## Upgrade groups in $nest
ForEach ($member in $Nest)
{
Set-QADGroup $Member -GroupScope Universal -ErrorAction Continue
}
Note: this will loop round the array upgrading the groups to ‘Universal’, if gets a group that it can’t upgrade because its a member of a 'Global’ group you will see a message appear:
Set-QADGroup : The server is unwilling to process the request
You will simply need to repeat stage four, until all groups have been upgraded.
This is a working script and maybe updated over time, I’ll let you know of any updates done to the script.
Download Full Script
Quest ActiveRoles Management for Active Directory – Link
Disclaimer: All scripts and other PowerShell references on this blog are offered "as is" with no warranty. While these scripts are tested and working in my environment, it is recommended that you test these scripts in a test environment before using in your production environment.