How to Change AD:UserGroup Scope and Type

The AD plug-in for vCenter Orchestrator (vCO) allows for the creation of AD:UserGroup objects as well as the management of their members. What it lacks, though, is an option to define the type of group to create. Read on to learn how I came up with a workflow that allows you to change the group to any group type and scope you like.

Research

The first thing I did was use the workflow from the How to get Active Directory User Attributes article to create a similar workflow for UserGroups. I then ran that workflow several times against numerous groups to identify the differences between Security/Distribution types and Universal, Global, and Domain Local Security group scopes.

Findings

I received consistent results when testing a number of combinations of group scope/types:

Security:

  • Universal Security Group: groupType(-2147483640), sAMAccountType(268435456)
  • Global Security Group: groupType(-2147483646), sAMAccountType(268435456)
  • Domain Local Security Group: groupType(-2147483644), sAMAccountType(536870912)

Distribution:

  • Universal Distribution Group: groupType(8), sAMAccountType(268435457)
  • Global Distribution Group: groupType(2), sAMAccountType(268435457)
  • Domain Local Distribution Group: groupType(4), sAMAccountType(536870913)

AD Enforced Group Change Rules

It appears that AD allows the group type to be changed regardless of the scope setting, but there are some scope change rules:

  • If Global, you can only change to Universal
  • If Domain local, you can only change to Universal
  • If Universal, you can change to either Global or Domain local

With that in mind, if we wish to go from Global -> Domain local or Domain local -> Global, we must first change to Universal, then proceed with the final change to the desired group scope.
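The groupType values from the Findings section and the scope change rules above can be combined into a small planner that returns the groupType values to write, in order. This is an added example, not the workflow attached to this article; the function names are hypothetical, it does not call the AD plug-in, and it assumes groupType is a bit field (0x2 Global, 0x4 Domain local, 0x8 Universal, 0x80000000 security-enabled), which matches the observed values.

```javascript
// Added example: function names are hypothetical, not from the attached workflow.
// Scope bits of groupType; the values listed under Findings are these bits,
// with the sign bit set for Security groups (signed 32-bit integer).
var SCOPE_BITS = { "Global": 0x2, "Domain local": 0x4, "Universal": 0x8 };
var SECURITY_BIT = 0x80000000 | 0; // -2147483648 as a signed 32-bit value

// Decode a groupType value into its scope and type.
function decodeGroupType(groupType) {
  var scope = null;
  for (var name in SCOPE_BITS) {
    if ((groupType & SCOPE_BITS[name]) !== 0) { scope = name; break; }
  }
  if (scope === null) throw new Error("Unrecognized groupType: " + groupType);
  var type = (groupType & SECURITY_BIT) !== 0 ? "Security" : "Distribution";
  return { scope: scope, type: type };
}

// Encode a scope and type back into the signed groupType value.
function encodeGroupType(scope, type) {
  if (!SCOPE_BITS.hasOwnProperty(scope)) throw new Error("Unknown scope: " + scope);
  if (type !== "Security" && type !== "Distribution") throw new Error("Unknown type: " + type);
  return (SCOPE_BITS[scope] | (type === "Security" ? SECURITY_BIT : 0)) | 0;
}

// Ordered groupType values to write to reach the target scope and type.
// The type is changed first (allowed at any scope); a Global <-> Domain local
// change is routed through Universal, as the rules above require.
function planGroupTypeChange(current, targetScope, targetType) {
  var now = decodeGroupType(current);
  var steps = [];
  if (now.type !== targetType) {
    now.type = targetType;
    steps.push(encodeGroupType(now.scope, now.type));
  }
  if (now.scope !== targetScope) {
    if (now.scope !== "Universal" && targetScope !== "Universal") {
      steps.push(encodeGroupType("Universal", now.type));
    }
    steps.push(encodeGroupType(targetScope, now.type));
  }
  return steps;
}
```

Each returned value represents one separate write of the groupType attribute; an empty array means the group already has the requested scope and type.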

Final Result

The final result is a workflow capable of changing AD:UserGroup Scope and Type.

Additionally, a pair of actions is included and used for setting the default (current) value of the scope and type for the selected group.

If you find this workflow may be of use to you, you can find it attached to this article :) Just in case there are any issues here, I have also uploaded a copy to the VMware Code site’s Sample Exchange: https://code.vmware.com/samples?id=3532