Changing Group Types and Scopes

This is more of a personal reminder than anything.
Yesterday I was writing some c# code to change the group scope in Active Director (AD) and it was failing.
As I get time I will do more on groups and group enumeration because it can be a bit tricky but this will focus more on security group scopes.

Group Type is the "type" of group it is. It is either going to be a type of distribution or security.
Ref: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/window...(v=ws.10)
The best way to think of it it is one is related to email and the other is related to securing a resource (file share, access, etc).
Microsoft does allow security enabled distribution groups but I do not think that is advisable unless absolutely necessary. The reason for this
is that someone can add someone to a distribution group thinking they are giving them mail access all the while on the backend they are giving them access to an actual resource.

Group Scope is relate to what can be added to the group.
Ref: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/window...(v%3dws.10)
This can get a bit tricky but basically global scope will not allow any resources from a foreign domain, the others will.

Here is where the limitations come in from a coding perspective.
Every time I tried to change from global to domain local it failed with a server denied request. Same thing happened if I tried to change it from a domain local to a global group. Both changed to universal groups without a problem. Even if you looked at a global group in ADUC, the domain local selection is grayed out and not available.
It turns out that when changing group types:
To change a global group to a domain local group you must first change it to a universal group scope.
To change it back again, you must do the same thing and change it to a universal group and then change it to a global group.

To note however, this will depend on the member objects within the group! (my tests were empty groups)
If there are objects are in the group not supported by the scope you are trying to change to, say a foreign security principal (user from another domain), it will fail.
Foreign security principals cannot reside in a global group and therefore you are restricted from changing the group type.

One consideration if you are planning to just change to universal and then change to domain local is replication.
If you are planning to simply change to universal and then immediately change to domain local.. if your first call goes to one DC and the next call goes to another, the first change may not have replicated to the second DC and therefore it will fail. This can happen if you are hitting DNS or load balancer and it round robins you to the next DC in the list.
This can be resolved by dynamically getting the domain controller name on your first call to insure that your next call goes directly to that domain controller.

Setting the values of the scope and type are normally done by combining the values, thought I was actually using ActiveDS via enums to set the values but will try to get the code up soon.
There are however many articles out there regarding the setting of the values already.
Value Description
1 (0x00000001) Specifies a group that is created by the system.
2 (0x00000002) Specifies a group with global scope.
4 (0x00000004) Specifies a group with domain local scope.
8 (0x00000008) Specifies a group with universal scope.
16 (0x00000010) Specifies an APP_BASIC group for Windows Server Authorization Manager.
32 (0x00000020) Specifies an APP_QUERY group for Windows Server Authorization Manager.
2147483648 (0x80000000) Specifies a security group. If this flag is not set, then the group is a distribution group

37.8269817,-122.4251495,06-17-2019 09:33:41 AM,!Picking Pateunias