Fix for universal group can't have local member error 0X00002146

Windows Errors | Intermediate | May 27, 2026

This error pops up when you try to add a local group to a universal group in Active Directory. It's a hard rule — the fix is to change the group type or scope.

What triggers this error

You're working in Active Directory Users and Computers. Maybe you're setting up a cross-domain group for file shares or email distribution. You add a group from a different domain as a member of a universal group. Then you get the error: ERROR_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER (0X00002146). The exact message reads: "A universal group cannot have a local group as a member."

This happens most often when the group you're trying to add has its scope set to Domain Local. Universal groups can only contain other universal groups, global groups, or individual user accounts. Domain local groups are restricted to their own domain. It's a rule baked into Active Directory since Windows 2000 — you can't break it, no workaround exists.

Root cause in plain English

Think of group scopes like building access cards. A universal group is like a master key that works in any building in the company. A domain local group is a key that only works in one building. You can't put a one-building key into a master key ring — it doesn't belong there. Active Directory enforces this to prevent permission problems that would break when you try to use the universal group across domains.

The member group you're adding has its scope set to Domain Local. Universal groups only accept members that are Global, Universal, or security principals (users, computers). The fix is either change the member group's scope or change the target group's type.

Fix: three approaches

Pick the one that fits your situation. I'll walk through each.

Option 1: Change the member group from Domain Local to Global or Universal

This works if the member group doesn't need to include other domain local groups. If it's a flat group of users, this is your best bet. Note that Active Directory will not convert a Domain Local group straight to Global (that option is unavailable in the dialog); converting to Universal first is the supported path, and it is refused if the group still nests other domain local groups.

  1. Open Active Directory Users and Computers (dsa.msc).
  2. Find the group you're trying to add as a member. Right-click it and select Properties.
  3. Go to the General tab. Look at Group scope. If it shows Domain Local, you need to change it.
  4. Click Change scope. You'll see three options: Domain Local, Global, Universal. Select Global or Universal.
  5. Click OK. A warning appears: "Changing the group scope may affect group membership." That's fine — click Yes.
  6. Back in Properties, click Apply. After clicking Apply you should see the scope update in the list.
  7. Now go back to the universal group. Right-click it, select Properties, go to Members tab, and add the group again. It should work.

Option 2: Change the target group from Universal to Global

If the member group must stay as Domain Local (for example, it contains machine accounts or other local groups), change the universal group to a global group instead. Global groups can contain domain local groups from the same domain.

  1. In Active Directory Users and Computers, right-click the universal group and select Properties.
  2. Go to the General tab. Under Group scope, click Change scope.
  3. Select Global. Click OK. A warning appears — click Yes.
  4. Click Apply. After applying, the scope shows as Global.
  5. Now add the domain local group as a member. Right-click the group, Properties, Members tab, Add. Type the group name and click OK. It should work this time.

Caveat: A global group can only contain members from the same domain. If the member group is in a different domain, this option won't work. Option 1 is better for cross-domain scenarios. Two further checks before relying on this option: Active Directory refuses to convert a universal group to Global while it still contains other universal groups, and the membership rules for global groups only admit users, computers and other global groups of the same domain, so verify the member group's scope and type after the change rather than assuming the Add will succeed.

Option 3: Create a new universal group and move users

If you can't change the scope of either group (maybe they're tied to applications or security policies), create a new universal group and manually add the individual users instead of the group.

  1. Right-click the OU where you want the new group, choose New > Group.
  2. Give it a name like Universal-ProjectX-Users. Set Group scope to Universal. Set Group type to Security (or Distribution, depending on need).
  3. Click OK.
  4. Open the new group's Properties, go to Members tab, and add each user from the domain local group. This is tedious but it avoids the error entirely.

What to check if it still fails

  • Mixed-mode domain functional level. If your domain is running at the Windows 2000 mixed or Windows Server 2003 interim functional level, universal security groups aren't available at all. Check your domain functional level: open Active Directory Domains and Trusts, right-click your domain, select Properties. If it says "Windows 2000 mixed" or "Windows Server 2003 interim," you can't use universal groups. Raise the functional level to Windows Server 2008 or higher.
  • Group nesting limits. Even if the scope is correct, you can't nest more than a few levels deep. The hard limit is around 10 levels. Check your group chain with PowerShell: Get-ADGroupMember -Identity "GroupName" -Recursive | Measure-Object. If you see a recursion error, you've got a loop.
  • Permissions issue. Make sure the account you're using has write access to both groups. You need at least write permission on the group's member attribute (shown as Write Members in the group's Advanced Security settings). If you're a Domain Admin, you're fine.
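The pre-flight checks above and the Option 1 conversion, as an added PowerShell example that is not from the original article. It assumes the ActiveDirectory module (RSAT) is installed, that the account has Write Members on the target group, and that the group names Universal-ProjectX-Users and DL-FileShare-Readers are placeholders for your own groups.

```powershell
# Added example; not the article's own code. Assumes the ActiveDirectory
# module is available and the caller has Write Members on the target group.
# Group names below are placeholders; substitute your own.
Import-Module ActiveDirectory

function Test-UniversalMembership {
    param(
        [Parameter(Mandatory)] [string] $UniversalGroup,
        [Parameter(Mandatory)] [string] $MemberGroup
    )
    $target = Get-ADGroup -Identity $UniversalGroup
    $member = Get-ADGroup -Identity $MemberGroup
    $domain = Get-ADDomain

    # Universal security groups need a native-mode domain (the "What to check" list).
    if ($domain.DomainMode -like '*Mixed*' -or $domain.DomainMode -like '*Interim*') {
        return "Domain functional level $($domain.DomainMode) does not support universal groups."
    }
    if ($target.GroupScope -ne 'Universal') {
        return "$UniversalGroup is $($target.GroupScope), not Universal; check you have the right group."
    }
    if ($member.GroupScope -eq 'DomainLocal') {
        # This is exactly the ERROR_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER (0x2146) case.
        # Domain Local -> Universal is refused while the group nests other domain local groups.
        $nestedLocals = Get-ADGroupMember -Identity $member |
            Where-Object objectClass -eq 'group' |
            ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
            Where-Object GroupScope -eq 'DomainLocal'
        if ($nestedLocals) {
            return "Cannot convert ${MemberGroup}: it nests domain local groups ($($nestedLocals.Name -join ', ')). Use Option 3."
        }
        return 'ConvertMember'
    }
    return 'Ok'
}

function Repair-UniversalMembership {
    param([string] $UniversalGroup, [string] $MemberGroup)
    $verdict = Test-UniversalMembership -UniversalGroup $UniversalGroup -MemberGroup $MemberGroup
    switch ($verdict) {
        'ConvertMember' {
            # Option 1: change the member group's scope, then retry the Add.
            Set-ADGroup -Identity $MemberGroup -GroupScope Universal
            Add-ADGroupMember -Identity $UniversalGroup -Members $MemberGroup
        }
        'Ok'    { Add-ADGroupMember -Identity $UniversalGroup -Members $MemberGroup }
        default { Write-Warning $verdict }
    }
}

Repair-UniversalMembership -UniversalGroup 'Universal-ProjectX-Users' -MemberGroup 'DL-FileShare-Readers'
```

Run Test-UniversalMembership on its own first if you only want the diagnosis; Repair-UniversalMembership is the part that writes to the directory.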

I've seen this error more times than I can count. The fix is almost always Option 1 — change the member group's scope to Global. Give it a shot, and you'll be back to work in five minutes.
