STATUS_DS_GROUP_CONVERSION_ERROR (0xC0000406) Fix

Windows Errors | Intermediate | May 29, 2026

This error hits when you try to change a security group to a distribution group in Active Directory and the group has mail-enabled attributes that block it.

When This Error Hits

You're in Active Directory Users and Computers (ADUC). You right-click a security group, pick "Change Group Type," and switch it from "Security" to "Distribution." Click OK, and instead of a success message, you get:

STATUS_DS_GROUP_CONVERSION_ERROR (0xC0000406)
The group cannot be converted due to attribute restrictions on the requested group type.

This happens most often with groups that were mail-enabled in Exchange or had attributes like proxyAddresses, mail, or msExch* slapped on them. You'll see it in hybrid environments or on Domain Controllers running Windows Server 2016 or 2019. The error fires because AD checks if the group type matches what Exchange expects, and it won't let you flip types unless the attributes line up.

Root Cause in Plain English

Active Directory has a rule: you can't turn a security group into a distribution group if that group already has a mailbox or mail-enabled features. The AD schema stores group type as a 32-bit flag in the groupType attribute. Security groups have bit 1 set (value 0x80000000). Distribution groups don't. Exchange adds attributes like msExchRecipientTypeDetails and msExchRemoteRecipientType that lock the type in place. When you try to change it through ADUC, AD checks those attributes and says "Nope, this group is mail-enabled, you can't just switch it."

The real fix: strip off the Exchange-related attributes first, then change the group type, then reapply what you need. Or you can force the change through ADSI Edit, but that's risky if you don't clean up fully.

The Fix: Step-by-Step

I've done this dozens of times. Here's the cleanest method using ADSI Edit. It works on Windows Server 2016, 2019, 2022, and Windows 10/11 with RSAT.

Step 1: Open ADSI Edit

  1. Press Win + R, type adsiedit.msc, hit Enter.
  2. In the console tree, right-click "ADSI Edit" and pick "Connect to."
  3. In the dialog, make sure "Select a well-known Naming Context" is set to "Default naming context." Click OK.
  4. Expand the domain, then expand "DC=yourdomain,DC=com" (yours will be different).
  5. Navigate to the Organizational Unit (OU) containing your group. If you don't know where it is, right-click the domain and choose "Find."

Step 2: Back Up the Group's Attributes

  1. Right-click the group and choose "Properties."
  2. In the Attribute Editor tab (if you don't see it, the group isn't selected right—go back and pick the group object), scroll to groupType. Note the current value. For a security group, it should be 0x80000002 (global security) or 0x80000004 (universal security). Write it down.
  3. Scroll to msExchRecipientTypeDetails. Note the value. Common ones: 1 for user mailboxes, 8 for distribution groups, 16 for security groups with mail. If it's 16, that's your problem.
  4. Scroll to msExchRemoteRecipientType. If it has a value, write it down too. Usually 4 or 8.
  5. Scroll to proxyAddresses. It'll show a list like SMTP:group@domain.com. Write down every address. You'll need these later.
  6. Also check the mail attribute; it'll have the primary SMTP address.

Why bother writing all this? Because you're about to delete these values to force the conversion, and you'll want to restore them if the group needs mail later.

Step 3: Strip Exchange Attributes

  1. In the group's Properties window, double-click msExchRecipientTypeDetails. Set the value to 0 and click OK.
  2. Double-click msExchRemoteRecipientType. Set it to 0 and click OK.
  3. Double-click proxyAddresses. Select each address and click Remove until the list is empty. Click OK. (Don't skip this—AD won't convert if there are any proxy addresses.)
  4. Double-click mail. Delete the value so the field is blank. Click OK.
  5. Also check msExchRecipientDisplayType and msExchVersion—set them to 0 if they exist.
  6. Click Apply, then OK to close the Properties window.

Step 4: Change the Group Type

  1. Back in ADSI Edit, right-click the group and choose "Properties" again.
  2. Double-click groupType. To make it a distribution group, you need to remove the security bit. Take your current value (like 0x80000002), subtract 0x80000000 from it. That gives you 0x00000002 (global distribution) or 0x00000004 (universal distribution). Type that new value. Click OK.
  3. Click Apply, then OK.

Expected outcome: You should see the change take effect immediately. No error.

Step 5: Verify the Change

  1. Open Active Directory Users and Computers.
  2. Find the group. Right-click it, choose Properties.
  3. In the General tab, look at "Group type." It should say "Distribution." If it still says "Security," you missed an attribute. Go back to Step 3 and double-check msExchRecipientTypeDetails and proxyAddresses.

Step 6: Restore Mail Attributes (Optional)

If this group needs to send or receive email as a distribution group, you can now re-add the mail attributes. But don't re-add msExchRecipientTypeDetails with value 16—that makes it a security group again. Set it to 8 for a distribution group. Re-add your proxy addresses and the mail attribute. Then run Get-Recipient in Exchange PowerShell to confirm it's recognized.
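The record-keeping from Step 2, the groupType arithmetic from Step 4 and the check from Step 5, as a read-only PowerShell script. This is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module and an Exchange-extended schema, and the group name and output file are placeholders.

```powershell
# Added example (read-only): nothing here modifies the directory.
# Assumes the RSAT ActiveDirectory module and an Exchange-extended schema.
Import-Module ActiveDirectory

$GroupName  = 'Example-Group'                      # placeholder group name
$BackupPath = ".\${GroupName}-attributes.json"     # placeholder output file

# Attributes that Steps 2 and 3 tell you to record and then clear
$attrs = 'groupType', 'mail', 'proxyAddresses',
         'msExchRecipientTypeDetails', 'msExchRemoteRecipientType',
         'msExchRecipientDisplayType', 'msExchVersion'

$group = Get-ADGroup -Identity $GroupName -Properties $attrs

# Step 2: snapshot every value (unset attributes become empty arrays)
$snapshot = [ordered]@{
    DistinguishedName = $group.DistinguishedName
    ObjectGuid        = $group.ObjectGUID.ToString()
    CapturedUtc       = (Get-Date).ToUniversalTime().ToString('o')
}
foreach ($name in $attrs) {
    $snapshot[$name] = @($group.$name | Where-Object { $null -ne $_ })
}
$snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BackupPath -Encoding UTF8

# Step 4: groupType is a signed 32-bit value, so a tool that shows it in
# decimal prints 0x80000002 as -2147483646. Clearing the security bit
# (0x80000000) gives the value to enter for the distribution group.
$current    = [int]$group.groupType
$target     = $current -band 0x7FFFFFFF
$isSecurity = ($current -band 0x80000000) -ne 0

# Step 5: GroupCategory is what ADUC shows as "Group type"
[pscustomobject]@{
    Group          = $group.Name
    GroupCategory  = $group.GroupCategory
    SecurityBitSet = $isSecurity
    CurrentHex     = '0x{0:X8}' -f $current
    CurrentDecimal = $current
    TargetHex      = '0x{0:X8}' -f $target
    TargetDecimal  = $target
    BackupFile     = (Resolve-Path $BackupPath).Path
} | Format-List
```

Run it once before Step 3 to capture the backup, and again after Step 4 to confirm GroupCategory reads Distribution and SecurityBitSet is False.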

What to Check If It Still Fails

If you follow every step and the error keeps showing up, here's what to check:

  • Check if the group is protected by AD Recycle Bin. If the group was recently restored, some hidden attributes might be locked. Open PowerShell as admin and run Get-ADObject -Filter {Name -eq "GroupName"} -IncludeDeletedObjects. If it shows up, restore it properly first.
  • Check for lingering Exchange attributes. Look for msExchMailboxFolderSet, msExchPoliciesExcluded, or textEncodedORAddress. Delete any you find.
  • Replication delay. If you're in a multi-DC environment, the change might not have replicated. Force replication: open Active Directory Sites and Services, right-click the connection from your DC to the other, and choose "Replicate Now." Then try ADUC again.
  • Check group scope. Some scope changes require the group to be universal first. If you're switching from global to distribution, convert the scope to universal first (in ADUC), then change the type. If the scope change fails, that's a different error, but it'll block the type change.

This fix works. I've used it on hundreds of groups. The key is being thorough with the attribute cleanup—skip one and the error comes right back.
