Why can't we directly change a group from global scope to domain local or vice versa?
If we need to change the scope of a group from global to domain local or vice versa we first need to change it to Universal. What is the reason for this?
I suppose you cannot do it, because some checks should be done. For example, if a group's scope is Domain Local and it contains foreign security principals (i.e. accounts from an external AD forest), the conversion is not possible:
Another reason may be that the UI and APIs are rather old and Microsoft has decided not to add new functionality - who knows (:
UPDATE: I've tested changing a group's scope with PowerShell:
Get-ADGroup testgroup | Set-ADGroup -GroupScope Global
The result is similar:
Set-ADGroup : The request is not supported
So actually the check is performed by the domain controller, which returns error 50 (0x32) - ERROR_NOT_SUPPORTED.
That means to me that there is no such built-in functionality, because in most cases the conversion expects manual work, i.e. removing foreign principals etc.
You can still do it, given that the group doesn't yet have any conflicting membership. You can convert it to universal, then back to domain local.
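The two-hop conversion described in the last answer, with the membership checks the first answer alludes to done up front, as an added example that is not part of the question or either answer. It assumes the ActiveDirectory module, a single-domain forest (the cross-domain member check for Global is omitted), and a placeholder group name; the function name and its parameters are this example's own.

```powershell
# Added example, not taken from the question or either answer: change a
# group's scope in two hops through Universal, after checking for the
# memberships that would make either hop fail with ERROR_NOT_SUPPORTED.
# Assumes the ActiveDirectory module and a single-domain forest.
#Requires -Modules ActiveDirectory

function Convert-ADGroupScopeViaUniversal {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global', 'DomainLocal')] [string] $TargetScope
    )

    $group = Get-ADGroup -Identity $Identity -Properties member, memberOf
    if ($group.GroupScope -eq $TargetScope) {
        Write-Verbose "'$($group.Name)' is already $TargetScope; nothing to do."
        return
    }

    # Resolve each member DN to learn whether it is a foreign security principal
    # or a nested group (and, for groups, which scope that nested group has).
    $members = foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        if ($obj.ObjectClass -eq 'group') { Get-ADGroup -Identity $dn } else { $obj }
    }
    $fsps         = @($members | Where-Object ObjectClass -eq 'foreignSecurityPrincipal')
    $nestedGroups = @($members | Where-Object ObjectClass -eq 'group')

    $blockers = @()

    # Hop 1: <current scope> -> Universal
    if ($group.GroupScope -eq 'Global') {
        # A global group cannot become universal while it is a member of another global group.
        $globalParents = @($group.memberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
                           Where-Object GroupScope -eq 'Global')
        if ($globalParents) { $blockers += "member of global group(s): $($globalParents.Name -join ', ')" }
    }
    else {
        # Universal groups cannot hold domain local groups or principals from outside the forest.
        $dlMembers = @($nestedGroups | Where-Object GroupScope -eq 'DomainLocal')
        if ($dlMembers) { $blockers += "contains domain local group(s): $($dlMembers.Name -join ', ')" }
        if ($fsps)      { $blockers += "contains foreign security principal(s): $($fsps.Name -join ', ')" }
    }

    # Hop 2: Universal -> <target scope>
    if ($TargetScope -eq 'Global') {
        # A global group cannot contain universal groups (in a multi-domain forest it also
        # cannot contain members from other domains; that check is omitted here).
        $uMembers = @($nestedGroups | Where-Object GroupScope -eq 'Universal')
        if ($uMembers) { $blockers += "contains universal group(s): $($uMembers.Name -join ', ')" }
    }
    # Universal -> DomainLocal has no membership restrictions.

    if ($blockers) {
        throw ("Cannot convert '$($group.Name)' from $($group.GroupScope) to ${TargetScope}:`n - " +
               ($blockers -join "`n - "))
    }

    if ($PSCmdlet.ShouldProcess($group.Name, "convert $($group.GroupScope) -> Universal -> $TargetScope")) {
        Set-ADGroup -Identity $group -GroupScope Universal
        Set-ADGroup -Identity $group -GroupScope $TargetScope
        (Get-ADGroup -Identity $group).GroupScope
    }
}

# Usage ('testgroup' is a placeholder name): preview with -WhatIf, then apply.
Convert-ADGroupScopeViaUniversal -Identity 'testgroup' -TargetScope DomainLocal -WhatIf
Convert-ADGroupScopeViaUniversal -Identity 'testgroup' -TargetScope DomainLocal -Verbose
```

Running the pre-check first turns the domain controller's bare "The request is not supported" into a list of the exact members or parent groups that have to be cleaned up by hand, which is the manual work the first answer refers to; the second Set-ADGroup hop is only attempted once the first has succeeded.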