
Creating a Group

You may create groups in the Users container or in a new OU that you have created in the domain. To create a group, start Active Directory Users And Computers. Right-click the Users container or the OU in which you want to place the group, point to New, and then select Group. This displays the New Object-Group dialog box. Type a group name, and then select the Group Scope and Group Type. Click OK to create the group.

Windows Server 2008 has three group scopes and two group types you can select from. This allows you to create six different combinations of groups. You must be a member of the Account Operators, Domain Admins, or Enterprise Admins group to create new groups.

Note:
The built-in accounts for Active Directory in Windows Server 2008 are located in two places. The built-in domain local groups such as Administrators, Account Operators, and Backup Operators are located in the Builtin container. Built-in global groups such as Domain Admins and Enterprise Admins are located in the Users container.

Adding Members to Groups

The easiest way to add users to a group is to right-click the user in the details pane of Active Directory Users And Computers, and then select Add To A Group. The Select Groups dialog box appears and you can select the group of which the user is to become a member. You can also get to the same dialog box by right-clicking on the user name, selecting Properties, clicking the Member Of tab, and then clicking Add.

Note: To add multiple users to a group, select more than one user, using Shift+click or Ctrl+click, and follow the same steps.

If you want to add both users and groups as members of a group, you can do this by performing the following steps:

  1. Double-click the group entry in Active Directory Users And Computers. This opens the group's Properties dialog box.
  2. On the Members tab, click Add to add accounts to the group.
  3. Use the Select Users, Contacts, Computers, Or Groups dialog box to choose users, computers, and groups that should be members of the currently selected group. Click OK.
  4. Repeat steps 2 and 3 as necessary to add additional users, computers, and groups as members.
  5. Click OK.

Deleting a Group

Deleting a group is as simple as right-clicking the group name within Active Directory Users And Computers, and then selecting Delete. You should be very careful when deleting groups: although deleting a group does not delete the user accounts it contains, the permissions you may have assigned to the group are lost and cannot be recovered by merely re-creating the group with the same name.

CAUTION: Active Directory identifies each group internally by a unique SID that is allocated when the group is created, and permissions refer to that SID rather than to the group name. If you delete a group and then re-create it, the new group has a new SID, so the permissions assigned to the old group do not apply to it and must be assigned again.
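Because the permissions follow the SID and not the name, it helps to record a group's SID and where that SID is used before deleting the group. The following PowerShell is an added example, not part of the original text; the group name `EXAMPLE\Project-Readers`, the folder `D:\Shares\Project`, the output file name, and the function names are hypothetical placeholders.

```powershell
# Added example; the group name and folder path below are hypothetical.

# Resolve an account name (DOMAIN\Name) to its SID string.
function Get-AccountSid {
    param([Parameter(Mandatory = $true)][string]$Name)
    $account = New-Object System.Security.Principal.NTAccount($Name)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# List explicit (non-inherited) ACEs under $Path that name $Sid as trustee.
# The rules are requested as SIDs, so the match still works after the group
# has been deleted and the SID no longer resolves to a name.
function Find-AceForSid {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Sid
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items  = @(Get-Item -LiteralPath $Path -Force)
    $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Arguments: include explicit rules, exclude inherited rules, return SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            if ($ace.IdentityReference.Value -eq $Sid) {
                New-Object PSObject -Property @{
                    Path   = $item.FullName
                    Type   = $ace.AccessControlType
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# Before deleting the group: record its SID and export every place it is used.
$oldSid = Get-AccountSid 'EXAMPLE\Project-Readers'
"SID before deletion: $oldSid"
Find-AceForSid -Path 'D:\Shares\Project' -Sid $oldSid |
    Export-Csv -Path .\Project-Readers-aces.csv -NoTypeInformation

# If a group with the same name is created later, Get-AccountSid returns a
# different SID for it, and the exported entries still refer to $oldSid.
```

The exported list shows which permissions have to be assigned again to a replacement group. Running `Find-AceForSid` with the recorded SID after the deletion shows the entries that still reference the deleted group.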