Windows 7 / Security and Privacy

Modifying Groups

There are a number of modifications, property changes, and management procedures you may want to apply to groups. You can change the scope, the members, and other groups contained in the group; move a group; delegate management of a group; and send mail to a group.

Finding a Group

When you have a substantial number of groups, you can use the Find function to locate the one you need to manage. Just right-click the domain or OU, and then select Find. In the Find Users, Contacts, And Groups dialog box, you can specify what type of object to find, change the starting point, or structure a search query from the available tabs. After the query has run, many administrative or management functions can be performed on the objects returned in the results window.

Saved queries in Active Directory

In Active Directory Users And Computers, you can reuse and save queries. This allows you to find groups quickly and repeatedly when you want to manage and modify them. You can locate the Saved Queries folder in the default position at the top of the Active Directory Users And Computers console tree (left pane). You cannot save queries using the Find menu when you right-click a group. You can only save them using the Saved Query procedure that is found in the uppermost part of the tree in Active Directory Users And Computers and creating a new query.

Managing the Properties of Groups

When you double-click a group name in Active Directory Users And Computers, the Group Properties dialog box appears. You can configure the following six areas or functions:

  • General: You change the description or group e-mail address here. In addition, you may be able to change the type of group or the scope of the group. When in Windows Server 2003 or higher domain functional level, there are limitations on changing group scope.
  • Members: You can list, add, and remove group members.
  • Member: Of Lists the groups the current group is a member of. These can be domain local groups or universal groups from the local domain or universal groups from other domains in the current domain tree or forest.
  • Managed By: Add, clear, or modify the user account you want to make responsible for managing this group.
  • Object: View the canonical name of the group object. This tab is visible only in Advanced view. To access Advanced view, select Advanced Features from the View menu in Active Directory Users And Computers.
  • Security: Used to configure advanced permissions for users and groups that can access the group object in Active Directory. This tab is visible only in Advanced view.
Table-6 Group Scope Conversions in Windows Server 2003 or Higher Domain Functional Level 
Scope	     Can Be Converted	Can Be Converted    Can Be Converted
of Group     to Universal	to Global	    to Domain Local
Universal     NA 		Yes 		    Yes
Global        Yes		NA 		    No
Domain local  Yes 		No 		    NA

Modifying Other Group Settings

You can modify other group settings using Active Directory Users And Computers. You can perform the following tasks:

  • Move a group: To move a group, right-click it, and then select Move. The Move dialog box appears, allowing you to select the container to which you want to move the group. Alternatively, you can drag the group icon into a new container. You can also select multiple groups to move by using Windows keyboard shortcuts such as Ctrl, then selecting multiple groups, or using Shift and selecting the first and last group.
  • Rename a group: Right-click the group name, and then select Rename. Type the new group name, and then press Enter. Multiple group selection is disabled for this function.
  • Send mail to a group: Right-click the group name, and then select Send Mail. An error will occur if no e-mail address has been configured on the General tab of Group Properties. Otherwise, the default mail client will be used to open a new mail message addressed to the group, which you can complete and send.
Note:
Moving or renaming groups can alter the effective permissions of users and groups in unpredictable ways. With this in mind, you might want to check the effective permissions for member users and groups to ensure that the permissions are as expected.
[Previous] [Contents] [Next]

In this tutorial:

  1. Managing Users, Groups, and Computers
  2. Managing Domain User Accounts
  3. Configuring User Account Policies
  4. Enforcing Password Policy
  5. Configuring Account Lockout Policy
  6. Creating Password Settings Objects and Applying Secondary Settings
  7. Understanding User Account Capabilities, Privileges, and Rights
  8. Assigning User Rights
  9. Creating and Configuring Domain User Accounts
  10. Configuring Account Options
  11. Configuring Profile Options
  12. Troubleshooting User Accounts
  13. Implementing and Creating Preconfigured Profiles
  14. Configuring Local User Profiles
  15. Implementing Mandatory User Profiles
  16. Managing User Data
  17. Using Offline Files
  18. Configuring Offline Files on Clients
  19. Maintaining User Accounts
  20. Moving User Accounts
  21. Resetting a User's Domain Password
  22. Creating a User Account Password Backup
  23. Managing Groups
  24. Understanding the Scopes of Groups
  25. Creating a Group
  26. Creating group accounts at the command line
  27. Modifying Groups
  28. Managing Computer Accounts
  29. Moving a Computer Account
  30. Configuring Properties of Computer Accounts
  31. Troubleshooting Computer Accounts