Recipe 7.1 Creating a Group

7.1.1 Problem

You want to create a group.

7.1.2 Solution Using a graphical user interface
  1. Open the Active Directory Users and Computers (ADUC) snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name and click OK.

  3. In the left pane, browse to the parent container of the new group, right-click on it, and select New Group.

  4. Enter the name of the group and select the group scope (global, domain local, or universal) and group type (security or distribution).

  5. Click OK. Using a command-line interface

In the following example, <GroupDN> should be replaced with the DN of the group to create, <GroupScope> should be l, g, or u for domain local, global, and universal groups, respectively, and -secgroup should be set to yes if the group is a security group or no otherwise. Another recommended option is to set -desc for specifying a group description.

> dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>" Using VBScript
' The following code creates a global security group.
strGroupParentDN = "<GroupParentDN>"  ' e.g. ou=Groups,dc=rallencorp,dc=com
strGroupName     = "<GroupName>"      ' e.g. ExecAdminsSales
strGroupDescr    = "<GroupDesc>"      ' e.g. Executive Admins for Sales group
' ------ END CONFIGURATION ---------

' Constants taken from ADS_GROUP_TYPE_ENUM

set objOU = GetObject("LDAP://" & strGroupParentDN)
set objGroup = objDomain.Create("group","cn=" & strGroupName)
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP _
                         Or ADS_GROUP_TYPE_SECURITY_ENABLED
objOU.Put "description", strGroupDescr

7.1.3 Discussion

In each solution, a group was created with no members. For more information on how to add and remove members, see Recipe 7.4.

The groupType attribute contains a flag indicating both group scope and type. The available flag values are defined in the ADS_GROUP_TYPE_ENUM enumeration. Recipe 7.6 contains more information on setting the group scopes and types.

7.1.4 See Also

Recipe 7.4 for adding and removing group members, Recipe 7.6 for setting group scope and type, MS KB 231273 (Group Type and Scope Usage in Windows), MS KB 232241 (Group Management with ADSI in Windows 2000), MS KB 320054 (HOW TO: Manage Groups in Active Directory in Windows 2000), and MSDN: ADS_GROUP_TYPE_ENUM

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List