MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources]

Jill Spealman


Lesson 3: Creating Groups

After you assess user needs and have a group plan in place, you are ready to create your groups. To implement your group plan, you should be familiar with the guidelines for creating groups. This lesson shows you how to create groups, delete groups, add members to groups, and change the group type and scope.

After this lesson, you will be able to

Create and delete groups

Add members to groups

Change group type and scope

Estimated lesson time: 25 minutes

Creating and Deleting Groups

Use the Active Directory Users and Computers console to create and delete groups. When you create groups, create them in the Users container or in another container or an organizational unit (OU) that you have created specifically for groups. As your organization grows and changes, you may discover that there are groups that you no longer need. Be sure that you delete groups when you no longer need them. This will help you maintain security so that you do not accidentally assign permissions for accessing resources to groups that you no longer need.

To create a group

Click Start, point to Programs, point to Administrative Tools, then click Active Directory Users And Computers.

Click the domain, right-click the Users container, point to New, and click Group.

Complete the New Object-Group dialog box (shown in Figure 8.4) and click OK.

Table 8.4 describes the options in the New Object-Group dialog box in the Active Directory Users and Computers console.

Table 8.4 Options in the New Object-Group Dialog Box

Option | Description
Group Name | The name of the new group. The object name must be unique in the domain where you create the group.
Group Name (pre-Windows 2000) | The name of the group from prior versions of Windows, such as Microsoft Windows NT 4.0 or Microsoft Windows NT 3.51. This is filled in automatically for you based on the group name you type in.
Group Scope | The group scope. Click Domain Local, Global, or Universal.
Group Type | The type of group. Click Security or Distribution.

Figure 8.4 New Object-Group dialog box

Deleting a Group

Each group that you create has a unique, nonreusable identifier called the security identifier (SID). Windows 2000 uses the SID to identify the group and the permissions that are assigned to it. When you delete a group, Windows 2000 does not use the SID for that group again, even if you create a new group with the same name as the group that you deleted. Therefore, you cannot restore access to resources by recreating the group.

When you delete a group, you delete only the group and remove the permissions and rights that are associated with it. Deleting a group does not delete the user accounts that are members of the group.

NOTE You cannot delete a group if one of the group's members has the group set as his or her primary group.

To delete a group

Right-click the group, then click Delete.

Click Yes on the Active Directory message box.
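The same create-and-delete cycle as a script, added here as an example and not taken from the training kit. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates Windows 2000, and an OU named Groups created specifically for groups, as the guidelines above suggest; the group name is a placeholder. Before deleting, it applies the check from the note above (no member may have the group as its primary group), and it recreates the group afterwards to show that the new group receives a different SID, so permissions granted to the old SID are not restored.

```powershell
# Added example (not from the training kit): create, inspect, delete and recreate a group.
# Assumes the ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$groupsOu = "OU=Groups,$($domain.DistinguishedName)"   # assumed OU created for groups

# Scope and type map to the Group Scope and Group Type options in the dialog box
$g = New-ADGroup -Name 'ExampleGroup' -SamAccountName 'ExampleGroup' `
        -GroupScope Global -GroupCategory Security -Path $groupsOu -PassThru
"Created $($g.Name) with SID $($g.SID)"

function Remove-GroupSafely {
    param([Parameter(Mandatory)][string]$Identity)

    $group = Get-ADGroup -Identity $Identity -Properties objectSid
    # The RID is the last component of the SID. Users whose primaryGroupID equals it
    # have this group as their primary group, and the delete would fail for them.
    $rid = ($group.SID.Value -split '-')[-1]
    $primaryMembers = Get-ADUser -LDAPFilter "(primaryGroupID=$rid)"
    if ($primaryMembers) {
        Write-Warning ("Cannot delete {0}: it is the primary group of {1}" -f `
            $group.Name, ($primaryMembers.SamAccountName -join ', '))
        return $false
    }
    # Deletes the group and the permissions tied to its SID; member accounts are untouched
    Remove-ADGroup -Identity $group.DistinguishedName -Confirm:$false
    return $true
}

Remove-GroupSafely -Identity $g.DistinguishedName

# Recreating a group with the same name yields a new SID, so ACEs that referenced
# the old SID stay orphaned (they show as an unresolved SID in the ACL editor).
$g2 = New-ADGroup -Name 'ExampleGroup' -SamAccountName 'ExampleGroup' `
        -GroupScope Global -GroupCategory Security -Path $groupsOu -PassThru
"Recreated with SID $($g2.SID); same SID as before? $($g.SID -eq $g2.SID)"
```

The final line prints False: this is the reason the lesson tells you to delete only groups you really no longer need, and to clean up ACLs rather than expect a recreated group to pick up old permissions.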

Adding Members to a Group

After you create a group, you add members. Members of groups can include user accounts, contacts, other groups, and computers. You can add a computer to a group to give one computer access to a shared resource on another computer—for example, for remote backup. To add members, use the Active Directory Users and Computers console.

To add members to a group

Start the Active Directory Users and Computers console and expand Users.

Right-click the appropriate group, then click Properties.

In the Properties dialog box, click the Members tab, then click Add.

The Select Users, Contacts, Computers, Or Groups dialog box appears, as shown in Figure 8.5.

Figure 8.5 The Select Users, Contacts, Computers, Or Groups dialog box

In the Look In list you can select a domain from which to display user accounts and groups, or you can select Entire Directory to view user accounts and groups from anywhere in Active Directory. In the Name column, select an object that you want to add and click Add.

The accounts you have selected are listed in the box at the bottom of the Select Users, Contacts, Computers, Or Groups dialog box.

NOTE If there are multiple user accounts or groups that you want to add, you can repeat the process of selecting them one at a time and then click Add, or you can hold down the Shift or Ctrl key to select multiple user accounts or groups at a time. The Shift key allows you to select a consecutive range of accounts and the Ctrl key allows you to select specific accounts that you wish to add.

Review the accounts to make sure that they are the accounts you wish to add to the group and click OK to add the members.

On the Properties dialog box, click OK.

NOTE You can also add a user account or group by using the Member Of tab in the Properties dialog box for that user account or group. Use this method to quickly add the same user or group to multiple groups.

Changing the Group Type

As group functions change, you may need to change a group type. For example, suppose a distribution group contains members from multiple departments working on the same project for the purpose of sending e-mail. As the project progresses, it becomes necessary for the members to access a common database. By converting the distribution group to a security group and assigning permissions to the group, you can provide the project members with access to the common database. Group types may be changed only when Windows 2000 is operating in native mode.

To change group type

Right-click the group, then click Properties.

Change the group type in the General tab of the Properties dialog box for the group.

Changing the Group Scope to Universal

As your network changes, you may need to change a global or domain local group scope to universal. For example, you may want to change an existing domain local group to a universal group when you need to assign permissions to allow users to gain access to resources in other domains. Group scopes may be changed to universal only when Windows 2000 is operating in native mode.

The following group scopes can be changed:

A global group to a universal group, but only if the global group is not a member of another global group

A domain local group to a universal group, but only if the domain local group does not contain another domain local group

NOTE Windows 2000 does not allow changing the scope of a universal group because usage and membership rules for other groups are more restrictive.

To change the scope of a group

Right-click the group, then click Properties.

Change the group scope in the General tab of the Properties dialog box for the group.
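The conversion rules from the two preceding sections (type changes and scope changes require native mode; a global group cannot become universal while it belongs to another global group; a domain local group cannot become universal while it contains another domain local group; a universal group's scope cannot be changed) applied as checks before the change is made. This is an added example, not code from the training kit; it assumes the ActiveDirectory module, reads native mode from the domain object's nTMixedDomain attribute (1 = mixed, 0 = native), and uses a placeholder group name.

```powershell
# Added example (not from the training kit): check the lesson's rules, then change
# group type or scope. Assumes the ActiveDirectory module; group names are placeholders.
Import-Module ActiveDirectory

function Test-NativeMode {
    # nTMixedDomain on the domain object is 1 in mixed mode and 0 in native mode
    $dom = Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties nTMixedDomain
    return ($dom.nTMixedDomain -eq 0)
}

function Convert-ADGroupScopeToUniversal {
    param([Parameter(Mandatory)][string]$Identity)

    if (-not (Test-NativeMode)) { throw 'Scope changes to universal require native mode.' }
    $group = Get-ADGroup -Identity $Identity -Properties MemberOf

    switch ([string]$group.GroupScope) {
        'Universal' { throw "$($group.Name) is already universal; universal scope cannot be changed." }
        'Global' {
            # A global group may not become universal while it is a member of another global group
            $parentGlobals = $group.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
                             Where-Object GroupScope -eq 'Global'
            if ($parentGlobals) {
                throw "Remove $($group.Name) from global group(s) $($parentGlobals.Name -join ', ') first."
            }
        }
        'DomainLocal' {
            # A domain local group may not become universal while it contains another domain local group
            $nestedLocals = Get-ADGroupMember -Identity $group.DistinguishedName |
                            Where-Object objectClass -eq 'group' |
                            ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
                            Where-Object GroupScope -eq 'DomainLocal'
            if ($nestedLocals) {
                throw "Remove nested domain local group(s) $($nestedLocals.Name -join ', ') first."
            }
        }
    }
    Set-ADGroup -Identity $group.DistinguishedName -GroupScope Universal
    Get-ADGroup -Identity $group.DistinguishedName | Select-Object Name, GroupScope
}

function Convert-ADGroupToSecurity {
    param([Parameter(Mandatory)][string]$Identity)
    if (-not (Test-NativeMode)) { throw 'Type changes require native mode.' }
    # Distribution -> Security: the group can now be granted permissions (the project-database case)
    Set-ADGroup -Identity $Identity -GroupCategory Security
    Get-ADGroup -Identity $Identity | Select-Object Name, GroupCategory
}

Convert-ADGroupToSecurity       -Identity 'ProjectTeam'   # placeholder distribution group
Convert-ADGroupScopeToUniversal -Identity 'ProjectTeam'
```

The directory enforces the same rules and rejects a disallowed change, but checking first gives an actionable message (which group to leave or remove) instead of a generic constraint violation, and keeps a bulk conversion script from stopping halfway through.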

Creating Local Groups

Use the Local Users and Groups snap-in within the Computer Management console to create local groups. You create local groups in the Groups folder.

To create a local group

Click Start, point to Programs, point to Administrative Tools, and then click Computer Management. For Windows 2000 Professional, click Start, point to Settings, and open the Control Panel.

Expand the Local Users and Groups snap-in, right-click Groups, and select New Group.

Complete the New Group dialog box (shown in Figure 8.6), then click OK.

Figure 8.6 New Group dialog box

Table 8.5 describes the options presented in the New Group dialog box in the Local Users and Groups snap-in.

Table 8.5 Options in the New Group Dialog Box

Option | Description
Group Name | A unique name for the local group. This is the only required entry. Use any character except for the backslash (\). The name can contain up to 256 characters; however, very long names may not display in some windows.
Description | A description of the group.
Members | Members of the local group.
Add | Adds a user or global group to the list of members.
Remove | Removes a user or global group from the list of members.
Create | Creates the group.

You can add members to a local group when you create the group or after you create the local group.

To delete a local group

Right-click the group, then click Delete.

Click Yes on the Local Users and Groups message box.

To add members to a local group

Expand the Local Users and Groups snap-in, then expand Groups.

Right-click the appropriate group, then click Properties.

In the Properties dialog box, click Add.

The Select Users Or Groups dialog box appears, as shown in Figure 8.7.

Figure 8.7 The Select Users Or Groups dialog box

The Look In list shows the computer for which you are creating a group.

Select the user account that you want to add, then click Add.

Review the accounts to make sure that they are the accounts you wish to add to the group, then click OK to add the members.

On the Properties dialog box, click OK.
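The local-group procedures above as a script, added here as an example and not taken from the training kit. It validates the group name against the rules in Table 8.5 (no backslash, at most 256 characters) before creating the group, adds members either at creation time or afterwards, and deletes the group at the end. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 and Windows Server 2016 or later) run from an elevated prompt; on Windows 2000 the equivalent tool is the `net localgroup` command. The user, domain and group names are constructed placeholders.

```powershell
# Added example (not from the training kit): create a local group with Table 8.5's
# name rules checked first. Assumes Microsoft.PowerShell.LocalAccounts; names are placeholders.

function Test-LocalGroupName {
    param([Parameter(Mandatory)][string]$Name)
    # Table 8.5: any character except the backslash, up to 256 characters
    if ($Name -match '\\')            { return $false }
    if ($Name.Length -gt 256)         { return $false }
    if ($Name.Trim().Length -eq 0)    { return $false }
    return $true
}

function New-ValidatedLocalGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Description = '',
        [string[]]$Members = @()   # local users, or domain users / global groups as DOMAIN\name
    )
    if (-not (Test-LocalGroupName -Name $Name)) { throw "Invalid local group name: '$Name'" }

    if (Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Local group '$Name' already exists; reusing it."
    } else {
        New-LocalGroup -Name $Name -Description $Description | Out-Null
    }
    # Members can be added when the group is created or at any time afterwards
    if ($Members.Count -gt 0) {
        Add-LocalGroupMember -Group $Name -Member $Members
    }
    # Equivalent of the Members list in the Properties dialog box
    Get-LocalGroupMember -Group $Name | Select-Object Name, ObjectClass, PrincipalSource
}

# Constructed sample names; CONTOSO\Sales stands for a global group from the domain
New-ValidatedLocalGroup -Name 'ReportReaders' -Description 'Read access to the local report share' `
                        -Members @('LocalUser1', 'CONTOSO\Sales')

# Deleting a local group removes the group and its permissions only, not the member accounts
Remove-LocalGroup -Name 'ReportReaders'
```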

Practice: Creating Groups

In this practice you create a global security group. You then add members to the group. To add members to the group, you add two user accounts, User1 and User5, which you created previously. Next you create a domain local security group that you use to assign permissions to gain access to the sales reports. Finally, you provide access to the sales reports for the members of the security global group by adding the global group to the domain local group.

Exercise 1: Creating a Global Group and Adding Members

In this exercise you create a global security group and add members to the group.

To create a global group in a domain

Log on to your domain as Administrator.

Click Start, point to Programs, point to Administrative Tools, then click Active Directory Users And Computers.

Expand your domain and double-click Users.

In the details pane, Active Directory Users and Computers displays a list of current user accounts and built-in global groups.

Right-click the Users container, point to New, then click Group.

The New Object-Group dialog box appears. Notice the different group scopes and types that are available. You use global security groups to group user accounts.

Type Sales in the Group Name box.

Select Global under Group Scope and select Security under Group Type.

Click OK.

Windows 2000 creates the group and adds it to the Users container.

To add members to a global group

In the details pane of Active Directory Users and Computers, double-click Sales.

The Sales Properties dialog box displays the properties of the group.

To view the members of the group, click the Members tab.

The Sales Properties dialog box displays a list of group members. This list is currently empty.

To add a member to a group, click Add.

In the Select Users, Contacts, Computers, Or Groups dialog box, in the Look In list, ensure that your domain is selected.

In the list, select User One, then click Add.

In the list, select User Five, then click Add.

Click OK.

User One and User Five are now members of the Sales security global group.

Click OK to close the Sales Properties dialog box.

Exercise 2: Creating a Domain Local Group and Adding Members

In this exercise you create a domain local group that you use to assign permissions to gain access to sales reports. Because you use the group to assign permissions, you make it a domain local group. You then add members to the group by adding the security global group you created in Exercise 1.

To create a domain local group in a domain

Make sure that Active Directory Users and Computers is open with the Users container selected in the console tree.

Right-click the Users container, point to New, then click Group.

The New Object-Group dialog box appears.

In the Group Name box, type Reports.

Select Domain Local under Group Scope and select Security under Group Type.

Click OK.

Windows 2000 creates the domain local group and adds it to the Users container.

To add members to a domain local group

In the details pane of Active Directory Users and Computers, double-click Reports.

The Reports Properties dialog box displays the properties of the Reports group.

To view the members of the group, click the Members tab.

The Reports Properties dialog box displays a list of group members. This list is currently empty.

To add a member to the group, click Add.

In the Select Users, Contacts, Computers, Or Groups dialog box, in the Look In list, select Entire Directory.

The Select Users, Contacts, Computers, Or Groups dialog box displays available objects that can be part of the group and shows the location of each object as domain/Users.

Above the list of user accounts, groups, and computers, click Name.

Active Directory Users and Computers sorts all entries in the list alphabetically by name.

Click the Sales group, click Add, then click OK.

The Sales global group is now a member of the Reports domain local group.

Click OK to close the Reports Properties dialog box.
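Exercises 1 and 2, together with the membership operations from the earlier section "Adding Members to a Group" (adding users, computers and groups, and the Member Of route for putting one principal into several groups at once), as a single script. This is an added example rather than code from the training kit; it assumes the ActiveDirectory PowerShell module, that User1 and User5 exist as in the practice, and uses the placeholder names ProjectTeam, AllStaff and FILESRV01 for objects the practice does not create.

```powershell
# Added example (not from the training kit): the practice as a script. Accounts go into a
# global group, the global group goes into a domain local group, and permissions are
# assigned to the domain local group. Assumes the ActiveDirectory module; ProjectTeam,
# AllStaff and FILESRV01 are placeholders that must exist in the lab domain.
Import-Module ActiveDirectory

$domain         = Get-ADDomain
$usersContainer = $domain.UsersContainer     # CN=Users,DC=...

# Exercise 1: a global security group to hold the user accounts
$sales = New-ADGroup -Name 'Sales' -SamAccountName 'Sales' -GroupScope Global `
             -GroupCategory Security -Path $usersContainer -PassThru
Add-ADGroupMember -Identity $sales -Members 'User1', 'User5'

# Exercise 2: a domain local security group that receives the permissions
$reports = New-ADGroup -Name 'Reports' -SamAccountName 'Reports' -GroupScope DomainLocal `
               -GroupCategory Security -Path $usersContainer -PassThru
Add-ADGroupMember -Identity $reports -Members $sales      # nest the global group

# A computer account can be a member too (the remote-backup case from the lesson)
Add-ADGroupMember -Identity 'ProjectTeam' -Members (Get-ADComputer -Identity 'FILESRV01')

# The Member Of route from the note in "Adding Members to a Group":
# one principal into several groups in a single call
Add-ADPrincipalGroupMembership -Identity 'User5' -MemberOf 'ProjectTeam', 'AllStaff'

function Get-EffectiveMembers {
    # The Members tab shows direct members only; -Recursive expands nested groups,
    # which is what a permission review actually needs.
    param([Parameter(Mandatory)][string]$Identity)
    Get-ADGroupMember -Identity $Identity -Recursive |
        Select-Object Name, objectClass, distinguishedName
}

Get-ADGroupMember   -Identity 'Reports'   # lists Sales (a group), as the practice shows
Get-EffectiveMembers -Identity 'Reports'  # lists User1 and User5, reached through Sales
```

When reviewing who can reach the sales reports, use the recursive listing: the Members tab of Reports shows only the Sales group, and the users behind it are visible only by expanding the nesting.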

Lesson Summary

In this lesson you learned some important guidelines for creating groups. First you should determine the required group scope based on how you want to use the group. Then you should determine if you have the necessary permissions to create a group in the appropriate domain. By default, in a domain, members of the Administrators group or the Account Operators group have the necessary permissions to create groups. An administrator can give a user the permission to create groups in the domain or in a single container or OU.

You also learned that you use the Active Directory Users and Computers console to create, delete, add members to, and change the group scope and type for global, domain local, and universal groups. You use the Local Users and Groups snap-in in the Computer Management console to create, delete, and add members to local groups.

In the practice portion of this lesson, you created a global security group and added members to it. You then created a domain local security group and added members by adding the global security group you created.