JSI Tip 5632. How do I manage groups in Windows 2000 Active Directory?

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q320054 contains:

SUMMARY

This article explains how to manage groups in Active Directory.

About Groups

Groups are Active Directory or local computer objects that can contain users, contacts, computers, and other groups.

You can use groups to:
  • Manage user and computer access to shared resources such as Active Directory objects and their properties, network shares, files, directories, and printer queues.
  • Filter Group Policy settings.
  • Create e-mail distribution lists.
The default groups that are put in the Builtin folder for Active Directory Users and Computers are:

  • Account Operators
  • Administrators
  • Backup Operators
  • Guests
  • Print Operators
  • Replicator
  • Server Operators
  • Users
The predefined groups that are put in the Users folder for Active Directory Users and Computers are:
  • Cert Publishers
  • Domain Admins
  • Domain Computers
  • Domain Controllers
  • Domain Guests
  • Domain Users
  • Enterprise Admins
  • Group Policy Admins
  • Schema Admins
Unlike groups, organizational units are used to create collections of objects in a single domain, but do not confer membership. Organizational units are logical containers into which you can put users, groups, computers, and other organizational units. An organizational unit can contain objects only from its parent domain. An organizational unit is the smallest scope to which you can apply a Group Policy or delegate authority. The administration of an organizational unit and the objects it contains can be delegated to an individual administrator or a group.

Group Policy objects can be applied to sites, domains or organizational units, but never to groups. A Group Policy object is a collection of settings that affects users or computers. Group membership is used to filter which Group Policy objects will affect the users and computers in the site, domain, or organizational unit.

For more information about Group Policy, see the "Understanding Group Policy" topic in Windows 2000 Help.

For more information about groups and how to use them, see the "Understanding Groups" topic in Windows 2000 Help.

Manage Groups

Add a Group

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, double-click the domain node.
  3. Right-click the folder in which you want to add the group, point to New, and then click Group.
  4. Type the name of the new group.

    By default, the name that you type is also entered as the pre-Windows 2000 name of the new group.
  5. Click the Group scope that you want.
  6. Click the Group type that you want.
NOTE: If the domain in which you are creating the group is in mixed mode, you can select only security groups with Domain local or Global scopes.

Add a member to a group

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, double-click the domain node.
  3. Click the folder that contains the group to which you want to add a member.
  4. In the Details pane, right-click the group, and then click Properties.
  5. Click the Members tab, and then click Add.
  6. Click Look in to display a list of domains from which users and computers can be added to the group, and then click the domain containing the users and computers that you want to add.
  7. Click the users and computers to be added, and then click Add.
NOTE: Membership in a particular group can include users and computers. Additionally, membership in a particular group can include contacts and other groups.

Convert a Group to Another Group Type

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, double-click the domain node.
  3. Click the folder that contains the group.
  4. In the Details pane, right-click the group, and then click Properties.
  5. Click the General tab, and then under Group type, click the group type.

Change Group Scope

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, double-click the domain node.
  3. Click the folder that contains the group.
  4. In the Details pane, right-click the group, and then click Properties.
  5. Click the General tab, and then click the group scope under Group scope.

Delete a Group

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, double-click the domain node.
  3. Click the folder that contains the group.
  4. In the Details pane, right-click the group, and then click Delete.
NOTE: By default, local groups provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder. By default, common global groups, such as Domain Admins and Domain Users, are located in the Users folder. New groups can be added or moved to any folder. Microsoft recommends that you locate new groups in an organizational unit folder.

Find a Group

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click the domain node, and then click Find.
  3. Click the Users, Contacts, and Groups tab. In the Name box, type the name of the group that you want to find.
  4. Click Find Now.
NOTES:
  • By default, local groups that are provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder. By default, common global groups, such as Domain Admins and Domain Users, are located in the Users folder. New groups can be added or moved to any folder; it is recommended that they be located in an organizational unit folder.
  • Use the Advanced tab for more powerful search options.

Find Groups in Which a User Is a Member

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Users under the domain node, or click the folder that contains the user account.
  3. In the details pane, right-click a user account, and then click Properties.
  4. Click the Member Of tab.
NOTE: By default, local groups that are provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder. By default, common global groups, such as Domain Admins and Domain Users, are located in the Users folder. New groups can be added or moved to any folder. Microsoft recommends that you locate new groups in an organizational unit folder.
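
The Member Of tab lists only the groups that contain the account directly; because groups can contain other groups, effective membership can be wider. The following added example (not part of the Knowledge Base article) resolves nested membership over a constructed membership table and reports the chain that places an account in a privileged group. The custom group and account names, and the choice of which groups count as privileged, are assumptions of the example.

```python
from collections import deque

# Groups from this page's lists treated as privileged (an assumption of this example).
PRIVILEGED = {"Administrators", "Account Operators", "Backup Operators",
              "Print Operators", "Server Operators", "Domain Admins",
              "Enterprise Admins", "Schema Admins"}

# Constructed sample: group -> direct members, as each group's Members tab would list them.
# "Tier0 Ops", "Helpdesk Leads", "Helpdesk" and the accounts are hypothetical names.
MEMBERS = {
    "Domain Admins": ["Administrator", "Tier0 Ops"],
    "Tier0 Ops": ["Helpdesk Leads"],
    "Helpdesk Leads": ["jsmith", "Helpdesk"],
    "Helpdesk": ["Helpdesk Leads", "mlee"],        # circular nesting
    "Backup Operators": ["svc-backup"],
    "Administrators": ["Domain Admins", "Enterprise Admins"],
    "Enterprise Admins": ["Administrator"],
    "Domain Users": ["jsmith", "mlee", "svc-backup", "Administrator"],
}

def direct_groups(principal, members=MEMBERS):
    """Groups that list the principal as a direct member."""
    return sorted(g for g, direct in members.items() if principal in direct)

def effective_groups(principal, members=MEMBERS):
    """Map every group reached through nesting to the shortest chain that grants it."""
    parents = {}
    for group, direct in members.items():
        for member in direct:
            parents.setdefault(member, []).append(group)
    paths, queue = {}, deque([[principal]])
    while queue:
        path = queue.popleft()
        for group in parents.get(path[-1], []):
            if group not in paths:                 # visited check also ends cycles
                paths[group] = path + [group]
                queue.append(paths[group])
    return paths

def privileged_paths(principal, members=MEMBERS):
    """Effective memberships that land in a privileged group, with the chain."""
    found = effective_groups(principal, members)
    return {g: chain for g, chain in found.items() if g in PRIVILEGED}

if __name__ == "__main__":
    for account in ("jsmith", "mlee", "svc-backup"):
        print(account, "direct:", direct_groups(account))
        for group, chain in privileged_paths(account).items():
            print("  privileged:", group, "via", " -> ".join(chain))
```

In the sample, jsmith is a direct member of only Domain Users and Helpdesk Leads, yet the nesting chain makes the account an effective member of Domain Admins and Administrators.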

Modify Group Properties

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, double-click the domain node.
  3. Click the folder that contains the group.
  4. In the Details pane, right-click the group, and then click Properties.

Remove a Member from a Group

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, double-click the domain node.
  3. Click the folder that contains the group.
  4. In the Details pane, right-click the group, and then click Properties.
  5. Click the Members tab.
  6. Click the members whom you want to delete, and then click Remove.
NOTE: Local groups provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder by default. Common global groups, such as Domain Admins and Domain Users, are located in the Users folder by default. New groups can be added or moved to any folder; it is recommended that they be located in an organizational unit folder.

Rename a Group

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, double-click the domain node.
  3. Click the folder in which the group is located.
  4. In the Details pane, right-click the group, and then click Rename.
  5. Type the new group name.
NOTE: Local groups provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder by default. Common global groups, such as Domain Admins and Domain Users, are located in the Users folder by default. New groups can be added or moved to any folder. Microsoft recommends that you locate new groups in an organizational unit folder.
