Recipe 15.10. Creating a Group Account

Problem

You want to create a group account.

Solution

Using a graphical user interface

The following creates a local group:

1. Open the Computer Management snap-in (compmgmt.msc).

2. In the left pane, expand Local Users and Groups.

3. Right-click Groups and select New Group.

4. Enter a group name and description. Then click the Add button to populate the group with members.

5. Click the Create button to create the group.

The following creates a domain group:

1. Open the Active Directory Users and Computers snap-in (dsa.msc).

2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

3. In the left pane, browse to the parent container of the new group, right-click on it, and select New Group.

4. Click OK.

Using a command-line interface

The lg tool from Joeware.net can be used to create local groups. Here is the generic syntax:

> lg <GroupName> -addgroup

You can set the comment for the group when you create it. Here is an example:

> lg TestGroup -addgroup -setcomment "This is a test"

To create a local group on a remote machine, prefix the group name with the target computer. For example:

> lg \\winxp1\TestGroup -addgroup -setcomment "This is a test"

You can use the dsadd command to create a group in Active Directory. <GroupDN> should be replaced with the distinguished name of the group account to create, <GroupScope> should be l, g, or u for domain local group, global group, or universal group, respectively, and -secgroup should be set to yes if the group is a security group or no otherwise. Another recommended option to set is -desc to specify a description of the group.

> dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"

Here is an example:

> dsadd group "cn=mygroup,cn=users,dc=rallencorp,dc=com" -scope g -secgrp yes  -desc "A test group"

Using VBScript

' This code creates a local group on a computer. strGroupName  = "<GroupName>"  ' e.g. ExecAdminsSales strGroupDescr = "<GroupDesc>"  ' e.g. Executive Admins for Sales group strComputer = "<ComputerName>" ' e.g. winxp01 set objSystem = GetObject("WinNT://" & strComputer) set objGrp = objSystem.Create("group", strGroupName) objGrp.Description = strGroupDescr objGrp.SetInfo WScript.Echo objGrp.Name & " created successfully" ' This code creates a global security group in Active Directory. ' ------ SCRIPT CONFIGURATION ------ strGroupParentDN = "<GroupParentDN>"  ' e.g. ou=Groups,dc=rallencorp,dc=com strGroupName     = "<GroupName>"      ' e.g. ExecAdminsSales strGroupDescr    = "<GroupDesc>"      ' e.g. Executive Admins for Sales group ' ------ END CONFIGURATION --------- ' Constants taken from ADS_GROUP_TYPE_ENUM Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4 Const ADS_GROUP_TYPE_GLOBAL_GROUP       = 2 Const ADS_GROUP_TYPE_LOCAL_GROUP        = 4 Const ADS_GROUP_TYPE_SECURITY_ENABLED   = -2147483648 Const ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8 set objOU = GetObject("LDAP://" & strGroupParentDN) set objGroup = objDomain.Create("group","cn=" & strGroupName) objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP _                          Or ADS_GROUP_TYPE_SECURITY_ENABLED objGroup.Put "description", strGroupDescr objGroup.SetInfo

Discussion

In each solution, a group was created with no members. For more information on how to add and remove group members, see Recipe 15.13.

See Also

MS KB 231273 (Group Type and Scope Usage in Windows), MS KB 232241 (Group Management with ADSI in Windows 2000), MS KB 320054 (HOW TO: Manage Groups in Active Directory in Windows 2000), and MSDN: ADS_GROUP_TYPE_ENUM