Groups Tasks
We'll consider separately tasks for administering groups in domain and workgroup environments.
Domain local groups, global groups, and universal groups are administered using the Active Directory Users and Computers console. After opening this console, expand the console tree and select the OU in which the group is located or where it will be created. Then proceed with the steps described in the following sections.
Right-click on group → Properties → Members → Add → select domain → select members → Add
When adding members, you can select multiple user accounts by the usual methods (e.g., Shift-click or Ctrl-click). You can also drag and drop.
Right-click on OU → New → Group → specify group name → specify type and scope
Group names must be unique within the domain in which the group resides. By default, the group name you specify also becomes the Pre-Windows 2000 or downlevel group name, though the two can be different if you desire. Downlevel group names are used in a mixed-mode environment to provide compatibility with NT and earlier computers.
To create groups in a given domain, you must be a member of either the Administrators or the Account Operators built-in groups for that domain. When creating a group, either of the two group types may be combined with any of the three group scopes to give a total of six possible kinds of groups you can create. Note, however, that you can't create universal groups unless the domain functional level for your domain is Windows 2000 native or Windows Server 2003.
Right-click on group → Delete
Deleting a group doesn't delete the members of the group.
If you have a large number of groups, you can use the Find function of Active Directory Users and Computers to find the group you want to work with. You can find groups in a particular domain or OU by:
Right-click on domain or OU → Find
You can also change the focus of the Find Users, Contacts, and Groups box to search the entire directory. To find all the groups of which a particular user is a member, do the following:
Right-click on user account → Properties → Member Of
Right-click on group → Properties
This opens a properties sheet with the following tabs.
Lets you change the type and scope of the group. You can always change the type of a group from security to distribution and vice versa, but there are restrictions on which scope conversions you can perform (see Table 4-20).
Scope of group | Can be converted to domain local | Can be converted to global | Can be converted to universal
---|---|---|---
Domain local | No | No | Yes
Global | No | No | Yes
Universal | Yes | Yes | No
Lists the user accounts that belong to the group and lets you add new members or remove existing ones.
Lists other groups of which this group itself is a member. This can be domain local groups and universal groups from the local domain or universal groups from other domains in the current domain tree or forest.
Lets you specify the user account or contact that is responsible for managing the selected group. If you select an existing user account or contact, the personal information for that user is automatically imported into the fields on this sheet.
Right-click on group → Move → select destination OU
Right-click on group → Rename → specify new name
Right-click on group → Send mail
This opens Outlook Express as your default mail client, unless you have other software installed, such as Office 2000. Make sure you configure your mail client before using this feature, or you will be prompted to do so the first time you try to send mail to a group.
Local groups are managed using the Local Users and Groups node under System Tools in Computer Management. This snap-in is available only on member servers running WS2003 and client computers running XP. You can also create a console containing this snap-in as follows:
Start → Run → mmc → Add/Remove Snap-in → Add → select Local Users and Groups → Add → select Local Computer to install the snap-in
Now proceed as follows.
Right-click on Groups container → New Group → specify group name → Add → select members → Add → Create
The New Group box stays open after you click Create, enabling you to continue creating more local groups. You can create a group without any members and then add members later if you prefer.
Right-click on group → Add to Group → Add → select members → Add
Right-click on group → Delete
Deleting a group doesn't delete the members of the group. If you have various permissions assigned to a group and you delete the group, you can't regain those permissions simply by creating a new group with the same name as the old group. This is because groups are internally represented within the local security database by a unique SID assigned when the group is created. When you create a new group with the same name as the deleted group, the new group will have a different SID, so the group's permissions must be assigned again from scratch.
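The SID behavior described above can be observed directly. The following is an added example, not part of the original text: it grants a local group access to a directory, deletes and re-creates the group under the same name, and then reads the directory's ACL as raw SIDs to show which SID the permission entry still names. It assumes an elevated Windows PowerShell 5.1 or later session with the Microsoft.PowerShell.LocalAccounts cmdlets (newer than the WS2003 and XP systems covered here); the group name `DemoSidGroup` and the directory are constructed for the demonstration.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes Windows PowerShell 5.1+ (LocalAccounts cmdlets).
# The group name and directory are constructed for this demonstration.
$name = 'DemoSidGroup'
$dir  = Join-Path $env:TEMP 'DemoSidGroupDir'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Create the group and grant it Modify on the directory, keyed by its SID.
$old  = New-LocalGroup -Name $name -Description 'Constructed demo group'
$acl  = Get-Acl -Path $dir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $old.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

# 2. Delete the group, then create a new group with the same name.
Remove-LocalGroup -Name $name
$new = New-LocalGroup -Name $name -Description 'Constructed demo group (re-created)'

# 3. Read the explicit ACEs as SIDs (no name translation) and count
#    how many refer to the old group and how many to the new one.
$sidType = [System.Security.Principal.SecurityIdentifier]
$aces    = (Get-Acl -Path $dir).GetAccessRules($true, $false, $sidType)
$forOld  = @($aces | Where-Object { $_.IdentityReference.Value -eq $old.SID.Value })
$forNew  = @($aces | Where-Object { $_.IdentityReference.Value -eq $new.SID.Value })

[pscustomobject]@{
    GroupName     = $name
    OldSid        = $old.SID.Value
    NewSid        = $new.SID.Value
    SameSid       = ($old.SID.Value -eq $new.SID.Value)
    AcesForOldSid = $forOld.Count
    AcesForNewSid = $forNew.Count
} | Format-List

# 4. Clean up the demo group and directory.
Remove-LocalGroup -Name $name
Remove-Item -Path $dir -Recurse -Force
```

The entry left on the directory still names the deleted group's SID, which no account now holds, so the re-created group has no access until the permission is assigned again.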
Right-click on group → Rename