Recipe 16.12. Creating a Group AccountProblemYou want to create a group account. SolutionUsing a graphical user interface
Using a command-line interfaceIn the following command, <GroupDN> should be replaced with the distinguished name of the group account to create; <GroupScope> should be l, g, or u for domain local group, global group, or universal group, respectively; and -secgroup should be set to yes if the group is a security group or no otherwise. Another recommended option to set is -desc to specify a description of the group. > dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>" Here is an example: > dsadd group "cn=mygroup,cn=users,dc=rallencorp,dc=com" -scope g -secgrp yes -desc "A test group" Using VBScript' The following code creates a global security group. ' ------ SCRIPT CONFIGURATION ------ strGroupParentDN = "<GroupParentDN>" ' e.g., ou=Groups,dc=rallencorp,dc=com strGroupName = "<GroupName>" ' e.g., ExecAdminsSales strGroupDescr = "<GroupDesc>" ' e.g., Executive Admins for Sales group ' ------ END CONFIGURATION --------- ' Constants taken from ADS_GROUP_TYPE_ENUM Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 1 Const ADS_GROUP_TYPE_GLOBAL_GROUP = 2 Const ADS_GROUP_TYPE_LOCAL_GROUP = 4 Const ADS_GROUP_TYPE_SECURITY_ENABLED = -2147483648 Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = 8 set objOU = GetObject("LDAP://" & strGroupParentDN) set objGroup = objDomain.Create("group","cn=" & strGroupName) objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP _ Or ADS_GROUP_TYPE_SECURITY_ENABLED objGroup.Put "description", strGroupDescr objGroup.SetInfo DiscussionIn each solution, a group was created in an Active Directory domain with no members. (For more information on how to add and remove members, see Recipe 16.15.) The groupType attribute contains a flag indicating both group scope and type. The available flag values are defined in the ADS_GROUP_TYPE_ENUM enumeration. Recipe 16.16 contains more information on setting the group scope and type. See AlsoMS KB 231273 (Group Type and Scope Usage in Windows), MS KB 232241 (Group Management with ADSI in Windows 2000), MS KB 320054 (HOW TO: Manage Groups in Active Directory in Windows 2000), and MSDN: ADS_GROUP_TYPE_ENUM |