Recipe 16.12. Creating a Group Account

Problem

You want to create a group account.

Solution

Using a graphical user interface

  1. From the Administrative Tools, open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, browse to the parent container of the new group, right-click on it, and select New

    Enter the name of the group and select the group scope (global, domain local, or universal) and group type (security or distribution).

  4. Click OK.

Using a command-line interface

In the following command, <GroupDN> should be replaced with the distinguished name of the group account to create; <GroupScope> should be l, g, or u for domain local group, global group, or universal group, respectively; and -secgrp should be set to yes if the group is a security group or no otherwise. Another recommended option to set is -desc to specify a description of the group.

> dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"

Here is an example:

> dsadd group "cn=mygroup,cn=users,dc=rallencorp,dc=com" -scope g -secgrp yes -desc "A test group"

Using VBScript
' The following code creates a global security group.
' ------ SCRIPT CONFIGURATION ------
strGroupParentDN = "<GroupParentDN>"  ' e.g., ou=Groups,dc=rallencorp,dc=com
strGroupName     = "<GroupName>"      ' e.g., ExecAdminsSales
strGroupDescr    = "<GroupDesc>"      ' e.g., Executive Admins for Sales group
' ------ END CONFIGURATION ---------

' Constants taken from ADS_GROUP_TYPE_ENUM
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4
Const ADS_GROUP_TYPE_GLOBAL_GROUP       = 2
Const ADS_GROUP_TYPE_LOCAL_GROUP        = 4
Const ADS_GROUP_TYPE_SECURITY_ENABLED   = -2147483648
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8

' Bind to the parent container and create the group object inside it
set objOU = GetObject("LDAP://" & strGroupParentDN)
set objGroup = objOU.Create("group","cn=" & strGroupName)
' groupType combines the scope flag with the security-enabled flag
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP _
                         Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.Put "description", strGroupDescr
' Commit the new object to the directory
objGroup.SetInfo

Discussion

In each solution, a group with no members was created in an Active Directory domain. (For more information on how to add and remove members, see Recipe 16.15.) The groupType attribute holds a set of flags that indicate both the group scope and the group type. The available flag values are defined in the ADS_GROUP_TYPE_ENUM enumeration. Recipe 16.16 contains more information on setting the group scope and type.
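
The flag arithmetic described above, as an added example in Python (not code from the book): it builds the groupType value that the VBScript solution writes and decodes values read back from the directory, which appear as signed 32-bit integers. The function names and the sample values are constructed for illustration; the flag values are those of ADS_GROUP_TYPE_ENUM.

```python
# Added example: compose and decode Active Directory groupType values.
# Flag values are from ADS_GROUP_TYPE_ENUM; function names are hypothetical.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8
SECURITY_ENABLED = 0x80000000
SCOPES = {GLOBAL: "global", DOMAIN_LOCAL: "domain local", UNIVERSAL: "universal"}
DSADD_SCOPE = {"g": GLOBAL, "l": DOMAIN_LOCAL, "u": UNIVERSAL}


def to_signed32(value):
    """LDAP and ADSI expose groupType as a signed 32-bit integer."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def make_group_type(scope, security):
    """Build groupType from a dsadd-style scope letter (l, g, u) and type."""
    if scope not in DSADD_SCOPE:
        raise ValueError("scope must be one of l, g, u")
    flags = DSADD_SCOPE[scope] | (SECURITY_ENABLED if security else 0)
    return to_signed32(flags)


def decode_group_type(value):
    """Return (scope, type) for a groupType read from the directory."""
    bits = int(value) & 0xFFFFFFFF          # accept signed or unsigned input
    scopes = [name for flag, name in SCOPES.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError("expected exactly one scope flag in %#010x" % bits)
    kind = "security" if bits & SECURITY_ENABLED else "distribution"
    return scopes[0], kind


if __name__ == "__main__":
    # Constructed sample values, as they would appear in an LDAP export.
    for raw in (-2147483646, -2147483644, -2147483640, 2, 8):
        print(raw, decode_group_type(raw))
```

Decoding exported groupType values this way makes it easy to tell security groups, which can appear in access control lists, from distribution groups when reviewing a directory.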

See Also

MS KB 231273 (Group Type and Scope Usage in Windows), MS KB 232241 (Group Management with ADSI in Windows 2000), MS KB 320054 (HOW TO: Manage Groups in Active Directory in Windows 2000), and MSDN: ADS_GROUP_TYPE_ENUM



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
