Handling Global Group Membership

You use Active Directory Users And Computers to configure group membership. When working with groups keep the following points in mind:

All new domain users are members of the group Domain Users, and their primary group is specified as Domain Users.
All new domain workstations and member servers are members of Domain Computers, and their primary group is Domain Computers.
All new domain controllers are members of Domain Controllers and their primary group is Domain Controllers.

Active Directory Users And Computers gives you several ways to manage group membership. You can

Manage individual membership
Manage multiple memberships
Set primary group membership for individual users and computers

Managing Individual Membership

You can add or remove group membership for any type of account by completing the following steps:

Double-click the user , computer, or group entry in Active Directory Users And Computers. This opens the account's Properties dialog box.
Select the Member Of tab.
To make the account a member of a group, click Add. This opens the Select Groups dialog box, which is the same as the Select Users Or Groups dialog box discussed in previous examples. You can now choose groups that the currently selected account should be a member of.
To remove the account from a group, select a group and then click Remove.
Click OK.

If you're working exclusively with user accounts, you can add users to groups by following these steps:

Select the user accounts that you want to work with in Active Directory Users And Computers.

Tip

To select multiple users individually, hold down the Ctrl key and then click the left mouse button on each user account that you want to select. To select a sequence of accounts, hold down the Shift key, select the first user account, and then click the last user account.
Right-click one of the selections, and then select Add To Group. This opens the Select Groups dialog box. You can now choose groups that the currently selected accounts should be members of.
Click OK.

Managing Multiple Memberships in a Group

Another way to manage group membership is to use a group's Properties dialog box to add or remove multiple accounts. To do this, follow these steps:

Double-click the group entry in Active Directory Users And Computers. This opens the group's Properties dialog box.
Select the Members tab.
To add accounts to the group, click Add. This opens the Select Users, Computers, Or Groups dialog box. You can now choose users, computers, and groups that should be members of this currently selected group.
To remove members from a group, select an account and then click Remove.
Click OK.

Setting the Primary Group for Users and Computers

Users who access Windows Server 2003 through services for Macintosh use primary groups. When a Macintosh user creates files or directories on a system running Windows Server 2003, the primary group is assigned to these files or directories.

All user and computer accounts must have a primary group regardless of whether the accounts access Windows Server 2003 systems through Macintosh. This group must be a group with global or universal scope, such as the global group Domain Users or the global group Domain Computers.

To set the primary group, complete the following steps:

Double-click the user or computer entry in Active Directory Users And Computers. This opens the account's Properties dialog box.
Select the Member Of tab.
Select a group with global or universal scope in the Member Of list box.
Click Set Primary Group.

All users must be a member of at least one primary group. You can't revoke membership in a primary group without first assigning the user to another primary group. To do this, complete the following steps:

Select a different group with global or universal scope in the Member Of list box, and then click Set Primary Group.
In the Member Of list box, click the former primary group and then click Remove. The group membership is now revoked .