Creating Groups in a Domain
A group object is created in Active Directory Domain Services in the domain container where the new group will be contained. Groups can be created at the root of the domain, within an organizational unit, or within a container. To create a group object, use the IADsContainer::Create or the IDirectoryObject::CreateDSObject method.
The following attributes are required to make the group object a legal group that the Active Directory server and the Windows security system will recognize:
- cn: Specifies the name of the group object in the directory. This will be the object's relative distinguished name within the container where the group is created.
- groupType: Contains an integer that specifies the group type and scope. The ADS_GROUP_TYPE_ENUM enumeration defines the possible values for the groupType attribute.
  The following list defines common group types and the values for this attribute:
  - Domain Local Distribution: ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
  - Domain Local Security: ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
  - Global Distribution: ADS_GROUP_TYPE_GLOBAL_GROUP
  - Global Security: ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
  - Universal Distribution: ADS_GROUP_TYPE_UNIVERSAL_GROUP
  - Universal Security: ADS_GROUP_TYPE_UNIVERSAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
  If the group is intended for setting access control on directory objects, the group should be a Global Security or Universal Security group.
  Be aware that Universal Security groups can only be created in Windows 2000 domains running in native mode. For more information about detecting mixed and native mode, see Detecting the Operation Mode of a Domain.
- sAMAccountName: Contains a string that is the name used to support clients and servers from a previous version of Windows. The sAMAccountName should be less than 20 characters to support clients of a previous version of Windows.
  The sAMAccountName must be unique among all security principal objects within the domain. A query should be performed against the domain to verify that the sAMAccountName is unique within the domain before the group is created.
The members of the group can be added at creation time using the IDirectoryObject::CreateDSObject method. Optionally, members can be added to the group after creation using the IADsGroup::Add method. For more information about adding members to a group, see Adding Members to Groups in a Domain.
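The procedure above, as an added PowerShell example that is not code from the page: it creates a Global Security group through the ADSI interfaces (the [ADSI] accelerator calls IADsContainer::Create underneath), after checking the sAMAccountName length and domain-wide uniqueness the page requires. The OU path, domain path and group name are placeholders, and the LDAP filter escaping is an addition so that a caller-supplied name cannot alter the uniqueness query.

```powershell
# Added example, not code from the page. Container, domain and group name are placeholders.

# groupType flag values from ADS_GROUP_TYPE_ENUM, kept as Int32 so the sign bit survives Put().
$ADS_GROUP_TYPE_GLOBAL_GROUP     = [int]2
$ADS_GROUP_TYPE_SECURITY_ENABLED = [int]::MinValue   # 0x80000000 as a signed 32-bit value

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves so the name cannot change the filter's meaning.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-SamAccountNameUnique {
    param([string]$Name, [string]$DomainPath)
    # sAMAccountName must be unique among every security principal in the domain,
    # so the search starts at the domain root, not at the target container.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$DomainPath)
    $searcher.Filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $Name))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    return ($null -eq $searcher.FindOne())
}

function New-DomainSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ContainerPath = 'LDAP://OU=Groups,DC=example,DC=com',   # placeholder
        [string]$DomainPath    = 'LDAP://DC=example,DC=com'              # placeholder
    )
    if ($Name.Length -ge 20) {
        throw "sAMAccountName '$Name' must be shorter than 20 characters for down-level clients."
    }
    if (-not (Test-SamAccountNameUnique -Name $Name -DomainPath $DomainPath)) {
        throw "sAMAccountName '$Name' already exists in the domain."
    }
    $container = [ADSI]$ContainerPath
    # IADsContainer::Create: the new object lives only in the local cache until SetInfo().
    $group = $container.Create('group', "CN=$Name")
    $group.Put('groupType', ($ADS_GROUP_TYPE_GLOBAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED))
    $group.Put('sAMAccountName', $Name)
    $group.SetInfo()   # commits the object; cn, groupType and sAMAccountName are all set by now
    return $group
}

New-DomainSecurityGroup -Name 'AppAdmins'
```

Members can then be added with IADsGroup::Add on the returned object, as the section on Adding Members to Groups in a Domain describes.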