Thursday, January 7, 2010

Managing Group Accounts

The Active Directory Users And Computers MMC is the primary tool you will use to administer security principals—users, groups, and computers—in the domain. In the creation of groups, you will configure the scope, type, and membership for each. You will also use the Active Directory Users And Computers MMC to modify membership of existing groups.

Creating a Security Group

The tool that you will use most often in the creation of groups is the Active Directory Users And Computers MMC, which can be found in the Administrative Tools folder. From within the Active Directory Users And Computers MMC, right-click the details pane of the container within which you want to create the group, and choose New, Group. You then must select the type and scope of group that you want to create.

The primary type of group that you will likely create is a security group, because this is the type of group that can be assigned permissions in an ACL. In a domain at the Windows 2000 mixed or Windows Server 2003 interim functional level, a security group can only have domain local or global scope. As the figure below illustrates, you cannot create a security group with universal scope in a mixed or interim domain.



Domain local, global, and universal groups can, however, all be created as distribution groups in a mixed or interim domain. Once the domain is at the Windows 2000 native or Windows Server 2003 functional level, security groups can be created in any of the three scopes.
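The same creation step driven from PowerShell rather than the MMC, as an added example that is not part of the original post. It uses the ActiveDirectory module (RSAT) and checks the domain functional level first, so that a request for a universal security group in a mixed or interim domain fails with a clear message instead of the MMC's greyed-out radio button. The group name, description and OU path in the usage line are assumptions for the example.

```powershell
# Added example: create a security group only if the domain's functional level
# supports the requested scope. Assumes the ActiveDirectory module (RSAT) and a
# session that already has rights to create objects in the target container.
Import-Module ActiveDirectory

function New-ScopedSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$Scope,
        [Parameter(Mandatory)][string]$Path,     # DN of the OU or container that will hold the group
        [string]$Description = ''
    )

    $domain = Get-ADDomain
    # Windows 2000 mixed and Windows 2000 native share behaviour version 0, so the
    # DomainMode property alone cannot tell them apart; the nTMixedDomain attribute
    # on the domain head is 1 for mixed (and for Windows Server 2003 interim).
    $head = Get-ADObject -Identity $domain.DistinguishedName -Properties nTMixedDomain
    $preNative = ($head.nTMixedDomain -eq 1) -or
                 ($domain.DomainMode.ToString() -eq 'Windows2003InterimDomain')

    if ($Scope -eq 'Universal' -and $preNative) {
        throw ("Domain {0} is at functional level {1} (mixed/interim): universal security " +
               "groups are not available. Use Global or DomainLocal scope, or raise the level.") -f
               $domain.DNSRoot, $domain.DomainMode
    }

    # Idempotent: do not create a second object if the name already exists in this container.
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if ($existing) {
        Write-Warning "Group '$Name' already exists in $Path; nothing created."
        return $existing
    }

    New-ADGroup -Name $Name -SamAccountName $Name `
                -GroupCategory Security -GroupScope $Scope `
                -Path $Path -Description $Description -PassThru
}

# Usage (group name and OU are assumed for the example):
New-ScopedSecurityGroup -Name 'Sales' -Scope Global `
    -Path 'OU=Groups,DC=contoso,DC=com' -Description 'Sales department'
```

On any domain raised past Windows Server 2003 the functional-level check is a no-op, since mixed and interim levels no longer exist there; it is kept so the script fails safely on the legacy domains the post is describing.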

Modifying Group Membership

Adding members to a group or removing them is also done through Active Directory Users And Computers. Right-click any group and choose Properties. The figure below shows the Properties dialog box of a global security group called Sales.


The table below explains the two membership tabs of the Properties dialog box.

Membership Configuration

Tab         Purpose
Members     Lists the security principals (users, computers, and other groups) that are members of this group, and lets you add or remove them.
Member Of   Lists the groups of which this group is itself a member, and lets you add or remove those memberships.
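The same two tabs driven from PowerShell, as an added example that is not part of the original post. The function adds and removes members idempotently (it skips principals that are already present or already absent, so re-running it is harmless) and then returns what the Members tab and the Member Of tab would each show for the group. The ActiveDirectory module is assumed; the group and account names in the usage line are assumptions for the example.

```powershell
# Added example: script the Members and Member Of tabs of a group's Properties dialog.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the group.
Import-Module ActiveDirectory

function Set-GroupMembership {
    param(
        [Parameter(Mandatory)][string]$Group,   # sAMAccountName, DN, SID or GUID of the group
        [string[]]$Add    = @(),                # sAMAccountNames to add    (computers end in '$')
        [string[]]$Remove = @()                 # sAMAccountNames to remove
    )

    # Compare on distinguished names so users, computers and groups are handled alike.
    $currentDNs = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty DistinguishedName)

    $toAdd = foreach ($sam in $Add) {
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
        if (-not $obj)                                    { Write-Warning "No object named '$sam'"; continue }
        if ($obj.DistinguishedName -in $currentDNs)       { continue }   # already a member
        $obj.DistinguishedName
    }
    $toRemove = foreach ($sam in $Remove) {
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
        if ($obj -and $obj.DistinguishedName -in $currentDNs) { $obj.DistinguishedName }
    }

    if ($toAdd)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }

    # What the two tabs show after the change.
    [pscustomobject]@{
        Group    = (Get-ADGroup -Identity $Group).Name
        # Members tab: direct members only (Get-ADGroupMember -Recursive would flatten nested groups instead).
        Members  = Get-ADGroupMember -Identity $Group |
                       Select-Object Name, objectClass, DistinguishedName
        # Member Of tab: groups this group is a direct member of.
        MemberOf = Get-ADPrincipalGroupMembership -Identity $Group |
                       Select-Object Name, GroupScope, GroupCategory
    }
}

# Usage (names are assumed for the example):
Set-GroupMembership -Group 'Sales' -Add 'jdoe', 'WS-SALES01$' -Remove 'former.employee'
```

Both tabs show direct relationships only. A user who reaches Sales through a nested group appears on neither tab, which is why the next section needs a recursive query.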

Finding the Domain Groups to Which a User Belongs

Active Directory allows for flexible and creative group nesting, where

* Global groups can be members of other global groups, universal groups, or domain local groups.

* Universal groups can be members of other universal groups or domain local groups.

* Domain local groups can be members of other domain local groups.

Nesting a group in another group of the same scope (global in global, domain local in domain local) requires the Windows 2000 native functional level or higher; in a mixed or interim domain, a global group can hold only user and computer accounts.

This flexibility brings with it the potential for complexity, and without the right tools, it would be difficult to know exactly which groups a user belongs to, whether directly or indirectly. Fortunately, Windows Server 2003 adds the DSGET command, which solves the problem. From a command prompt, type:

dsget user UserDN -memberof [-expand]

The -memberof switch returns the value of the user's MemberOf attribute, that is, the groups to which the user directly belongs. Adding the -expand switch searches those groups recursively, producing the full list of groups in the domain to which the user belongs directly or through nesting. One group is missing from both forms of the output: the user's primary group (by default, Domain Users). It is recorded in the primaryGroupID attribute rather than in MemberOf, so it never appears in a MemberOf listing even though the user holds it in every access token.
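The PowerShell counterpart of dsget user -memberof -expand, as an added example that is not part of the original post. Instead of walking the groups client-side it asks the domain controller for the transitive closure in one LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), and it adds the primary group that MemberOf omits. The ActiveDirectory module is assumed; the user name in the usage line is an assumption for the example.

```powershell
# Added example: every domain group a user belongs to, directly or by nesting,
# including the primary group that memberOf never lists.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-EffectiveDomainGroups {
    param([Parameter(Mandatory)][string]$User)   # sAMAccountName, UPN, DN or SID

    $u      = Get-ADUser -Identity $User -Properties memberOf, primaryGroupID
    $domain = Get-ADDomain

    # The DN goes into an LDAP filter, so escape the characters RFC 4515 reserves
    # (backslash first, or the later replacements would be escaped twice).
    $dn = $u.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                               -replace '\)', '\29' -replace '\*', '\2a'

    # 1. Transitive memberships: the server-side equivalent of "dsget ... -memberof -expand".
    #    The in-chain rule follows member links through any depth of nesting.
    $nested = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")

    # 2. The primary group is stored as a RID in primaryGroupID, not as a member link.
    #    Rebuild its SID from the domain SID and look the group up.
    $primary = Get-ADGroup -Identity ('{0}-{1}' -f $domain.DomainSID.Value, $u.primaryGroupID)

    $all = @($nested) + @($primary) | Sort-Object DistinguishedName -Unique
    foreach ($g in $all) {
        [pscustomobject]@{
            Group    = $g.Name
            Scope    = $g.GroupScope
            Category = $g.GroupCategory
            # Direct: listed in memberOf (what "dsget -memberof" alone shows) or the primary group.
            Direct   = ($g.DistinguishedName -in $u.memberOf) -or ($g.SID -eq $primary.SID)
        }
    }
}

# Usage (account name is assumed for the example):
Get-EffectiveDomainGroups -User 'jdoe' | Sort-Object Direct -Descending | Format-Table -AutoSize
```

Like dsget, this queries the user's own domain. Universal groups from other domains in the forest that contain the user will only be found by pointing the query at a global catalog (for example -Server 'dc01.contoso.com:3268'), and local groups on individual member servers are not in the directory at all.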
