Microsoft KB Archive/320054

= HOW TO: Manage Groups in Active Directory in Windows 2000 =

PSS ID Number: 320054

Article Last Modified on 9/19/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional

-



This article was previously published under Q320054



IN THIS TASK

 * SUMMARY
 * About Groups
 * Manage Groups
 * Add a Group
 * Add a Member to a Group
 * Convert a Group to Another Group Type
 * Change Group Scope
 * Delete a Group
 * Find a Group
 * Find Groups in Which a User Is a Member
 * Modify Group Properties
 * Remove a Member from a Group
 * Rename a Group



SUMMARY
This article explains how to manage groups in Active Directory.

back to the top

About Groups
Groups are Active Directory or local computer objects that can contain users, contacts, computers, and other groups.

You can use groups to:
 * Manage user and computer access to shared resources such as Active Directory objects and their properties, network shares, files, directories, and printer queues.
 * Filter Group Policy settings.
 * Create e-mail distribution lists.

The default groups that are put in the Builtin folder for Active Directory Users and Computers are:


 * Account Operators
 * Administrators
 * Backup Operators
 * Guests
 * Print Operators
 * Replicator
 * Server Operators
 * Users

The predefined groups that are put in the Users folder for Active Directory Users and Computers are:
 * Group name
 * Cert Publishers
 * Domain Admins
 * Domain Computers
 * Domain Controllers
 * Domain Guests
 * Domain Users
 * Enterprise Admins
 * Group Policy Admins
 * Schema Admins

Unlike groups, organizational units are used to create collections of objects in a single domain, but do not confer membership. Organizational units are logical containers into which you can put users, groups, computers, and other organizational units. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which you can apply a Group Policy or delegate authority. The administration of an organizational unit and the objects it contains can be delegated to an individual administrator or a group.

Group Policy objects can be applied to sites, domains or organizational units, but never to groups. A Group Policy object is a collection of settings that affects users or computers. Group membership is used to filter which Group Policy objects will affect the users and computers in the site, domain, or organizational unit.

For more information about Group Policy, see the &quot;Understanding Group Policy&quot; topic in Windows 2000 Help.

For more information about groups and how to use them, see the &quot;Understanding Groups&quot; topic in Windows 2000 Help.

Manage Groups
back to the top

Add a Group

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the domain node.
 * 3) Right-click the folder in which you want to add the group, point to New, and then click Group.
 * 4) Type the name of the new group.

By default, the name that you type is also entered as the pre-Windows 2000 name of the new group.
 * 1) Click the Group scope that you want.
 * 2) Click the Group type that you want.

NOTE: If the domain in which you are creating the group is in mixed-mode, you can only select security groups with Domain local or Global scopes.

back to the top

Add a member to a group

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the domain node.
 * 3) Click the folder that contains the group to which you want to add a member.
 * 4) In the Details pane, right-click the group, and then click Properties.
 * 5) Click the Members tab, and then click Add.
 * 6) Click Look in to display a list of domains from which users and computers can be added to the group, and then click the domain containing the users and computers that you want to add.
 * 7) Click the users and computers to be added, and then click Add.

NOTE: Membership in a particular group can include users and computers. Additionally, membership in a particular group can include contacts and other groups.

back to the top

Convert a Group to Another Group Type

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the domain node.
 * 3) Click the folder that contains the group.
 * 4) In the Details pane, right-click the group, and then click Properties.
 * 5) Click the General tab, and then under Group type, click the group type.

back to the top

Change Group Scope

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the domain node.
 * 3) Click the folder that contains the group.
 * 4) In the Details pane, right-click the group, and then click Properties.
 * 5) Click the General tab, and then click the group scope under Group scope.

back to the top

Delete a Group

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the domain node.
 * 3) Click the folder that contains the group.
 * 4) In the Details pane, right-click the group, and then click Delete.

NOTE: By default, local groups provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder. By default, common global groups, such as Domain Admins and Domain Users, are located in the Users folder. New groups can be added or moved to any folder. Microsoft recommends that you locate new groups in an organizational unit folder.

back to the top

Find a Group

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, right-click the domain node, and then click Find.
 * 3) Click the Users, Contacts, and Groups tab. In the Name box, type the name of the group that you want to find.
 * 4) Click Find Now.

NOTES:
 * By default, local groups that are provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder. By default, common global groups, such as Domain Admins and Domain Users, are located in the Users folder. New groups can be added or moved to any folder; it is recommended that they be located in an organizational unit folder.
 * Use the Advanced tab for more powerful search options.

back to the top

Find Groups in Which a User Is a Member

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, click Users under the domain node, or click the folder that contains the user account.
 * 3) In the details pane, right-click a user account, and then click Properties.
 * 4) Click the Member Of tab.

NOTE: By default, local groups that are provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder. By default, common global groups, such as Domain Admins and Domain Users, are located in the Users folder. New groups can be added or moved to any folder. Microsoft recommends that you locate new groups in an organizational unit folder.

back to the top

Modify Group Properties

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the domain node.
 * 3) Click the folder that contains the group.
 * 4) In the Details pane, right-click the group, and then click Properties.

back to the top

Remove a Member from a Group

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the domain node.
 * 3) Click the folder that contains the group.
 * 4) In the Details pane, right-click the group, and then click Properties.
 * 5) Click the Members tab.
 * 6) Click the members whom you want to delete, and then click Remove.

NOTE: Local groups provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder by default. Common global groups, such as Domain Admins and Domain Users, are located in the Users folder by default. New groups can be added or moved to any folder; it is recommended that they be located in an organizational unit folder.

back to the top

Rename a Group

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, double-click the domain node.
 * 3) Click the folder in which the group is located.
 * 4) In the Details pane, right-click the group, and then click Rename.
 * 5) Type the new group name.

NOTE: Local groups provided automatically by Windows 2000, such as Administrators and Account Operators, are located in the Builtin folder by default. Common global groups, such as Domain Admins and Domain Users, are located in the Users folder by default. New groups can be added or moved to any folder. Microsoft recommends that you locate new groups in an organizational unit folder.

back to the top

Keywords: kbHOWTOmaster KB320054

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.