Microsoft KB Archive/816302

= HOW TO: Manage Groups in Windows Server 2003 =

Article ID: 816302

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-



IN THIS TASK

 * SUMMARY
 * About Groups
 * Manage Groups
 * Add a Group
 * Add a Member to a Group
 * Convert a Group to Another Group Type
 * Change Group Scope
 * Delete a Group
 * Find a Group
 * Find Groups Where a User Is a Member
 * Modify Group Properties
 * Remove a Member from a Group
 * Rename a Group
 * REFERENCES



SUMMARY
This step-by-step article describes how to manage groups in Active Directory.

back to the top

About Groups
Groups are Active Directory or local computer objects that can contain users, contacts, computers, and other groups. You can use groups to do the following:
 * Manage user and computer access to shared resources such as Active Directory objects and their properties, network shares, files, directories, and printer queues.
 * Filter Group Policy settings.
 * Create e-mail distribution lists.

The default groups that are put in the Built in container of Active Directory Users and Computers are:

Account Operators

Administrators

Backup Operators

Guests

Incoming Forest Trust Builders (only appears in the forest root domain)

Network Configuration Operators

Performance Monitor Users

Performance Log Users

Pre-Windows 2000 Compatible Access

Print Operators

Remote Desktop Users

Replicator

Server Operators

Users

The predefined groups that are put in the Users container of Active Directory Users and Computers are:

Cert Publishers

DnsAdmins (installed with DNS)

DNSUpdateProxy (installed with DNS)

Domain Admins

Domain Computers

Domain Controllers

Domain Guests

Domain Users

Enterprise Admins (only appears in the forest root domain)

Group Policy Creator Owners

IIS_WPG (installed with Internet Information Services)

Remote access and IAS Servers Schema Admins (only appears in the forest root domain)

Unlike groups, organizational units are used to create collections of objects in a single domain, but do not confer membership. Organizational units are logical containers where you can put users, groups, computers, and other organizational units. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which you can apply a Group Policy or delegate authority. The administration of an organizational unit and the objects it contains can be delegated to an individual administrator or a group. Group Policy objects can be applied to sites, domains or organizational units, but never to groups. A Group Policy object is a collection of settings that affects users or computers. Group membership is used to filter which Group Policy objects affect the users and computers in the site, domain, or organizational unit.

back to the top

Manage Groups
To manage groups in Windows Server 2003, follow these steps.

back to the top

Add a Group
To add a group, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, expand , where   is the name of your domain.
 * 3) Right-click the folder where you want to add the group, point to New, and then click Group.
 * 4) In the Group name box, type a name for the new group.

By default, the name that you type is also entered as the pre-Microsoft Windows 2000 name of the new group.
 * 1) Under Group scope, click the option that you want, and then under Group type, click the option that you want.
 * 2) Click OK.

back to the top

Add a Member to a Group
To add a member to a group, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, expand , where   is the name of your domain.
 * 3) Click the folder that contains the group where you want to add a member.
 * 4) In the right pane, right-click the group where you want to add a member, and then click Properties.
 * 5) Click the Members tab, and then click Add.
 * 6) In the Select User, Contacts, or Computers dialog box, type the names of the users and computers that you want to add, and then click OK.
 * 7) Click OK.

Note In addition to users and computers, membership in a particular group can include contacts and other groups.

back to the top

Convert a Group to Another Group Type
To convert a group to another group type, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, expand , where   is the name of your domain.
 * 3) Click the folder that contains the group.
 * 4) In the right pane, right-click the group, and then click Properties.
 * 5) Click the General tab, under Group type, click the group type that you want, and then click OK.

back to the top

Change Group Scope
To change group scope, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, expand , where   is the name of your domain.
 * 3) Click the folder that contains the group.
 * 4) In the right pane, right-click the group, and then click Properties.
 * 5) Click the General tab, under Group scope, click the group scope that you want, and then click OK.

back to the top

Delete a Group
To delete a group, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, expand , where   is the name of your domain.
 * 3) Click the folder that contains the group.
 * 4) In the right pane, right-click the group that you want to delete, and then click Delete
 * 5) Click Yes when you are prompted to confirm the deletion.

back to the top

Find a Group
To find a group, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, right-click , where   is the name of your domain, and then click Find.
 * 3) Click the Users, Contacts, and Groups tab.
 * 4) In the Name box, type the name of the group that you want to find, and then click Find Now.

Note For more powerful search options, click the Advanced tab, and then specify the search conditions that you want.

back to the top

Find Groups where a User Is a Member
To find a group where a user is a member, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, , where   is the name of your domain, and then click Users.

Or, click the folder that contains the user account.
 * 1) In the right pane, right-click the user account, and then click Properties.
 * 2) Click the Member Of tab.

Note The Member of tab for a user displays a list of groups in the domain where the account of the user account is located. Active Directory does not display groups that are located in trusted domains where the user is a member.

back to the top

Modify Group Properties
To modify the properties of a group, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, expand , where   is the name of your domain.
 * 3) Click the folder that contains the group.
 * 4) In the right pane, right-click the group, and then click Properties.
 * 5) Make the changes that you want, and then click OK.

back to the top

Remove a Member from a Group
To remove a member from a group, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, expand , where   is the name of your domain.
 * 3) Click the folder that contains the group.
 * 4) In the right pane, right-click the group, and then click Properties.
 * 5) Click the Members tab.
 * 6) Click the members who you want to remove from the group, and then click Remove.
 * 7) Click OK.

back to the top

Rename a Group
To rename a group, follow these steps:
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the console tree, expand , where   is the name of your domain.
 * 3) Click the folder that contains the group.
 * 4) In the right pane, right-click the group, and then click Rename.
 * 5) Type a name for the new group, and then press ENTER.

back to the top

