Article ID: 816302
Article Last Modified on 12/3/2007
APPLIES TO
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Small Business Server 2003 Premium Edition
- Microsoft Windows Small Business Server 2003 Standard Edition
SUMMARY
This step-by-step article describes how to manage groups in Active Directory.
back to the top
About Groups
Groups are Active Directory or local computer objects that can contain users, contacts, computers, and other groups. You can use groups to do the following:
- Manage user and computer access to shared resources such as Active Directory objects and their properties, network shares, files, directories, and printer queues.
- Filter Group Policy settings.
- Create e-mail distribution lists.
The default groups that are put in the Built in container of Active Directory Users and Computers are:
Account Operators
Administrators
Backup Operators
Guests
Incoming Forest Trust Builders (only appears in the forest root domain)
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Pre-Windows 2000 Compatible Access
Print Operators
Remote Desktop Users
Replicator
Server Operators
Users
The predefined groups that are put in the Users container of Active Directory Users and Computers are:
Cert Publishers
DnsAdmins (installed with DNS)
DNSUpdateProxy (installed with DNS)
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins (only appears in the forest root domain)
Group Policy Creator Owners
IIS_WPG (installed with Internet Information Services)
Remote access and IAS Servers Schema Admins (only appears in the forest root domain)
Unlike groups, organizational units are used to create collections of objects in a single domain, but do not confer membership. Organizational units are logical containers where you can put users, groups, computers, and other organizational units. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which you can apply a Group Policy or delegate authority. The administration of an organizational unit and the objects it contains can be delegated to an individual administrator or a group. Group Policy objects can be applied to sites, domains or organizational units, but never to groups. A Group Policy object is a collection of settings that affects users or computers. Group membership is used to filter which Group Policy objects affect the users and computers in the site, domain, or organizational unit.
back to the top
Manage Groups
To manage groups in Windows Server 2003, follow these steps.
back to the top
Add a Group
To add a group, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, expand
DomainName
, whereDomainName
is the name of your domain. - Right-click the folder where you want to add the group, point to New, and then click Group.
- In the Group name box, type a name for the new group.
By default, the name that you type is also entered as the pre-Microsoft Windows 2000 name of the new group.
- Under Group scope, click the option that you want, and then under Group type, click the option that you want.
- Click OK.
Add a Member to a Group
To add a member to a group, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, expand
DomainName
, whereDomainName
is the name of your domain. - Click the folder that contains the group where you want to add a member.
- In the right pane, right-click the group where you want to add a member, and then click Properties.
- Click the Members tab, and then click Add.
- In the Select User, Contacts, or Computers dialog box, type the names of the users and computers that you want to add, and then click OK.
- Click OK.
Note In addition to users and computers, membership in a particular group can include contacts and other groups.
Convert a Group to Another Group Type
To convert a group to another group type, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, expand
DomainName
, whereDomainName
is the name of your domain. - Click the folder that contains the group.
- In the right pane, right-click the group, and then click Properties.
- Click the General tab, under Group type, click the group type that you want, and then click OK.
Change Group Scope
To change group scope, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, expand
DomainName
, whereDomainName
is the name of your domain. - Click the folder that contains the group.
- In the right pane, right-click the group, and then click Properties.
- Click the General tab, under Group scope, click the group scope that you want, and then click OK.
Delete a Group
To delete a group, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, expand
DomainName
, whereDomainName
is the name of your domain. - Click the folder that contains the group.
- In the right pane, right-click the group that you want to delete, and then click Delete
- Click Yes when you are prompted to confirm the deletion.
Find a Group
To find a group, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, right-click
DomainName
, whereDomainName
is the name of your domain, and then click Find. - Click the Users, Contacts, and Groups tab.
- In the Name box, type the name of the group that you want to find, and then click Find Now.
Note For more powerful search options, click the Advanced tab, and then specify the search conditions that you want.
Find Groups where a User Is a Member
To find a group where a user is a member, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree,
DomainName
, whereDomainName
is the name of your domain, and then click Users.
Or, click the folder that contains the user account.
- In the right pane, right-click the user account, and then click Properties.
- Click the Member Of tab.
Note The Member of tab for a user displays a list of groups in the domain where the account of the user account is located. Active Directory does not display groups that are located in trusted domains where the user is a member.
Modify Group Properties
To modify the properties of a group, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, expand
DomainName
, whereDomainName
is the name of your domain. - Click the folder that contains the group.
- In the right pane, right-click the group, and then click Properties.
- Make the changes that you want, and then click OK.
Remove a Member from a Group
To remove a member from a group, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, expand
DomainName
, whereDomainName
is the name of your domain. - Click the folder that contains the group.
- In the right pane, right-click the group, and then click Properties.
- Click the Members tab.
- Click the members who you want to remove from the group, and then click Remove.
- Click OK.
Rename a Group
To rename a group, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, expand
DomainName
, whereDomainName
is the name of your domain. - Click the folder that contains the group.
- In the right pane, right-click the group, and then click Rename.
- Type a name for the new group, and then press ENTER.
REFERENCES
For more information about groups and how to use them, see the "Active Directory groups" topic in Microsoft Windows Server 2003 Help. To do so, click Start, and then click Help and Support. In the Search box, type active directory groups, and then press ENTER to view the topics that are returned.
back to the top
Keywords: kbmgmtservices kbbug kbhowto KB816302