HOW TO: Manage Groups in Windows Server 2003 (816302)


The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

IN THIS TASK

SUMMARY

This step-by-step article describes how to manage groups in Active Directory.

back to the top

About Groups

Groups are Active Directory or local computer objects that can contain users, contacts, computers, and other groups. You can use groups to do the following:
  • Manage user and computer access to shared resources such as Active Directory objects and their properties, network shares, files, directories, and printer queues.
  • Filter Group Policy settings.
  • Create e-mail distribution lists.
The default groups that are put in the Built in container of Active Directory Users and Computers are:

Account Operators
Administrators
Backup Operators
Guests
Incoming Forest Trust Builders (only appears in the forest root domain)
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Pre-Windows 2000 Compatible Access
Print Operators
Remote Desktop Users
Replicator
Server Operators
Users

The predefined groups that are put in the Users container of Active Directory Users and Computers are:

Cert Publishers
DnsAdmins (installed with DNS)
DNSUpdateProxy (installed with DNS)
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins (only appears in the forest root domain)
Group Policy Creator Owners
IIS_WPG (installed with Internet Information Services)
Remote access and IAS Servers Schema Admins (only appears in the forest root domain)

Unlike groups, organizational units are used to create collections of objects in a single domain, but do not confer membership. Organizational units are logical containers where you can put users, groups, computers, and other organizational units. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which you can apply a Group Policy or delegate authority. The administration of an organizational unit and the objects it contains can be delegated to an individual administrator or a group. Group Policy objects can be applied to sites, domains or organizational units, but never to groups. A Group Policy object is a collection of settings that affects users or computers. Group membership is used to filter which Group Policy objects affect the users and computers in the site, domain, or organizational unit.

back to the top

Manage Groups

To manage groups in Windows Server 2003, follow these steps.

back to the top

Add a Group

To add a group, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand DomainName , where DomainName is the name of your domain.
  3. Right-click the folder where you want to add the group, point to New, and then click Group.
  4. In the Group name box, type a name for the new group.

    By default, the name that you type is also entered as the pre-Microsoft Windows 2000 name of the new group.
  5. Under Group scope, click the option that you want, and then under Group type, click the option that you want.
  6. Click OK.
back to the top

Add a Member to a Group

To add a member to a group, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand DomainName, where DomainName is the name of your domain.
  3. Click the folder that contains the group where you want to add a member.
  4. In the right pane, right-click the group where you want to add a member, and then click Properties.
  5. Click the Members tab, and then click Add.
  6. In the Select User, Contacts, or Computers dialog box, type the names of the users and computers that you want to add, and then click OK.
  7. Click OK.

    Note In addition to users and computers, membership in a particular group can include contacts and other groups.
back to the top

Convert a Group to Another Group Type

To convert a group to another group type, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand DomainName, where DomainName is the name of your domain.
  3. Click the folder that contains the group.
  4. In the right pane, right-click the group, and then click Properties.
  5. Click the General tab, under Group type, click the group type that you want, and then click OK.
back to the top

Change Group Scope

To change group scope, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand DomainName, where DomainName is the name of your domain.
  3. Click the folder that contains the group.
  4. In the right pane, right-click the group, and then click Properties.
  5. Click the General tab, under Group scope, click the group scope that you want, and then click OK.
back to the top

Delete a Group

To delete a group, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand DomainName, where DomainName is the name of your domain.
  3. Click the folder that contains the group.
  4. In the right pane, right-click the group that you want to delete, and then click Delete
  5. Click Yes when you are prompted to confirm the deletion.
back to the top

Find a Group

To find a group, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click DomainName, where DomainName is the name of your domain, and then click Find.
  3. Click the Users, Contacts, and Groups tab.
  4. In the Name box, type the name of the group that you want to find, and then click Find Now.

    Note For more powerful search options, click the Advanced tab, and then specify the search conditions that you want.
back to the top

Find Groups where a User Is a Member

To find a group where a user is a member, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, DomainName, where DomainName is the name of your domain, and then click Users.

    Or, click the folder that contains the user account.
  3. In the right pane, right-click the user account, and then click Properties.
  4. Click the Member Of tab.

    Note The Member of tab for a user displays a list of groups in the domain where the account of the user account is located. Active Directory does not display groups that are located in trusted domains where the user is a member.
back to the top

Modify Group Properties

To modify the properties of a group, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand DomainName, where DomainName is the name of your domain.
  3. Click the folder that contains the group.
  4. In the right pane, right-click the group, and then click Properties.
  5. Make the changes that you want, and then click OK.
back to the top

Remove a Member from a Group

To remove a member from a group, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand DomainName, where DomainName is the name of your domain.
  3. Click the folder that contains the group.
  4. In the right pane, right-click the group, and then click Properties.
  5. Click the Members tab.
  6. Click the members who you want to remove from the group, and then click Remove.
  7. Click OK.
back to the top

Rename a Group

To rename a group, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand DomainName, where DomainName is the name of your domain.
  3. Click the folder that contains the group.
  4. In the right pane, right-click the group, and then click Rename.
  5. Type a name for the new group, and then press ENTER.
back to the top

REFERENCES

For more information about groups and how to use them, see the "Active Directory groups" topic in Microsoft Windows Server 2003 Help. To do so, click Start, and then click Help and Support. In the Search box, type active directory groups, and then press ENTER to view the topics that are returned.

back to the top
Modification Type:MajorLast Reviewed:1/13/2006
Keywords:kbMgmtServices kbBug kbhowto KB816302
©2004 Microsoft Corporation. All rights reserved.