Defining a Security Group Creation Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You need to define which members of your organization are allowed to create new security groups, and you need to identify the process that they use to create new security groups.

Delegating Security Group Creation Rights

Windows Server 2003 does not place any constraints on the ability to delegate permission to create security groups. You can edit the ACL of any security group and give any user in the forest permission to update the group’s membership. This enables you to simplify the administration of groups in your organization.

By default, members of the Domain Admins, Enterprise Admins, and Account Operators groups have the Create Group Objects and Delete Group Objects permission. If it is appropriate for Account Operators in your organization to be responsible for managing the creation of security groups, there is no need to delegate this ability to others.

If individuals other than members of the Administrators, Domain Admins, Enterprise Admins, or Account Operators groups need to create security groups, you can delegate the ability to create and delete security groups within an organizational unit (OU) to individuals or groups in your organization. You might need to create a separate security group, such as Group Admins, and add the appropriate user accounts to this group. If the Group Admins group has authority only within a single domain, make it a domain local group.

For more information about delegating the right to create security groups by using the Active Directory Delegation Wizard, see "Delegating administration" in Help and Support Center for Windows Server 2003.
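The following script is an added example, not code from the Microsoft article. It performs the delegation described above with PowerShell instead of the Delegation Wizard and then lists every principal that can create groups in the OU, which is the check to run after delegating and again periodically. It assumes the RSAT ActiveDirectory module (which postdates Windows Server 2003 and would run from a later management host), a constructed OU named OU=Groups,DC=contoso,DC=com, and a constructed domain local group named Group Admins; the function names are also the example's own.

```powershell
# Added example: delegate Create/Delete Group Objects to a Group Admins group
# and report who can create groups in the OU. Assumes the RSAT ActiveDirectory
# module; OU and group names below are constructed for the example.
Import-Module ActiveDirectory

# schemaIDGUID of the 'group' object class. Using it scopes the ACE to group
# objects only, rather than "create child objects of any class".
$GroupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
$CreateChild    = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$GenericAll     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Grant-GroupCreationRight {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$DelegateGroupName
    )
    $sid = (Get-ADGroup -Identity $DelegateGroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Create Group Objects and Delete Group Objects on this OU and its child
    # OUs, and nothing else: no GenericAll, no rights over other object classes.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GroupClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Get-GroupCreators {
    # Lists Allow ACEs that permit creating group objects in the OU, including
    # the broad forms a delegation review should flag: CreateChild with an empty
    # ObjectType (any class) and GenericAll (full control).
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -or
            ((($_.ActiveDirectoryRights -band $CreateChild) -ne 0) -and
             ($_.ObjectType -eq $GroupClassGuid -or $_.ObjectType -eq [Guid]::Empty))
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

$ou = 'OU=Groups,DC=contoso,DC=com'
Grant-GroupCreationRight -OuDistinguishedName $ou -DelegateGroupName 'Group Admins'
Get-GroupCreators -OuDistinguishedName $ou | Format-Table -AutoSize
```

In the report, entries with IsInherited set to True come from a parent container rather than from this OU's own ACL, and entries whose ObjectType is the empty GUID or whose rights include GenericAll grant far more than group creation; both are what a review of "who can create security groups" is meant to surface. On a Windows Server 2003 host without the PowerShell module, the same scoped grant can be made from the command line with dsacls, for example `dsacls "OU=Groups,DC=contoso,DC=com" /I:T /G "CONTOSO\Group Admins:CCDC;group"`.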

Defining a Security Group Request Process

You need to define a process by which requests for the creation of security groups are submitted and approved. Requiring users to submit requests for the creation of new security groups and approving those requests before the groups are created limits the unnecessary proliferation of security groups in your organization.

A request for a new group should include the following information about the group:

  • Purpose and scope

  • Proposed membership

  • Relationship to other groups

  • Expected lifetime

  • Group owner

Be sure that your IT staff keeps these requests on file or in a database as a source of information for various security maintenance tasks. This information is especially useful in identifying potentially obsolete groups. For more information about identifying obsolete security groups, see "Defining a Security Group Retirement Policy" later in this chapter.
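The following script is an added example, not code from the Microsoft article. It turns the request items listed above into a provisioning step: a request is rejected unless it carries every required field, the approved group is created with the owner recorded as the group's manager and the purpose and review date stored on the object, and the request itself is appended to a register file so that the retirement review described later in the chapter has something to work from. It assumes the RSAT ActiveDirectory module, a constructed target OU of OU=Groups,DC=contoso,DC=com, a constructed register path, and constructed sample request values; the function names are the example's own.

```powershell
# Added example: validate a security group request against the policy's
# required fields, create the approved group, and record the request.
# Assumes the RSAT ActiveDirectory module; paths and names are constructed.
Import-Module ActiveDirectory

$TargetOu        = 'OU=Groups,DC=contoso,DC=com'            # constructed
$RequestRegister = 'C:\SecurityGroupRequests\register.csv'  # constructed

function Test-GroupRequest {
    # Returns the list of policy violations; an empty list means the request
    # is complete. ProposedMembers and RelatedGroups may legitimately be empty.
    param([Parameter(Mandatory)][hashtable]$Request)
    $problems = @()
    foreach ($field in 'Name', 'Purpose', 'Scope', 'ExpectedLifetimeDays', 'Owner', 'ApprovedBy') {
        if (-not $Request.ContainsKey($field) -or [string]::IsNullOrWhiteSpace("$($Request[$field])")) {
            $problems += "Missing required field: $field"
        }
    }
    if ($Request.Scope -and $Request.Scope -notin 'DomainLocal', 'Global', 'Universal') {
        $problems += "Scope must be DomainLocal, Global or Universal, not '$($Request.Scope)'"
    }
    if ($Request.ExpectedLifetimeDays -and -not ([int]$Request.ExpectedLifetimeDays -gt 0)) {
        $problems += 'ExpectedLifetimeDays must be a positive number of days'
    }
    return $problems
}

function New-SecurityGroupFromRequest {
    param([Parameter(Mandatory)][hashtable]$Request)

    $problems = Test-GroupRequest -Request $Request
    if ($problems.Count -gt 0) {
        throw "Request for '$($Request.Name)' rejected:`n" + ($problems -join "`n")
    }

    # The owner must be a real account; it becomes the group's manager (managedBy),
    # which is where a later retirement review looks for someone to ask.
    $owner      = Get-ADUser -Identity $Request.Owner
    $reviewDate = (Get-Date).AddDays([int]$Request.ExpectedLifetimeDays)
    $notes      = "Requested by $($Request.Owner); approved by $($Request.ApprovedBy) on $(Get-Date -Format 'yyyy-MM-dd'). " +
                  "Related groups: $(($Request.RelatedGroups -join ', ') -replace '^$','none'). " +
                  "Review by $($reviewDate.ToString('yyyy-MM-dd'))."

    $group = New-ADGroup -Name $Request.Name -GroupCategory Security -GroupScope $Request.Scope `
                         -Path $TargetOu -Description $Request.Purpose -ManagedBy $owner `
                         -OtherAttributes @{ info = $notes } -PassThru

    if ($Request.ProposedMembers) {
        Add-ADGroupMember -Identity $group -Members $Request.ProposedMembers
    }

    # Keep the request on file, as the policy requires, so obsolete groups can
    # be identified later by owner and review date.
    [pscustomobject]@{
        Name          = $Request.Name
        Purpose       = $Request.Purpose
        Scope         = $Request.Scope
        Members       = ($Request.ProposedMembers -join ';')
        RelatedGroups = ($Request.RelatedGroups -join ';')
        Owner         = $Request.Owner
        ApprovedBy    = $Request.ApprovedBy
        Created       = (Get-Date).ToString('s')
        ReviewBy      = $reviewDate.ToString('yyyy-MM-dd')
    } | Export-Csv -Path $RequestRegister -Append -NoTypeInformation

    return $group
}

# Constructed sample request covering the five items the policy asks for.
$request = @{
    Name                 = 'Finance-Reporting-Readers'
    Purpose              = 'Read access to the monthly finance reporting share'
    Scope                = 'DomainLocal'
    ProposedMembers      = @('jdoe', 'asmith')
    RelatedGroups        = @('Finance-Staff')
    ExpectedLifetimeDays = 365
    Owner                = 'fin.manager'
    ApprovedBy           = 'it.security'
}
New-SecurityGroupFromRequest -Request $request
```

A request that omits the owner or the expected lifetime fails before anything is created, which is the point of approving requests first. Because the owner lands in managedBy and the review date in the group's Notes (info) attribute, a later sweep for obsolete groups can query the directory for groups whose review date has passed, rather than depending only on the register file.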