Changing group memberships

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A group is a collection of users that you can use to simplify the administration of user permissions and rights. In addition, you can use a group to delegate administrative tasks, filter Group Policy settings, and create e-mail distribution lists. Users belonging to a particular group receive all the permissions and rights assigned to that group. By changing group memberships for a user, you can quickly change the resources to which that user has access, as well as the tasks delegated to the user and the Group Policy settings that apply to the user. You can change the membership of Active Directory groups to change users’ permissions and rights within a domain or forest. You can also change the membership of local groups to change users’ permissions and rights on a specific computer.

Some of the most common tasks are adding or removing members from Active Directory groups and adding or removing members from groups on a local computer. You can also use the command line to change group memberships, either in a domain (see Managing Active Directory from the command line) or on a local computer (see Managing local groups from the command line). For more information about other tasks for managing group memberships in a domain, see Manage Groups. For more information about other tasks for managing group memberships on a local computer, see Manage Local Groups.

To add or remove a member from an Active Directory group

  1. Open Active Directory Users and Computers.

  2. In the console tree, double-click the domain node.

  3. Click the folder that contains the group to which you want to add or remove a member.

  4. In the details pane, right-click the group, and then click Properties.

  5. Click the Members tab, and then do one of the following:

    • To add a member to a group, click Add. In Enter the object names to select, type the name of the user, group, or computer that you want to add to the group, and then click OK.

    • To remove a member from a group, click the member you want to remove, and then click Remove.

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • In addition to users and computers, groups can include contacts and other groups.

  • To add members to a group, you can click the members you want to add, click the Add to a group toolbar button, and then type the name of the group to which they will be added. You can also drag a member object to a group, or right-click the object, and then click Add to a group from the shortcut menu.

  • When you administer a domain, security principals in the parent domain or other trusted domains are not visible on the Member Of tab of a domain user's properties. The only domain accounts that you can add or view are the present domain groups. Only domain groups in the present domain are shown, even if the member belongs to other trusted domain groups.
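
The same change can be made and checked from the command line with the directory service tools (dsmod and dsget). The script below is an added example, not part of the original Help topic; the distinguished names in its usage line are constructed placeholders, and it assumes the member being added is a user account.

```batch
@echo off
rem Added example: add a member to a domain group, then verify the result.
rem Arguments: %1 = distinguished name of the group, %2 = distinguished name of the user.
rem Assumption: the member is a user account (dsget user is used at the end).
setlocal
if "%~2"=="" (
  echo Usage: %~nx0 "CN=Sales Staff,OU=Groups,DC=example,DC=com" "CN=J Smith,OU=Staff,DC=example,DC=com"
  exit /b 2
)
set "GROUP=%~1"
set "MEMBER=%~2"

rem Record direct membership before the change so the change can be reviewed later.
echo Members of %GROUP% before the change:
dsget group "%GROUP%" -members

rem Skip the add when the object is already a direct member.
dsget group "%GROUP%" -members | findstr /i /l /c:"%MEMBER%" >nul
if not errorlevel 1 (
  echo Already a member; nothing to do.
  exit /b 0
)

rem -addmbr adds a member; -rmmbr removes one.
dsmod group "%GROUP%" -addmbr "%MEMBER%"
if errorlevel 1 (
  echo dsmod failed; check the names and your delegated rights.
  exit /b 1
)

rem Confirm the member is now listed, then show every group the user
rem belongs to, including groups reached through nesting (-expand).
dsget group "%GROUP%" -members | findstr /i /l /c:"%MEMBER%" >nul || exit /b 1
echo Effective group memberships of %MEMBER%:
dsget user "%MEMBER%" -memberof -expand
exit /b 0
```

The final listing matters because a member receives the permissions and rights of every group it reaches through nesting, not only the group that was just changed.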

To add or remove a member from a group on a local computer

  1. Open Computer Management.

  2. In the console tree, click Groups.

    Where?

    • Computer Management/System Tools/Local Users and Groups/Groups

  3. Right-click the group to which you want to add or remove a member and click Properties.

  4. Do one of the following:

    • To add a member to a group, click Add. In Enter the object names to select, type the name of the user, group, or computer that you want to add to the group, and then click OK.

    • To remove a member from a group, click the member you want to remove, and then click Remove.

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

  • A user who belongs to a group has all the rights and permissions granted to that group. If a user is a member of more than one group, then the user has all the rights and permissions granted to every group he or she belongs to. For more information, see Default local groups.

  • You should not add a new user to the Administrators group unless the user will perform only administrative tasks. For more information, see Why you should not run your computer as an administrator.

  • If the computer participates in a domain, you can add user accounts and global groups from that domain and from trusted domains to a local group.
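
The local-group procedure has a command-line equivalent in net localgroup. The script below is an added example, not part of the original Help topic; the group and account names in its usage line are constructed, and the /confirm-admin switch is a hypothetical guard defined by this script only, reflecting the note above about the Administrators group.

```batch
@echo off
rem Added example: add or remove a member of a local group and list the result.
rem Arguments: %1 = add or remove, %2 = local group name, %3 = account to change.
setlocal
set "ACTION=%~1"
set "GROUP=%~2"
set "ACCOUNT=%~3"
if "%ACCOUNT%"=="" (
  echo Usage: %~nx0 add "Remote Desktop Users" EXAMPLE\jsmith
  echo        %~nx0 remove "Remote Desktop Users" EXAMPLE\jsmith
  exit /b 2
)

rem Hypothetical guard: adding to Administrators needs an explicit fourth argument.
if /i "%ACTION%"=="add" if /i "%GROUP%"=="Administrators" if /i not "%~4"=="/confirm-admin" (
  echo Refusing to add to Administrators without /confirm-admin as the fourth argument.
  exit /b 3
)

if /i "%ACTION%"=="add" (
  net localgroup "%GROUP%" "%ACCOUNT%" /add
) else if /i "%ACTION%"=="remove" (
  net localgroup "%GROUP%" "%ACCOUNT%" /delete
) else (
  echo Unknown action "%ACTION%"; use add or remove.
  exit /b 2
)
if errorlevel 1 exit /b 1

rem List the group afterwards to confirm the change took effect.
net localgroup "%GROUP%"
exit /b 0
```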

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.