Create a new group

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To create a new group

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click the folder in which you want to add a new group.

    Where?

    • Active Directory Users and Computers/domain node/folder

  3. Point to New, and then click Group.

  4. Type the name of the new group.

    By default, the name you type is also entered as the pre–Windows 2000 name of the new group.

  5. In Group scope, click one of the options.

  6. In Group type, click one of the options.

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • To add a group, you can also click the folder in which you want to add the group, and then click Create a new group in the current container on the toolbar.

  • If the domain in which you are creating the group is set to the domain functional level of Windows 2000 mixed, you can select only the Security group type with Domain local or Global scopes. For more information, see Related Topics.

  • In Active Directory Users and Computers, by default, the name that you type is also entered as the pre–Windows 2000 name of the new group.

  • A group name cannot be identical to any other group name in the domain.

  • A group name (CN) can contain up to 64 uppercase or lowercase characters.

  • A group name (CN) cannot consist solely of spaces.

  • A group name (pre–Windows 2000) (samAccountName object attribute) can contain up to 256 uppercase or lowercase characters except for the following:

    " / \ [ ] : ; | = , + * ? <>

  • A group name (pre–Windows 2000) (samAccountName object attribute) cannot consist solely of periods or spaces.

Using a command line

  1. Open Command Prompt.

  2. Type:

    dsadd group GroupDN -samid SAMName -secgrp {yes | no} -scope {l | g | u}

    Value        Description

    GroupDN      Specifies the distinguished name of the group object that you want to add.

    SAMName      Specifies the Security Accounts Manager (SAM) name to use as the unique SAM account name for this group (for example, operators).

    yes | no     Specifies whether the group you want to add is a security group (yes) or a distribution group (no).

    l | g | u    Specifies whether the scope of the group you want to add is domain local (l), global (g), or universal (u).

Notes

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • If the domain in which you are creating the group is set to the domain functional level of Windows 2000 mixed, you can select only the Security group type with Domain local or Global scopes. For more information, see Related Topics.

  • To view the complete syntax for this command, at a command prompt, type:

    dsadd group /?

  • A group name cannot be identical to any other group name in the domain.

  • A group name (CN) can contain up to 64 uppercase or lowercase characters.

  • A group name (CN) cannot consist solely of spaces.

  • A group name (pre–Windows 2000) (samAccountName object attribute) can contain up to 256 uppercase or lowercase characters except for the following:

    " / \ [ ] : ; | = , + * ? <>

  • A group name (pre–Windows 2000) (samAccountName object attribute) cannot consist solely of periods or spaces.

Note

When you use net group to create a new group account (net group <group_name> /add /domain, for example, net group Group1 /add /domain), if you specify a group name that is longer than 64 characters, the directory service sets the group’s CN to the automatically generated objectSID of the newly created group account and the samAccountName object attribute assumes the name that you specify in the net group command. For more information about net group name restrictions, see NetGroupAdd (https://go.microsoft.com/fwlink/?LinkID=159751).
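The naming rules in the notes above and the dsadd syntax can be combined into a pre-flight check that rejects a name before the command is run, including the case of a name longer than 64 characters that the net group note describes. This is an added example, not Microsoft's code: the function names, the example.com container and the sample group names are assumptions, and escape_rdn applies RFC 4514 backslash escaping to the CN, which this page does not cover.

```python
# Added example: validate both names against this page's rules, then build dsadd arguments.
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')  # pre-Windows 2000 name exclusions from the notes
CN_MAX, SAM_MAX = 64, 256                # length limits from the notes
SCOPES = ("l", "g", "u")                 # domain local, global, universal


def check_cn(cn):
    """Return the problems found in a group name (CN)."""
    problems = []
    if len(cn) > CN_MAX:
        problems.append(f"CN has {len(cn)} characters, limit is {CN_MAX}")
    if not cn.strip(" "):
        problems.append("CN is empty or consists solely of spaces")
    return problems


def check_sam(sam):
    """Return the problems found in a pre-Windows 2000 name (samAccountName)."""
    problems = []
    if len(sam) > SAM_MAX:
        problems.append(f"samAccountName has {len(sam)} characters, limit is {SAM_MAX}")
    bad = sorted(set(sam) & SAM_FORBIDDEN)
    if bad:
        problems.append("samAccountName contains excluded characters: " + " ".join(bad))
    if not sam.strip(". "):
        problems.append("samAccountName is empty or consists solely of periods or spaces")
    return problems


def escape_rdn(value):
    """Backslash-escape DN special characters so the CN cannot alter the DN (RFC 4514)."""
    chars = ["\\" + c if c in ',+"\\<>;=' else c for c in value]
    if chars and chars[0][0] in "# ":        # leading '#' or space
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":  # trailing space
        chars[-1] = "\\ "
    return "".join(chars)


def build_dsadd(cn, container_dn, sam, security=True, scope="g"):
    """Validate both names, then return the dsadd arguments; nothing is executed."""
    problems = check_cn(cn) + check_sam(sam)
    if scope not in SCOPES:
        problems.append(f"scope must be one of {SCOPES}")
    if problems:
        raise ValueError("; ".join(problems))
    group_dn = f"CN={escape_rdn(cn)},{container_dn}"
    return ["dsadd", "group", group_dn, "-samid", sam,
            "-secgrp", "yes" if security else "no", "-scope", scope]
```

Calling build_dsadd("Operators", "OU=Groups,DC=example,DC=com", "operators") returns the argument list for a global security group; a name that breaks any rule raises ValueError listing every problem found.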

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Working with MMC console files
Group scope
Group types
Object names
Command-line reference A-Z
Dsadd