The main purpose of a group is to simplify administration
by allowing permissions to be assigned to a collection of
users instead of individual users. A group can contain user
accounts, computer accounts, or contacts, as its members.
In addition to the previous, a group can also contain other
groups, which is referred to as group nesting. Which items
a group can contain and where they can be used for, depends
on the group type, the group scope and the domain functional
Windows 2003 Active Directory supports the following two group
• Security Groups – Used for assigning
permissions for directory objects and resources such as shared
folders and printers. Security groups are also used for assigning
right to users, for example by using Group Policies.
• Distribution Groups – Used for creating
e-mail distribution lists (ie. for MS Exchange server). It
allows a user to send e-mail to all the members by using a
You can change the group type from security
to distribution, or vice versa, if the domain functional level
is set to Windows 2000 native or Windows 2003. Group types
cannot be changed if the domain is running in Windows 2000
A group scope defines from which domain from which members
can be added and in which domain, tree, of forest, rights
and permissions can be assigned to a group. When you create
a new group, it will be a security group with global scope
by default. You can modify the group scope if the domain functional
level is set to Windows 2000 native or Windows Server 2003.
Changing a group scope in Windows 2000 mixed mode domains
is not possible.
Windows 2003 Active Directory supports the following three
• Domain Local – Used for assigning permissions
within the local domain only. A domain local group can contain
user accounts and global and universal groups with from any
domain, and other domain local groups from the same domain.
A domain local group can be changed to a universal group only
if it does not have other domain local groups as its members.
• Global – Used for assigning permissions
throughout the entire forest. A global group can only contain
user accounts and global groups from the same domain the global
group is in. If the domain is running in Windows 2000 Mixed
mode, you can add only user accounts to a global group. A
global group can be changed to a universal group if it is
not a member of another global group.
• Universal –
Used for assigning permissions throughout the entire forest.
A universal group can contain user accounts, computer accounts,
and global and universal groups from any domain in the forest.
Security type universal groups can be created only when the
domain functional level is set to Windows 2000 native or Windows
Server 2003. Opposite to domain local and global groups, universal
groups are replicated to every global catalog in the entire
forest. A universal group can be changed to a domain local
group at any time. A universal group can be changed to a global
group only if it does not have other universal groups as its
The preferred method to use these group
scopes is explained in the following example:
When you assign permissions to all
the users in the Sales department, for a shared resource,
i.e. Printer1, you should create a domain local group for
the sales department, i.e. SalesPrinters, and assign it permissions
for Printer1. Then you should group the users into a global
group, i.e. Sales, and add the global group to the domain
local group. A universal group is particularly useful when
the group needs to contain members from multiple domains.
Universal groups should be members of domain local groups,
and have global groups as their members.
Local vs. Active Directory Groups
The group types and scopes outlined above are pertinent to
Windows 2003 servers that are members or domain controllers
in an Active Directory domain. They are stored in the Active
Directory on domain controllers. However, groups also exist
on a local machine level, even if ADS is not in use. You can
create local groups on the local computer using the
Local Users and Group MMC snap-in and the can be used for
assigning permissions on that computer only.
Windows 2003 creates default groups in the Builtin
container and the Users container. The following
lists show the groups created in a Windows 2003 domain by
default (this may vary per configuration and on the installed
Windows components). The first list shows the groups in the
Builtin container. These groups are all domain local
groups and cannot be moved to another container or OU.
• Account Operators - Members of this group
can administer domain user and group accounts, log on locally,
and can shutdown domain controllers. Account Operators cannot
modify the Administrators or Domain Admins groups and accounts.
• Administrators - Members of this group have
full access to the domain or computer. By default, this group
contains the Domain Admins and Enterprise Admins groups and
the Administrator user account.
• Backup Operators - Members of this group
can back up or restore files without being limited by file
permissions. Back up Operators can also log on locally and
shutdown domain systems.
• Guests – Members
of this group have the same permissions and right as the Users
group by default, The Guest user account is disabled by default.
This Guests group contains the Domain Guests group as a member.
• Incoming Forest Trust Builders -Members of
this group can create incoming, one-way trust relationships
to this forest. This group appears only in the root domain
of the forest.
• Network Configuration Operators - Members
of this group can change the TCP/IP settings on domain controllers
in the domain.
• Performance Monitor Users - Members of this
group can monitor performance counters on domain controllers
in the domain.
• Performance Log Users - Members of this group
can manage performance counters, logs and alerts on domain
controllers in the domain.
• Pre-Windows 2000 Compatible Access - Members
of this group have read access to all users and groups in
the domain. This group provides backward compatibility for
computers running Windows version pre-Windows 2000, such as
Windows NT 4. The Everyone group is a member of this group
• Print Operators - Members of this group have
the appropriate rights to administer printers connected to
domain controllers and shared printer objects in the Active
Directory. Print Operators can also log on locally and shutdown
• Remote Desktop Users - Members in this group
are granted the right to logon remotely using a terminal session.
• Replicator – A system group account
used for file replication in a domain. This group has no members
and you should not add them either.
• Server Operators - Members of this group
can administer shared resources on domain servers, start and
stop certain services, and format hard disks. Additionally,
members of this group have the same rights Backup Operators
• Users – Members of this group have
sufficient permissions and rights to run certified Windows
applications, but cannot run most legacy applications. This
prevents regular users from making system-wide changes.
The following default groups reside in the
Users container in the Active Directory. The Users
container contains domain local, global, and universal scope
default groups. These groups can be moved to another OU if
• Cert Publishers - Members of this group can
publish digital certificates for users and computers.
• DnsAdmins - Members of this group have permissions
to administer DNS.
• DnsUpdateProxy - Members of this group can
act as a DNS proxy for clients. A DHCP server that handles
dynamic updates for DCHP clients should be a member of this
• Domain Admins - Members of this group have
full control of the domain. This group is a member of the
Administrators group on all domain members including domain
controller. The Administrator user account is a member of
this group by default.
• Domain Computers - This group contains all
the computer accounts of the client and servers joined to
• Domain Controllers - This group contains
all domain controllers in the domain.
• Domain Guests - This group contains all domain
• Domain Users - This group contains all domain
users. When you create a new user account in the domain, it
will automatically become a member of the Domain Users group.
• Enterprise Admins - Members of this group
have full control of all domains in the forest. This group
is a member of the Administrators group on all domain controllers
in the forest. The Administrator user account is a member
of this group by default.
• Group Policy Creator Owners - Members of
this group can modify Group Policy settings in the domain.
The Administrator user account is a member of this group by
• IIS_WPG – A system group account used
by Internet Information Services (IIS) 6.0.
• RAS and IAS Servers - Servers in this group
have access to the remote access properties of users. This
group is used for IAS servers that perform authentication
for a collection of RRAS servers.
• Schema Admins - Members of this group can
modify the Active Directory schema. The Administrator user
account is a member of this group by default.
The following special identities
can also be considered groups as they allow you to assign
permissions to a dynamic group of users:
• Everyone – Includes everyone with a
• Anonymous Logon – Includes everyone
without a user account.
• Network - Includes users that are currently
logged on to a computer over the network. This is the opposite
of the Interactive group.
• Interactive – Includes users that are
currently logged on to the local computer. This is the opposite
of the Network group.
Groups are created by using the Active Directory Users and
Computers MMC snap-in. To create a new group, right-click
the domain or OU in which you want to create the user, select
New, and then click Group. The New Object – Group dialog,
displayed below, will open. You will need to provide a name
and you can choose the group scope and group type.
When you open the properties sheet of an
existing group, you can associate a description and an e-mail
address with the group and change the scope and type on the
General tab. The Members tab of the group’s properties
allows you to add members to this group, and the Member Of
tab allows you to join this group to other groups. On the
Managed By tab, you can specify a person that is responsible
for this group, and specify whether this person should be
able to add and remove members to and from this group.
You can move a group to another container,
from the Users container to a departmental OU for example,
by right-clicking the group and selecting Move from the context
menu. With the exception of universal groups, groups can be
moved within a domain only. When you move a universal group
from one domain to another, you will have to reassign permissions
and rights as they will be lost in the process. The member
settings of the universal group will be retained.
Find domain groups in which a user
is a member
On a large Active Directory with many group it can be hard
to keep track of which groups a user belongs to. The Member
Of tab of a user’s properties, displays a list of groups
the user is a member of. It does not show groups that reside
in trusted domains but the user is a member of. For a more
complete list of groups a user belongs too, you can use the
Dsget.exe command line utility. The syntax for displaying
group membership is:
dsget user UserDN -memberof -expand
The UserDN parameter is the user’s distinguished name,
dsget user "CN=Johan Hiemstra,CN=users,dc=testdomain,dc=techexams,dc=corp"
Without the -expand option, only the groups the user is joined
to directly are displayed. With this option, each group is
expanded to determine membership through nested groups. For
example, when a user is a member of the Domain Users default
group, it is also a member of the Users built-in group, because
the Domain Users group is a member of the Users group.
here for more information about the dsget command.
Automated Group Management
Instead of creating and modifying groups manually, you can
also automate group management using command-line utilities.
Csvde.exe is one of the tools that can be used to perform
batch changes to the Active Directory. It can be used to import
and export data from and to a file in comma separated value
(CSV) format. Ldifde.exe is a more advanced tool that allows
you to create, modify, and delete active directory objects.
You can use Ldifde to extend the schema, and export and import
Active Directory user and group data to or from other directories.
here for more information about the Csvde.exe command
here for more information about the Ldifde.exe command