A group object is created in Active Directory in the domain container that will hold the new group. Groups can be created at the root of the domain, within an organizational unit, or within a container. To create a group object, use the IADsContainer::Create or the IDirectoryObject::CreateDSObject method.
The following table lists attributes that are required to make the group object a legal group that Active Directory and the Windows security system will recognize.
|cn||Specifies the name of the group object in the directory. This will be the object's relative distinguished name within the container where the group is created.|
|groupType||Contains an integer that specifies the group type and scope.
enumeration defines the possible values for the groupType
The following table defines common group types and values for this attribute.
If the group is intended for setting access control on directory objects, the group should be a Global Security or Universal Security group.
Be aware that Universal Security groups can only be created on Windows® 2000 domains running in native mode. For more information about detecting mixed and native mode, see Detecting the Operation Mode of a Domain.
|sAMAccountName||Contains a string that is the name used to support clients and servers from a previous version. The sAMAccountName should be less than 20 characters to support clients of a previous version of Windows NT. The sAMAccountName must be unique among all security principal objects within the domain. A query should be performed against the domain to verify that the sAMAccountName is unique within the domain.|
The members of the group can be added at creation time using the IDirectoryObject::CreateDSObject method. Optionally, members can be added to the group after creation using the IADsGroup::Add method. For more information about adding members to a group, see Adding Members to Groups in a Domain.
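The following PowerShell sketch is an added example, not code from the original page. It walks through the steps above: check the sAMAccountName length, query the domain for uniqueness, then call Create (IADsContainer::Create, reached through the [ADSI] wrapper) and set the required attributes. The container DN, the group name, and the character allow-list are assumptions chosen for illustration.

```powershell
# Constructed placeholder values; replace with your own container and name.
$containerDn = 'OU=Groups,DC=example,DC=com'
$groupName   = 'App-Readers'

# ADS_GROUP_TYPE_GLOBAL_GROUP (0x2) combined with
# ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000) = 0x80000002,
# which is -2147483646 as the signed 32-bit integer the attribute stores.
$globalSecurity = -2147483646

# Escape characters that are special in an LDAP search filter (RFC 4515),
# so the name cannot change the meaning of the uniqueness query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

# The sAMAccountName should be less than 20 characters.
if ($groupName.Length -ge 20) {
    throw "sAMAccountName '$groupName' must be less than 20 characters."
}

# Assumption: a conservative allow-list, which also means the name needs
# no escaping when it is used as the CN relative distinguished name.
if ($groupName -notmatch '^[A-Za-z0-9._-]+$') {
    throw "Group name '$groupName' contains characters outside the allow-list."
}

# Query the current domain (subtree search) to verify that no security
# principal already uses this sAMAccountName.
$filter   = '(sAMAccountName={0})' -f (ConvertTo-LdapFilterValue $groupName)
$searcher = [adsisearcher]$filter
if ($null -ne $searcher.FindOne()) {
    throw "sAMAccountName '$groupName' already exists in the domain."
}

# Create the group in the target container and set the attributes listed
# in the table above. cn is supplied through the relative distinguished name.
$container = [ADSI]"LDAP://$containerDn"
$group = $container.Create('group', "CN=$groupName")
$group.Put('sAMAccountName', $groupName)
$group.Put('groupType', $globalSecurity)
$group.SetInfo()   # Commits the new object to the directory.
```

The uniqueness query and the create are separate operations, so the directory can still reject SetInfo if another principal takes the name in between; treat that error as the authoritative check.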