Directory Services

Creating Groups in a Domain

A group object is created in Active Directory in the domain container where the new group will be contained. Groups can be created at the root of the domain, within an organizational unit, or within a container. To create a group object, use the IADsContainer::Create or the IDirectoryObject::CreateDSObject method.

The following table lists attributes that are required to make the group object a legal group that Active Directory and the Windows security system will recognize.

Attribute: cn
    Specifies the name of the group object in the directory. This will be the object's relative distinguished name within the container where the group is created.

Attribute: groupType
    Contains an integer that specifies the group type and scope. The ADS_GROUP_TYPE_ENUM enumeration defines the possible values for the groupType attribute.

    The following table defines common group types and values for this attribute.

    Group                        Flags
    Domain Local Distribution    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
    Domain Local Security        ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
    Global Distribution          ADS_GROUP_TYPE_GLOBAL_GROUP
    Global Security              ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
    Universal Distribution       ADS_GROUP_TYPE_UNIVERSAL_GROUP
    Universal Security           ADS_GROUP_TYPE_UNIVERSAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED

    If the group is intended for setting access control on directory objects, the group should be a Global Security or Universal Security group.

    Be aware that Universal Security groups can only be created on Windows® 2000 domains running in native mode. For more information about detecting mixed and native mode, see Detecting the Operation Mode of a Domain.

Attribute: sAMAccountName
    Contains a string that is the name used to support clients and servers from a previous version. The sAMAccountName should be less than 20 characters to support clients of a previous version of Windows NT.

    The sAMAccountName must be unique among all security principal objects within the domain. A query should be performed against the domain to verify that the sAMAccountName is unique within the domain.

The members of the group can be added at creation time using the IDirectoryObject::CreateDSObject method. Optionally, members can be added to the group after creation using the IADsGroup::Add method. For more information about adding members to a group, see Adding Members to Groups in a Domain.
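The following PowerShell script is an added example, not code from the original page; it calls IADsContainer::Create through the [ADSI] adapter and sets the three attributes listed above, after checking the sAMAccountName length and domain-wide uniqueness the page requires. The container DN, group name and function names are hypothetical, and the script assumes it runs on a domain-joined host under an account permitted to create groups in that container.

```powershell
# Added example (not from the original page): create a group with IADsContainer::Create
# via the PowerShell [ADSI] adapter, honouring the cn / groupType / sAMAccountName rules.

# ADS_GROUP_TYPE_ENUM flag values. PowerShell parses 8-digit hex literals as signed Int32,
# which matches the Int32 storage of the groupType attribute.
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x00000002
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x00000008
$ADS_GROUP_TYPE_SECURITY_ENABLED   = 0x80000000

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves so a caller-supplied name cannot change the filter.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Test-SamAccountNameUnique {
    # sAMAccountName must be unique among all security principals in the domain,
    # so the search covers the whole default naming context, not just the target container.
    param([string]$SamAccountName)
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter      = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    $searcher.SearchScope = 'Subtree'
    return ($null -eq $searcher.FindOne())
}

function New-DomainGroupViaAdsi {
    param(
        [string]$ContainerDN,   # hypothetical, e.g. "OU=Groups,DC=example,DC=com"
        [string]$Name,          # becomes the cn and therefore the RDN
        [int]$GroupType         # combination of ADS_GROUP_TYPE_* flags
    )
    if ($Name.Length -ge 20) { throw "sAMAccountName must be less than 20 characters" }
    if (-not (Test-SamAccountNameUnique $Name)) { throw "sAMAccountName '$Name' is already taken in this domain" }

    $container = [ADSI]"LDAP://$ContainerDN"
    $group = $container.Create("group", "CN=$Name")    # IADsContainer::Create
    $group.Put("groupType", $GroupType)
    $group.Put("sAMAccountName", $Name)
    $group.SetInfo()                                    # commit the new object to the directory
    return $group
}

# Global Security group: the scope the page recommends for groups used in ACLs on directory objects.
$groupType = $ADS_GROUP_TYPE_GLOBAL_GROUP -bor $ADS_GROUP_TYPE_SECURITY_ENABLED
New-DomainGroupViaAdsi -ContainerDN "OU=Groups,DC=example,DC=com" -Name "AppAdmins" -GroupType $groupType
```

Because a security-enabled group is itself a grantable principal, creating one in a container whose ACL you do not control is a good place to fail closed: the throw on a duplicate sAMAccountName stops the script before SetInfo writes anything.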