Platform SDK: Active Directory, ADSI, and Directory Services

Creating Machine Local Groups on Member Servers and Windows 2000 Professional

Only machine local groups (class localGroup) can be created on member servers and Windows® 2000 Professional.

To create a machine local group on a member server or computer running Windows 2000 Professional

  1. Bind to the computer using the following rules:
    1. Use an account that has sufficient rights to access that computer.
    2. Use the following binding string format using the WinNT provider, computer name, and an extra parameter to tell ADSI that it is binding to a computer:

      WinNT://sComputerName,computer

      where sComputerName is the name of the computer whose groups you want to access.

      In the binding string, the ",computer" parameter tells ADSI that it is binding to a computer. ADSI makes this information available to the WinNT provider's parser so that it can skip some ambiguity-resolution queries to determine what type of object you are binding to.

    3. Bind to the IADsContainer interface.
  2. Specify "localGroup" as the class using IADsContainer::Create to add the group.

    Note  If you specify "group" as the class, ADSI uses "localGroup". Do not specify the class as "globalGroup". Groups of class "globalGroup" cannot be created on member servers or a computer running Windows NT Workstation/Windows 2000 Professional. If you specify "globalGroup," IADsContainer::Create creates the group in the property cache but IADs::SetInfo does not write the group to the security database and it does not return an error.

  3. Write the group to the computer's security database using IADs::SetInfo.
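
The procedure above in PowerShell, as an added example that is not part of the SDK page. The function name New-MachineLocalGroup and the sample computer and group names are hypothetical. Because the Note says a wrong class fails without an error, the function confirms the write with a fresh bind after SetInfo.

```powershell
# Added example; New-MachineLocalGroup and the sample names are hypothetical.
function New-MachineLocalGroup {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Step 1: bind to the computer, running as an account with sufficient
    # rights on it. ",computer" tells the WinNT provider what kind of object
    # this is, so it can skip its ambiguity-resolution queries.
    $computer = [ADSI]"WinNT://$ComputerName,computer"

    # Step 2: IADsContainer::Create with class "localGroup". The class is
    # hard-coded so a caller cannot pass "globalGroup", which would only
    # reach the property cache.
    $group = $computer.Create('localGroup', $GroupName)

    # Step 3: IADs::SetInfo writes the group to the security database.
    $group.SetInfo()

    # SetInfo can succeed without writing anything, so check that the group
    # is really there by binding to it again instead of trusting the cache.
    $path = "WinNT://$ComputerName/$GroupName,group"
    if (-not [ADSI]::Exists($path)) {
        throw "Group '$GroupName' was not written to the security database of '$ComputerName'."
    }

    # Return the freshly bound group object to the caller.
    [ADSI]$path
}

# Constructed sample call:
# New-MachineLocalGroup -ComputerName 'SRV01' -GroupName 'AppOperators'
```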