Platform SDK: Active Directory, ADSI, and Directory Services

Creating Groups in a Domain

To add a group to Active Directory, you create a group object in the domain container of the domain where you want to place the group. Groups can be created at the root of the domain, within an organizational unit, or within a container.

When you create a group object, you must also set the following attributes to make the object a legal group that Active Directory and the Windows® security system can recognize.

cn
Required. Specify the name of the group object in the directory. This will be the object's relative distinguished name within the container where you create the group.
groupType
Required. Specify an integer containing the flags that select the group's type (security or distribution) and scope (domain local, global, or universal), using one of the following combinations.

Group                       Flags
Domain Local Distribution   ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
Domain Local Security       ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
Global Distribution         ADS_GROUP_TYPE_GLOBAL_GROUP
Global Security             ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED
Universal Distribution      ADS_GROUP_TYPE_UNIVERSAL_GROUP
Universal Security          ADS_GROUP_TYPE_UNIVERSAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED

If the group is intended for setting access control on directory objects, you should create Global Security or Universal Security groups.

Note  Universal Security groups can only be created on Windows® 2000 domains running in native mode. For more information about detecting mixed and native mode, see Detecting the Operation Mode of a Domain.

sAMAccountName
Required. Specify a string that is the name used by clients and servers from previous versions of Windows. The sAMAccountName should be less than 20 characters to support clients running earlier versions of Windows NT®.

The sAMAccountName must be unique among all security principal objects within the domain. You should perform a query against the domain to verify that the sAMAccountName is unique within the domain.

Optionally, you can set the member property when creating the group object with IDirectoryObject::CreateDSObject to add members (users, groups, or contacts). If you create the group with IADsContainer::Create instead, call IADsGroup::Add to set the member property immediately after creation. For more information about adding members to a group, see Adding Members to Groups in a Domain.
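The following PowerShell script is an added example, not code from the Platform SDK. It walks through the whole procedure on this page via the [ADSI] type accelerator, which wraps the IADsContainer, IADs, and IADsGroup interfaces described above: it composes the groupType value from the table, checks that the sAMAccountName is shorter than 20 characters and unique among the domain's security principals (the query the page asks you to run, here done with System.DirectoryServices.DirectorySearcher and an RFC 4515-escaped filter so the name cannot alter the query), then calls Create, Put, SetInfo and Add. The ADS_GROUP_TYPE_* numeric values are those defined in Iads.h; the container path, group name and member path in the usage lines are placeholders you must replace. It also decodes a groupType value read back from the directory, because AD stores the attribute as a signed 32-bit integer and the ADS_GROUP_TYPE_SECURITY_ENABLED bit makes every security group appear as a negative number.

```powershell
# Added example (not from the Platform SDK). Requires a domain-joined Windows host
# and an account with permission to create objects in the target container.

# ADS_GROUP_TYPE_* flag values from Iads.h, written as the signed 32-bit integers
# in which Active Directory stores groupType (0x80000000 is the sign bit).
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 2
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8
$ADS_GROUP_TYPE_SECURITY_ENABLED   = -2147483648

function Get-GroupTypeValue {
    # Builds the groupType attribute value from a scope and the security/distribution choice.
    param(
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$Scope,
        [switch]$SecurityEnabled
    )
    $flags = switch ($Scope) {
        'DomainLocal' { $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP }
        'Global'      { $ADS_GROUP_TYPE_GLOBAL_GROUP }
        'Universal'   { $ADS_GROUP_TYPE_UNIVERSAL_GROUP }
    }
    if ($SecurityEnabled) { $flags = $flags -bor $ADS_GROUP_TYPE_SECURITY_ENABLED }
    return [int]$flags   # Global Security, for example, is -2147483646
}

function Get-GroupTypeDescription {
    # Decodes a groupType value read back from the directory into the table's wording.
    param([Parameter(Mandatory)][int]$GroupType)
    $scope = 'Global'
    if (($GroupType -band $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) -ne 0) { $scope = 'Domain Local' }
    if (($GroupType -band $ADS_GROUP_TYPE_UNIVERSAL_GROUP) -ne 0)    { $scope = 'Universal' }
    $kind = 'Distribution'
    if (($GroupType -band $ADS_GROUP_TYPE_SECURITY_ENABLED) -ne 0)   { $kind = 'Security' }
    return "$scope $kind"
}

function Test-SamAccountNameAvailable {
    # Returns $true when no security principal in the domain already uses the name.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DomainPath    # e.g. LDAP://DC=example,DC=com
    )
    if ($SamAccountName.Length -ge 20) {
        throw "sAMAccountName '$SamAccountName' must be less than 20 characters"
    }
    # Escape LDAP filter metacharacters (RFC 4515); backslash first so the others are not double-escaped.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$DomainPath
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter = "(sAMAccountName=$escaped)"   # matches users, groups and computers alike
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    return ($null -eq $searcher.FindOne())
}

function New-AdsiGroup {
    # Creates the group with IADsContainer::Create, sets the required attributes, commits
    # with IADs::SetInfo, then adds any members with IADsGroup::Add.
    param(
        [Parameter(Mandatory)][string]$ContainerPath,   # e.g. LDAP://OU=Groups,DC=example,DC=com
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('DomainLocal', 'Global', 'Universal')][string]$Scope = 'Global',
        [switch]$SecurityEnabled,
        [string[]]$MemberPaths = @()
    )
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $domainPath = "LDAP://$($rootDse.defaultNamingContext)"
    if (-not (Test-SamAccountNameAvailable -SamAccountName $Name -DomainPath $domainPath)) {
        throw "A security principal named '$Name' already exists in the domain"
    }
    $container = [ADSI]$ContainerPath                    # IADsContainer
    $group = $container.Create('group', "CN=$Name")     # cn is the relative distinguished name
    $group.Put('sAMAccountName', $Name)
    $group.Put('groupType', (Get-GroupTypeValue -Scope $Scope -SecurityEnabled:$SecurityEnabled))
    $group.SetInfo()                                     # the object exists only after this call
    foreach ($memberPath in $MemberPaths) { $group.Add($memberPath) }   # IADsGroup::Add
    return $group
}

# Usage (placeholder paths and names; replace them for your domain):
# $g = New-AdsiGroup -ContainerPath 'LDAP://OU=Groups,DC=example,DC=com' -Name 'AppAdmins' `
#                    -Scope Global -SecurityEnabled -MemberPaths 'LDAP://CN=Alice,OU=Users,DC=example,DC=com'
# Get-GroupTypeDescription -GroupType ([int]$g.Get('groupType'))   # 'Global Security'
```

Note that the uniqueness check and the Create call are not atomic; a second administrator can still create the same name between them, and SetInfo then fails, so treat the search as a courtesy check and the SetInfo error as the authoritative result.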