Platform SDK: Active Directory, ADSI, and Directory Services
To add a group to Active Directory, you create a group object in the domain container of the domain where you want to place the group. Groups can be created at the root of the domain, within an organizational unit, or within a container.
When you create a group object, you must also set the following attributes to make the object a legal group that Active Directory and the Windows® security system can recognize.
Group | Flags |
---|---|
Domain Local Distribution | ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP |
Domain Local Security | ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP \| ADS_GROUP_TYPE_SECURITY_ENABLED |
Global Distribution | ADS_GROUP_TYPE_GLOBAL_GROUP |
Global Security | ADS_GROUP_TYPE_GLOBAL_GROUP \| ADS_GROUP_TYPE_SECURITY_ENABLED |
Universal Distribution | ADS_GROUP_TYPE_UNIVERSAL_GROUP |
Universal Security | ADS_GROUP_TYPE_UNIVERSAL_GROUP \| ADS_GROUP_TYPE_SECURITY_ENABLED |
If the group is intended for setting access control on directory objects, you should create Global Security or Universal Security groups.
Note: Universal Security groups can only be created on Windows® 2000 domains running in native mode. For more information about detecting mixed and native mode, see Detecting the Operation Mode of a Domain.
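As an added example (not part of the original documentation), the following C code maps a stored groupType value back to its row in the table above and checks whether it is one of the two types recommended for access control on directory objects. The helper names are hypothetical, and the ADS_GROUP_TYPE_* values are redefined locally on the assumption that the Platform SDK headers are not available where it is built.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ADS_GROUP_TYPE_ENUM values, redefined locally (assumption: the Platform
   SDK headers are not on the include path). */
#define ADS_GROUP_TYPE_GLOBAL_GROUP       0x00000002u
#define ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP 0x00000004u
#define ADS_GROUP_TYPE_UNIVERSAL_GROUP    0x00000008u
#define ADS_GROUP_TYPE_SECURITY_ENABLED   0x80000000u
#define SCOPE_MASK (ADS_GROUP_TYPE_GLOBAL_GROUP | \
                    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | ADS_GROUP_TYPE_UNIVERSAL_GROUP)

/* Hypothetical helper: name the table row for a groupType value. Returns NULL
   unless exactly one scope flag is set; bits outside the four flags are ignored. */
const char *group_type_name(int32_t group_type)
{
    uint32_t v = (uint32_t)group_type; /* stored signed: security bit is the sign bit */
    int sec = (v & ADS_GROUP_TYPE_SECURITY_ENABLED) != 0;
    switch (v & SCOPE_MASK) {
    case ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP:
        return sec ? "Domain Local Security" : "Domain Local Distribution";
    case ADS_GROUP_TYPE_GLOBAL_GROUP:
        return sec ? "Global Security" : "Global Distribution";
    case ADS_GROUP_TYPE_UNIVERSAL_GROUP:
        return sec ? "Universal Security" : "Universal Distribution";
    default: return NULL; /* no scope flag, or more than one */
    }
}

/* Hypothetical helper: 1 if the value is Global Security or Universal Security,
   the two types the text recommends for access control on directory objects. */
int recommended_for_directory_acl(int32_t group_type)
{
    uint32_t v = (uint32_t)group_type, scope = v & SCOPE_MASK;
    return (v & ADS_GROUP_TYPE_SECURITY_ENABLED) != 0 &&
           (scope == ADS_GROUP_TYPE_GLOBAL_GROUP || scope == ADS_GROUP_TYPE_UNIVERSAL_GROUP);
}

int main(void)
{
    /* Constructed sample values, in the signed form a directory query returns. */
    int32_t samples[] = { -2147483646, -2147483640, -2147483644, 2, 6 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *name = group_type_name(samples[i]);
        printf("%11d  %-26s acl:%d\n", (int)samples[i], name ? name : "(invalid)",
               recommended_for_directory_acl(samples[i]));
    }
    return 0;
}
```

Security-enabled values read back as negative integers because the security flag occupies the sign bit, so compare flags on the unsigned value rather than testing the raw integer.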
The sAMAccountName must be unique among all security principal objects within the domain. You should perform a query against the domain to verify that the sAMAccountName is unique within the domain.
Optionally, you can set the member property when creating the group object (using IDirectoryObject::CreateDSObject) to add members (users, groups, or contacts). Or if you use IADsContainer::Create to create the group, you can use IADsGroup::Add to set the member property directly after creation. For more information about adding members to a group, see Adding Members to Groups in a Domain.