Using groups to administer Active Directory resources

Groups are Active Directory objects designed to make a network administrator's life easier. They are used to manage and grant access to shared resources, to create e-mail distribution lists, and to filter group policy. They differ from organizational units in that a group can contain users, computers, and shared resources that reside on a single server, within a single domain, or across multiple domains in a forest, whereas an organizational unit contains objects only within the context of a single domain. For details, including group nesting, scope, and the differences in group operation under native vs. mixed mode domain controllers, see



Let's say you have a large sales department consisting of "reps" and "management" users. Everyone in the department will need access to certain resources, like print queues and distribution lists, while only "management" users should be granted access to some objects.

These users are best managed through security groups. First, create a department group named sales. You'll need to assign a common name and set the group type to either

Note that the latter scope is only supported on Win 2000 domains in native mode.

Code to create the group can be found at http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/adsi/glgroup_1kq8.htm

Repeat the process to create a reps group and a management group.

Add members to their proper (reps or management) group using IADsGroup::Add:

To add the user "jdoe" to the group reps in the domain TechTarget using the WinNT provider (VB6 with a reference to the Active DS Type Library):

' Bind to the reps group through the WinNT provider; GetObject returns the IADsGroup interface
Dim grp As IADsGroup
Set grp = GetObject("WinNT://TechTarget/reps")
' IADsGroup::Add takes the ADsPath of the new member; the change is committed immediately
grp.Add "WinNT://TechTarget/jdoe"

For snippets using the LDAP provider or C++, see http://msdn.microsoft.com/library/psdk/adsi/if_pers_8ulg.htm

Repeat the process to add the reps and management groups to the sales group.

You can now control access to data and resources through the groups instead of setting permissions for individual users. Print queues, for example, might grant access to the sales group and therefore be available to all department personnel. Some distribution lists (another type of group) might be available only to reps, while other resources can be available only to management. When a new sales rep is hired, adding the new user account to the reps group automatically provides the person with all the authorization to which they are entitled.
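The whole procedure, as an added PowerShell example rather than code from the original tip, using the LDAP provider through the [ADSI] accelerator: create the three global security groups, add jdoe to reps, nest reps and management in sales, then verify that the nesting took effect. The domain techtarget.local, the container OU=Sales and the existing user jdoe are assumed, and the script must run on a domain member as an account allowed to create groups in that OU.

```powershell
# Assumed names: domain techtarget.local, container OU=Sales, existing user jdoe (none come from the tip).
$domainDN = "DC=techtarget,DC=local"
$ou       = [ADSI]"LDAP://OU=Sales,$domainDN"

# groupType flags from ADS_GROUP_TYPE_ENUM: global (0x2) plus security-enabled (0x80000000).
# The attribute is a signed 32-bit integer, so 0x80000002 is written as -2147483646.
$GlobalSecurityGroup = -2147483646

function New-AdsiGlobalSecurityGroup {
    param([string]$Name)
    # Create the group under the OU, set its type, then commit the new object with SetInfo.
    $g = $ou.Create("group", "CN=$Name")
    $g.Put("sAMAccountName", $Name)
    $g.Put("groupType", $GlobalSecurityGroup)
    $g.SetInfo()
    return $g
}

$sales      = New-AdsiGlobalSecurityGroup "sales"
$reps       = New-AdsiGlobalSecurityGroup "reps"
$management = New-AdsiGlobalSecurityGroup "management"

# IADsGroup::Add takes the member's ADsPath, exactly as in the WinNT snippet above.
$reps.Add("LDAP://CN=jdoe,OU=Sales,$domainDN")

# Nest the two role groups in sales so a single ACE on a print queue covers the whole department.
$sales.Add($reps.Path)
$sales.Add($management.Path)

# Check 1: the 'member' attribute of sales should now list both nested groups.
$sales.RefreshCache()
$sales.member | ForEach-Object { "sales member: $_" }

# Check 2: jdoe's effective token (constructed attribute tokenGroups) should contain the SID of
# sales even though jdoe was only added to reps; that is what group nesting buys you.
$jdoe = [ADSI]"LDAP://CN=jdoe,OU=Sales,$domainDN"
$jdoe.RefreshCache(@("tokenGroups"))
$salesSid  = New-Object System.Security.Principal.SecurityIdentifier($sales.objectSid.Value, 0)
$effective = $jdoe.tokenGroups | ForEach-Object {
    New-Object System.Security.Principal.SecurityIdentifier($_, 0)
}
if ($effective -contains $salesSid) { "jdoe is in sales via reps" } else { "nesting did not apply" }
```

The tokenGroups check reads the membership the domain controller actually computes, so it is the one to rely on when auditing who can reach a resource through nested groups.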

Kevin Sharp is a registered professional engineer and writer living in Tucson, Arizona who gains his expertise from a variety of professional activities. His engineering outlets include web consulting for ID Systems Magazine, focusing on the fulfillment side of electronic commerce.


This was first published in June 2001
