Groups are Active Directory objects designed to make a network administrator's life easier. They are designed to manage and grant access to shared resources, create e-mail distribution lists, and filter group policy. They differ from organization units in that a group can contain users, computers, and shared resources that may reside on a single server, within a single domain, or on multiple domains in a forest. Organization units contain objects within the context of a single domain. For details, including group nesting, scope, and the differences in group operation under native vs. mixed mode domain controllers, see
Let's say you have a large sales department consisting of "reps" and "management" users. Everyone in the department will need access to certain resources, like print queues and distribution lists, while only "management" users should be granted access to some objects.
These users can best be managed through groups of type security. First, create a department group sales. You'll need to assign a common name and set the group type to either
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED, ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED, or ADS_GROUP_TYPE_UNIVERSAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED.Note that the latter scope is only supported on Win 2000 domains in native mode.
Code to create the group can be found at http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/adsi/glgroup_1kq8.htm
Repeat the process to create a reps group and a management group.
Add members to their proper (reps or management) group using IADsGroup::Add:
To add the user "jdoe" to the group reps on domain TechTarget using Win NT provider services:
Dim grp As IADsGroup Set grp = GetObject("WinNT://Techtarget/reps") grp.Add ("WinNT://Techtarget/jdoe")
For snippets using LDAP provider services or C++, see http://msdn.microsoft.com/library/psdk/adsi/if_pers_8ulg.htm
Repeat the process to add the reps and management groups to the sales group.
You can now control access to data and resources through the groups instead of setting permissions for individual users. Print queues, for example, might grant access to the sales group, and therefore be available to all department personnel. Some distribution lists (another type of group) might be available only to reps, while other resources can be available to only management. When a new sales rep is hired, adding the new user account to the rep group will automatically provide the person with all the authorization to which they are entitled.
Kevin Sharp is a registered professional engineer and writer living in Tucson, Arizona who gains his expertise from a variety of professional activities. His engineering outlets include web consulting for ID Systems Magazine, focusing on the fulfillment side of electronic commerce.
Did you like this tip? Let us know. You can drop a line to sound off.
This was first published in June 2001