Share via


Create a New Group

Applies To: Windows Server 2008

Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Creating a new group account

  • Using the Windows interface

  • Using a command line

To create a new group account using the Windows interface

  1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. In the console tree, right-click the folder under which you want to create a new group.

    Where?

    • Active Directory Users and Computers/domain node/folder
  3. Point to New, and then click Group.

  4. Type the name of the new group.

    By default, the name that you type is also entered as the pre–Windows 2000 name of the new group.

  5. In Group scope, click one of the options.

    For more information, see the section "Understanding group scope" in Understanding Group Accounts.

  6. In Group type, click one of the options.

    For more information, see the section "Understanding group types" in Understanding Group Accounts.

Additional considerations

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

  • Another way to open Active Directory Users and Computers is to click Start, click Run, and then type dsa.msc.

  • To add a group, you can also click the folder in which you want to add the group, and then click the new group icon on the toolbar.

  • If the domain in which you are creating the group is set to the domain functional level of Windows 2000 mixed, you can select only the Security group type with Domain local or Global scopes.

  • A group name cannot be identical to any other group name in the domain.

  • A group name (CN) can contain up to 64 uppercase or lowercase characters.

  • A group name (CN) cannot consist solely of spaces.

  • A group name (pre–Windows 2000) (samAccountName object attribute) can contain up to 256 uppercase of lowercase characters except for the following:

    " / \ [ ] : ; | = , + * ? <>

  • A group name (pre–Windows 2000) (samAccountName object attribute) cannot consist solely of periods or spaces.

  • In Active Directory Users and Computers, by default, the name that you type is also entered as the pre–Windows 2000 name of the new group.

Additional references

To create a new group account using a command line

  1. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type the following command, and then press ENTER:

    dsadd group <GroupDN> -samid<SAMName> -secgrp {yes|no} -scope {l|g|u}
    
Parameter Description

<GroupDN>

Specifies the distinguished name of the group object to be added.

-samid

Sets the <SAMName> value.

<SAMName>

Specifies the Security Accounts Manager (SAM) name as the unique SAM account name for the group (for example, Operators).

-secgrp

Sets the value for the group type.

{yes|no}

Specifies whether the group that you want to add is a security group (yes) or a distribution group (no).

-scope

Sets the value for the group scope.

{l|g|u}

Specifies whether the scope of the group that you want to add is domain local (l), global (g), or universal (u).

To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:

dsadd group /?

Additional considerations

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

  • If the domain in which you are creating the group is set to the domain functional level of Windows 2000 mixed, you can select only the Security group type with Domain local or Global scopes.

  • A group name cannot be identical to any other group name in the domain.

  • A group name (CN) can contain up to 64 uppercase or lowercase characters.

  • A group name (CN) cannot consist solely of spaces.

  • A group name (pre–Windows 2000) (samAccountName object attribute) can contain up to 256 uppercase of lowercase characters except for the following:

    " / \ [ ] : ; | = , + * ? <>

  • A group name (pre–Windows 2000) (samAccountName object attribute) cannot consist solely of periods or spaces.

Note

When you use net group to create a new group account (net group <group_name> /add /domain, for example, net group Group1 /add /domain), if you specify a group name that is longer than 64 characters, the directory service sets the group’s CN to the automatically generated objectSID of the newly created group account and the samAccountName object attribute assumes the name that you specify in the net group command. For more information about net group name restrictions, see NetGroupAdd (https://go.microsoft.com/fwlink/?LinkID=159751).

Additional references