Controlling which type of group you create is difficult. My advice is to start by creating a computer object and then progress to my simple group example. Only attempt this script if you have at least a passing knowledge of VBScript. The heart of the difficulty is this: whilst there is only one type of computer or user object, there are 6 types of group. Furthermore, no other common Active Directory object needs the CONST ADS_GROUP_TYPE statement to control its construction.
Whenever you consider groups, pay close attention to the group scope and the group type. There are 3 scopes and 2 types of group, which makes a total of 6 different combinations.
The default of Global Security is relatively easy to script, but if you wish to create a Universal Distribution group then you have to master the ADS_GROUP_TYPE constant. No other object requires this CONST statement, which is one reason why creating groups is so tricky.
Note 1: Do not worry about the apparent inconsistency that Active Directory Users and Computers refers to Global as a Group scope, but VBScript refers to it as a 'TYPE', as in TYPE_GLOBAL_GROUP.
Note 2: The H in &H2 tells VBScript that this is a hex number. Just for interest, below are the decimal equivalent values. Admire, but on no account use the decimal numbers, they will not work. My point is that VBScript is fussy about CONST. I mean really fussy; to take another example, spaces are not allowed, so either (&H 8) or (& H8) will raise a syntax error. It must be precisely (&H8) with no spaces.
When we analyzed groups, we discovered that they have two properties, type and scope. This is why scripting groups is more difficult than scripting computers or OUs. There is a knack to combining both properties; it is eccentric, but the statement needs the word 'Or'. Surprisingly nothing else works. Forget 'and', say no to ampersand, I repeat, just type 'Or' between the two halves.
objGroup.Put "groupType", _
ADS_GROUP_TYPE_UNIVERSAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED
As you may know, the first _ (underscore) tells VBScript to interpret both lines as a single command. The CONST names have zillions of underscores, which may be confusing, but that's just the way VBScript defines them. (Remember I did advise starting with a simple script such as creating a computer.)
While this script creates a Universal Security group, you could amend the CONST ADS
statement to create a Security Distribution group. The reason I chose this particular combination of Universal and Security was that I wanted a different group from my simple create group script. This is what we are aiming
for, see Newport Bosses in the diagram below:
I recommend that you log on at a domain controller. If you are a long way from the server, Remote Desktop would be a suitable alternative. If that is not possible, you could get these scripts to work from an XP machine as a non-administrator. However, why introduce extra complications? Especially at the beginning, you want easy success, with the fewest obstacles.
Instructions for Creating Group Accounts in Active Directory
You should run this VBScript on a Windows Active Directory domain.
Copy and paste the example script below into notepad or a VBScript editor.
Decide whether to change the value for strGroup.
Save the file with a .vbs extension, for example: Groups.vbs.
Double click Groups.vbs and check the strOU for your new group.
Sample Script to Create a Universal Security Group
' UniversalSecurityGroup.vbs
' Sample VBScript to create a Universal Security Group
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.2 - May 2010
' ----------------------------------------------------------'
Option Explicit
Dim strOU, strNewGroup, strNewGroupLong, strDNSDomain
Dim objOU, objGroup, objRootDSE
Dim strGuyGp, strGPType

Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
' If you want a Global group, here is the CONST
' Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2

' Make sure the OU referenced by strOU exists
' Option change the strNewGroup = "UniNewportManagers"
strOU = "OU=Newport,"
strNewGroup = "Newport Bosses"
strNewGroupLong = "CN=" & strNewGroup

' Bind to Active Directory
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Create new Group
Set objOU = GetObject("LDAP://" & strOU & strDNSDomain)
Set objGroup = objOU.Create("Group", strNewGroupLong)
objGroup.Put "sAMAccountName", strNewGroup

' Here is where you set the group Type and Scope
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP _
Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo
Note 1: I divided the example script into 5 sections. At the top is the usual header section with extra statements to declare the CONST values.
Note 2: As with most of my sample scripts, check that your strOU variable matches the reality of your domain. Decide on the name of your group, mine was 'Newport Bosses'.
Note 3: In the middle is a short section that binds to Active Directory.
Note 4: objOU.Create("Group",strNewGroupLong) is where the group is created.
Note 5: The key part of the script is objGroup.Put "groupType"; here is where we assign the group characteristics, in this case Universal and Security.
Note 6: Curiously, there is no specific command to create a Distribution group, as opposed to a Security group. What you must do is rely on the fact that distribution is the default, so if you declare only a scope, then it will automatically create that group as a distribution group. Example of (global) distribution group:
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP
objGroup.SetInfo
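The script below is an added example, not part of the original sample script: it builds all six groupType values with Or and decodes each one back with And, without touching Active Directory. BuildGroupType and DescribeGroupType are hypothetical helper names, ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP (&H4) is the third scope constant, which the sample script does not use, and because VBScript holds &H80000000 as a signed 32-bit number, the security groups print as negative values.

```vbscript
' GroupTypeDecode.vbs - added example, runs offline (no AD bind).
' BuildGroupType and DescribeGroupType are hypothetical helper names.
Option Explicit

Const ADS_GROUP_TYPE_GLOBAL_GROUP       = &H2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP    = &H8
Const ADS_GROUP_TYPE_SECURITY_ENABLED   = &H80000000

' Combine one scope flag with the optional security flag (bitwise Or).
Function BuildGroupType(lngScope, blnSecurity)
    BuildGroupType = lngScope
    If blnSecurity Then
        BuildGroupType = lngScope Or ADS_GROUP_TYPE_SECURITY_ENABLED
    End If
End Function

' Turn a groupType value into a readable "scope + type" label (bitwise And).
Function DescribeGroupType(lngType)
    Dim strScope, strKind
    If (lngType And ADS_GROUP_TYPE_UNIVERSAL_GROUP) <> 0 Then
        strScope = "Universal"
    ElseIf (lngType And ADS_GROUP_TYPE_GLOBAL_GROUP) <> 0 Then
        strScope = "Global"
    ElseIf (lngType And ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) <> 0 Then
        strScope = "Domain Local"
    Else
        strScope = "Unknown scope"
    End If
    If (lngType And ADS_GROUP_TYPE_SECURITY_ENABLED) <> 0 Then
        strKind = "Security"
    Else
        strKind = "Distribution"   ' no flag set: distribution is the default
    End If
    DescribeGroupType = strScope & " " & strKind
End Function

Dim arrScopes, lngScope, lngType
arrScopes = Array(ADS_GROUP_TYPE_GLOBAL_GROUP, _
                  ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP, _
                  ADS_GROUP_TYPE_UNIVERSAL_GROUP)

' Print all six combinations: signed decimal, hex, and decoded label.
For Each lngScope In arrScopes
    lngType = BuildGroupType(lngScope, False)
    WScript.Echo lngType & " (&H" & Hex(lngType) & ") = " & DescribeGroupType(lngType)
    lngType = BuildGroupType(lngScope, True)
    WScript.Echo lngType & " (&H" & Hex(lngType) & ") = " & DescribeGroupType(lngType)
Next
```

Run it with cscript //nologo GroupTypeDecode.vbs. A line that decodes as Security marks a group that can be granted permissions, which is the property to confirm when reviewing groups created by script.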
To master creating Active Directory groups, find out all you can about how the CONST ADS defines the 6 possible types of group. My advice is to practice creating a simpler object such as a computer or contact, then move on to scripting groups. It is also worth 'walking through' how you create a group in Active Directory Users and Computers.