Using the Active Directory command-line tools, in a Windows 2000 domain, or Windows Server 2003 domain, you can create a group, and set its' type and scope, from the command-line.

The syntax is:

dsadd group group_DN -samid SAM_Name -secgrp yes | no -scope l | g | u


<b>group_DN</b>   is the distinguished name of the group, like any of the following:
                     "CN=Accounts Payables,CN=Users,DC=JSIINC,DC=COM"

<b>SAM_Name</b>   is the unique SAM name for the group, like accountants.

<b>yes | no</b>   indicates if the group type is a security group (<b>yes</b>), or a distribution group (<b>no</b>).

<b>l | g | u</b>  is the <a href="/article/jsifaq/jsi-tip-2407-windows-2000-group-types-and-scope-usage-.aspx">group scope</a> where <b>l</b> is domain local, <b>g</b> is global, and <b>u</b> is universal.
           If the domain functional level is Windows 2000 mixed, only security groups with domain local scopes or global scopes are permitted.
To add a member to a group, the syntax is:

dsmod group group_DN -addmbr member_DN where:

<b>group_DN</b>   is the distinguished name of the group.

<b>member_DN</b>  is the distinguished name of the object that you wish to add to the group,
           like <b>"CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM"</b>.

<b>NOTE:</b> To delete a group:

<b>dsrm group_DN</b>

<b>NOTE:</b> To delete a member:

<b>dsmod group group_DN -rmmbr member_DN</b>

<b>NOTE:</b> For additional options, type <b>dsadd group /?</b> or <b>dsmod group /?</b>.