Is there a way to change the Default Primary Group "Domain Users" that AD
automatically assigns when a new user is created?

I'd like new AD users that are created in a specific OU to be assigned
"Domain Guests" as their default Primary Group rather than "Domain Users".

Thanks.

Hi,

The primary group can be changed on per user basis; not on OU basis. So
that means after you create user you can manually change the default
primary group.

The user's primary group applies only to users who log on to the network
through Services for Macintosh or to who run POSIX-compliant applications.
Unless you are using these services, there is no need to change the primary
group from Domain Users, which is the default value.

Setting the user's primary group membership to a value other than Domain
Users may adversely impact performance as all users in the domain are
members of Domain Users. If the user's primary group is set to another
group, it may cause the group membership to exceed the supported maximum
number of members.

Setting the Primary Group for Users and Computers
============================================
Primary groups are used by users who access Windows 2000 through services
for Macintosh. When a Macintosh user creates files or directories on a
Windows 2000 system, the primary group is assigned to these files or
directories. All user and computer accounts must have a primary group
regardless of whether the accounts access Windows 2000 systems through
Macintosh. This group must be a group with global or universal scope, such
as the global group Domain Users or the global group Domain Computers. To
set the primary group, complete the following steps:

1 Double-click the user, computer, or group entry in Active Directory Users
And Computers. This opens the account's Properties dialog box.
2. Select the Member Of tab.
3. Select a group with global or universal scope in the Member Of list box.
4. Click Set Primary Group.

All users must be a member of at least one primary group. You can't revoke
membership in a primary group without first assigning the user to another
primary group. To do this, complete the following steps:

1. Select a different group with global or universal scope in the Member of
list box, and then click Set Primary Group.
2. In the Member of list box, click the former primary group and then click
Remove. The group membership is now revoked.

Thanks,

(E-Mail Removed)

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks for the response.
We want to change the default Primary group for our external Sharepoint
Services users. We use Sharepoint Services in AD Mode and don't want new
Sharepoint users to be automatically assigned to the Domain Users group. It
would be more appropriate if they were assigned Domain Guests or some other
customized Domain group.

We've contacted Sharepoint support services, but they said this issue is
more of an AD specific problem.

"S.J.Haribabu" wrote:

> Hi,
>
> The primary group can be changed on per user basis; not on OU basis. So
> that means after you create user you can manually change the default
> primary group.
>
> The user's primary group applies only to users who log on to the network
> through Services for Macintosh or to who run POSIX-compliant applications.
> Unless you are using these services, there is no need to change the primary
> group from Domain Users, which is the default value.
>
> Setting the user's primary group membership to a value other than Domain
> Users may adversely impact performance as all users in the domain are
> members of Domain Users. If the user's primary group is set to another
> group, it may cause the group membership to exceed the supported maximum
> number of members.
>
> Setting the Primary Group for Users and Computers
> ============================================
> Primary groups are used by users who access Windows 2000 through services
> for Macintosh. When a Macintosh user creates files or directories on a
> Windows 2000 system, the primary group is assigned to these files or
> directories. All user and computer accounts must have a primary group
> regardless of whether the accounts access Windows 2000 systems through
> Macintosh. This group must be a group with global or universal scope, such
> as the global group Domain Users or the global group Domain Computers. To
> set the primary group, complete the following steps:
>
> 1 Double-click the user, computer, or group entry in Active Directory Users
> And Computers. This opens the account's Properties dialog box.
> 2. Select the Member Of tab.
> 3. Select a group with global or universal scope in the Member Of list box.
> 4. Click Set Primary Group.
>
> All users must be a member of at least one primary group. You can't revoke
> membership in a primary group without first assigning the user to another
> primary group. To do this, complete the following steps:
>
> 1. Select a different group with global or universal scope in the Member of
> list box, and then click Set Primary Group.
> 2. In the Member of list box, click the former primary group and then click
> Remove. The group membership is now revoked.
>
> Thanks,
>
> (E-Mail Removed)
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
>
>

"Davidi" <(E-Mail Removed)> wrote in message
news:712316A0-2DAF-4EB2-A09B-(E-Mail Removed)...
> Thanks for the response.
> We want to change the default Primary group for our external Sharepoint
> Services users. We use Sharepoint Services in AD Mode and don't want new
> Sharepoint users to be automatically assigned to the Domain Users group.
It
> would be more appropriate if they were assigned Domain Guests or some
other
> customized Domain group.
>
> We've contacted Sharepoint support services, but they said this issue is
> more of an AD specific problem.

How about setting up a _template user and always
COPYING the user rather than creating it directly?

This is a good practice anyway.

--
Herb Martin


>
> "S.J.Haribabu" wrote:
>
> > Hi,
> >
> > The primary group can be changed on per user basis; not on OU basis. So
> > that means after you create user you can manually change the default
> > primary group.
> >
> > The user's primary group applies only to users who log on to the network
> > through Services for Macintosh or to who run POSIX-compliant
applications.
> > Unless you are using these services, there is no need to change the
primary
> > group from Domain Users, which is the default value.
> >
> > Setting the user's primary group membership to a value other than Domain
> > Users may adversely impact performance as all users in the domain are
> > members of Domain Users. If the user's primary group is set to another
> > group, it may cause the group membership to exceed the supported maximum
> > number of members.
> >
> > Setting the Primary Group for Users and Computers
> > ============================================
> > Primary groups are used by users who access Windows 2000 through
services
> > for Macintosh. When a Macintosh user creates files or directories on a
> > Windows 2000 system, the primary group is assigned to these files or
> > directories. All user and computer accounts must have a primary group
> > regardless of whether the accounts access Windows 2000 systems through
> > Macintosh. This group must be a group with global or universal scope,
such
> > as the global group Domain Users or the global group Domain Computers.
To
> > set the primary group, complete the following steps:
> >
> > 1 Double-click the user, computer, or group entry in Active Directory
Users
> > And Computers. This opens the account's Properties dialog box.
> > 2. Select the Member Of tab.
> > 3. Select a group with global or universal scope in the Member Of list
box.
> > 4. Click Set Primary Group.
> >
> > All users must be a member of at least one primary group. You can't
revoke
> > membership in a primary group without first assigning the user to
another
> > primary group. To do this, complete the following steps:
> >
> > 1. Select a different group with global or universal scope in the Member
of
> > list box, and then click Set Primary Group.
> > 2. In the Member of list box, click the former primary group and then
click
> > Remove. The group membership is now revoked.
> >
> > Thanks,
> >
> > (E-Mail Removed)
> >
> > This posting is provided "AS IS" with no warranties, and confers no
rights.
> >
> >
> >
> >
> >

That's a good idea, but the AD users are created from the Sharepoint Services
interface. We don't manually create Sharepoint users from AD even though
they are stored in AD Users and Computers.

"Herb Martin" wrote:

> "Davidi" <(E-Mail Removed)> wrote in message
> news:712316A0-2DAF-4EB2-A09B-(E-Mail Removed)...
> > Thanks for the response.
> > We want to change the default Primary group for our external Sharepoint
> > Services users. We use Sharepoint Services in AD Mode and don't want new
> > Sharepoint users to be automatically assigned to the Domain Users group.
> It
> > would be more appropriate if they were assigned Domain Guests or some
> other
> > customized Domain group.
> >
> > We've contacted Sharepoint support services, but they said this issue is
> > more of an AD specific problem.
>
> How about setting up a _template user and always
> COPYING the user rather than creating it directly?
>
> This is a good practice anyway.
>
> --
> Herb Martin
>
>
> >
> > "S.J.Haribabu" wrote:
> >
> > > Hi,
> > >
> > > The primary group can be changed on per user basis; not on OU basis. So
> > > that means after you create user you can manually change the default
> > > primary group.
> > >
> > > The user's primary group applies only to users who log on to the network
> > > through Services for Macintosh or to who run POSIX-compliant
> applications.
> > > Unless you are using these services, there is no need to change the
> primary
> > > group from Domain Users, which is the default value.
> > >
> > > Setting the user's primary group membership to a value other than Domain
> > > Users may adversely impact performance as all users in the domain are
> > > members of Domain Users. If the user's primary group is set to another
> > > group, it may cause the group membership to exceed the supported maximum
> > > number of members.
> > >
> > > Setting the Primary Group for Users and Computers
> > > ============================================
> > > Primary groups are used by users who access Windows 2000 through
> services
> > > for Macintosh. When a Macintosh user creates files or directories on a
> > > Windows 2000 system, the primary group is assigned to these files or
> > > directories. All user and computer accounts must have a primary group
> > > regardless of whether the accounts access Windows 2000 systems through
> > > Macintosh. This group must be a group with global or universal scope,
> such
> > > as the global group Domain Users or the global group Domain Computers.
> To
> > > set the primary group, complete the following steps:
> > >
> > > 1 Double-click the user, computer, or group entry in Active Directory
> Users
> > > And Computers. This opens the account's Properties dialog box.
> > > 2. Select the Member Of tab.
> > > 3. Select a group with global or universal scope in the Member Of list
> box.
> > > 4. Click Set Primary Group.
> > >
> > > All users must be a member of at least one primary group. You can't
> revoke
> > > membership in a primary group without first assigning the user to
> another
> > > primary group. To do this, complete the following steps:
> > >
> > > 1. Select a different group with global or universal scope in the Member
> of
> > > list box, and then click Set Primary Group.
> > > 2. In the Member of list box, click the former primary group and then
> click
> > > Remove. The group membership is now revoked.
> > >
> > > Thanks,
> > >
> > > (E-Mail Removed)
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > >
> > >
> > >
> > >
> > >
>
>
>