2.7.2.9 Create a Security Group - Client Application
In this use case, an administrator wants to create a security group to be used for access-control decisions. The administrator launches a client application to create the new security group. The client application establishes a connection to the Active Directory system.
Goal
Create a new security group in the directory.
Context of Use
An administrator wants to create a security group to be used for access-control decisions.

Figure 22: Use case diagram for creating a security group
Actors
Client application
The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to create the security group, and relays the response to the administrator.
Windows Authentication Services
Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity so that the Active Directory system can make access-control decisions.
Directory server
The directory server is the supporting actor that receives the creation request and creates the security group.
Stakeholders
Administrator
The administrator initiates operations on accounts and groups, such as create, reset, change, query for group members, create a security group, modify the group member list, and delete. The administrator primarily wants confirmation that the operations completed successfully, or an error message if they failed.
Directory
The directory is the entity that contains the security group being created.
Preconditions
The system-wide preconditions, as described in section 2.6, are satisfied. The Active Directory system completes initialization, as described in section 2.6.
The client application has connectivity to a directory server to which it can establish a connection, if it is not already connected, and send the request.
Main Success Scenario
Trigger: The administrator provides the group name for the new security group as input to the client application, along with credentials, and invokes the operation that creates a new security group.
1. The client application establishes a connection to the directory server.
2. Windows Authentication Services authenticates the client application by using the supplied credentials ([MS-AUTHSOD] section 2).
3. The client application sends a request to the directory server to create a new security group and specifies the group name for the new group.
4. The directory server verifies that the credentials that are supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).
5. The directory server validates the constraints on the new group name, as described in [MS-SAMR] sections 3.1.1.6 and 3.1.1.8.4.
6. The directory server creates an object in the directory that represents the new security group with the group name supplied by the client. The directory object is additionally populated with attributes that are mandated by the server's processing rules and constraints ([MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.2).
7. The directory server sends a response to the client application that the new security group has been successfully created.
Postcondition
The new security group is created and ready for use.
Extensions
If the credentials that are supplied through the client application have insufficient access-control rights to create the new security group:
1-4. Same as Main Success Scenario.
5. The directory server sends a response to the client application that the supplied credentials have insufficient access-control rights to create the new security group.
If the group name that the administrator supplies does not satisfy the group name constraints, as described in [MS-SAMR] section 3.1.1.6:
1-5. Same as Main Success Scenario.
6. The directory server sends a response to the client application that the specified group name does not meet the constraints.
If the group name that is supplied through the client application is not unique, as described in [MS-SAMR] section 3.1.1.8.4:
1-5. Same as Main Success Scenario.
6. The directory server sends a response to the client application that the specified group name is already in use by an existing group.
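The following Python module is an added example, not code from [MS-ADSO] or any Microsoft component. It models the client side of the Main Success Scenario and the three Extensions above: it builds the LDAP Add request for a security-enabled global group (groupType bits from [MS-ADTS] section 2.2.12, LDAP result codes from RFC 4511), submits it through a caller-supplied transport, and maps the server's result code onto the four outcomes the use case describes. The FakeDirectory class, the group name "Finance-Admins", the container "CN=Users,DC=example,DC=com" and the forbidden-character list are constructed for the example; the name checks are a simplified stand-in for the [MS-SAMR] 3.1.1.6 and 3.1.1.8.4 rules, not a reproduction of them.

```python
"""Client model of the "create a security group" use case (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict

# groupType bits ([MS-ADTS] 2.2.12): a security-enabled group with global scope
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002      # global scope
GROUP_TYPE_SECURITY_ENABLED = 0x80000000   # security group, not a distribution group

# LDAP result codes (RFC 4511) that distinguish the scenario outcomes
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_INSUFFICIENT_ACCESS_RIGHTS = 50
LDAP_ENTRY_ALREADY_EXISTS = 68

# Assumed, simplified stand-in for the sAMAccountName rules of [MS-SAMR] 3.1.1.6
_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def build_group_add_request(group_name: str, container_dn: str):
    """Return (dn, attributes) for the LDAP Add of a global security group (step 3)."""
    group_type = GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED
    # AD stores groupType as a signed 32-bit integer, so 0x80000002 is sent as a negative value
    if group_type & 0x80000000:
        group_type -= 1 << 32
    dn = f"CN={group_name},{container_dn}"
    attributes = {
        "objectClass": ["top", "group"],
        "sAMAccountName": group_name,
        "groupType": group_type,
    }
    return dn, attributes


def interpret_result(code: int) -> str:
    """Map the directory server's result code onto the use-case outcomes (step 7 / Extensions)."""
    outcomes = {
        LDAP_SUCCESS: "created",
        LDAP_INSUFFICIENT_ACCESS_RIGHTS: "insufficient access rights",
        LDAP_CONSTRAINT_VIOLATION: "group name does not meet constraints",
        LDAP_ENTRY_ALREADY_EXISTS: "group name already in use",
    }
    return outcomes.get(code, f"unexpected LDAP result {code}")


def create_security_group(add_fn: Callable[[str, dict], int], group_name: str, container_dn: str) -> str:
    """Submit the Add through add_fn(dn, attributes) -> LDAP result code and report the outcome."""
    dn, attrs = build_group_add_request(group_name, container_dn)
    return interpret_result(add_fn(dn, attrs))


@dataclass
class FakeDirectory:
    """Constructed stand-in for the directory server, covering steps 4-6 of the scenario."""
    caller_may_create: bool = True                          # result of the step-4 access check
    groups: Dict[str, dict] = field(default_factory=dict)   # lowercase sAMAccountName -> attributes

    def add(self, dn: str, attrs: dict) -> int:
        name = attrs["sAMAccountName"]
        if not self.caller_may_create:                      # step 4: access-control rights
            return LDAP_INSUFFICIENT_ACCESS_RIGHTS
        if not name or _FORBIDDEN & set(name):              # step 5: name constraints (simplified)
            return LDAP_CONSTRAINT_VIOLATION
        if name.lower() in self.groups:                     # step 5: name must be unique
            return LDAP_ENTRY_ALREADY_EXISTS
        self.groups[name.lower()] = dict(attrs, distinguishedName=dn)  # step 6: object created
        return LDAP_SUCCESS


if __name__ == "__main__":
    container = "CN=Users,DC=example,DC=com"   # constructed container DN
    directory = FakeDirectory()
    print(create_security_group(directory.add, "Finance-Admins", container))   # created
    print(create_security_group(directory.add, "Finance-Admins", container))   # already in use
    print(create_security_group(directory.add, "Bad/Name", container))         # constraint failure
    locked = FakeDirectory(caller_may_create=False)
    print(create_security_group(locked.add, "Finance-Admins", container))      # insufficient rights
```

To run the same client logic against a real directory server, replace FakeDirectory.add with a transport that returns the LDAP result code; with the ldap3 library this is assumed to be a wrapper that calls `conn.add(dn, attributes=attrs)` and then returns `conn.result["result"]`. Whatever the transport, the client should treat only `LDAP_SUCCESS` as confirmation that the group exists and report the three error codes to the administrator verbatim rather than retrying with a modified name.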