How Primary Groups Are Assigned and Changed

For domain accounts, the default primary group is Domain Users. You can change a particular user's primary group by editing the properties of the User object in Active Directory. For more information about changing a user's primary group, see Windows 2000 Server Help.

When a new object is created, the creating process can specify a SID for the object's Primary Group field. If the creating process does not specify a primary group, one is taken from the Default Primary Group field of the subject's access token.

A similar procedure is followed when a user takes ownership of an object. Normally, the thread acting on the user's behalf does not specify a primary group. When it does not, the SID in the Default Primary Group field of the subject's access token is copied to the Primary Group field of the object's security descriptor.
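The fallback rule in the two paragraphs above, as an added example (not part of the original documentation and not Windows' own code): it reads the Primary Group field from a self-relative security descriptor and falls back to the token's default when the creator left that field empty. The function names, the plain-string model of the token's Default Primary Group, and the SIDs used to exercise it are assumptions made for illustration.

```python
import struct
from typing import Optional

SE_SELF_RELATIVE = 0x8000   # control flag: header holds offsets, not pointers
HEADER = "<BBHIIII"         # Revision, Sbz1, Control, Owner/Group/Sacl/Dacl offsets

def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-5-21-...' string into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID string: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")        # authority is big-endian
            + struct.pack(f"<{len(subs)}I", *subs))   # sub-authorities are LE

def sid_from_bytes(buf: bytes, off: int) -> str:
    """Decode the binary SID at 'off', bounds-checking its declared length."""
    if off + 8 > len(buf):
        raise ValueError("SID header out of bounds")
    end = off + 8 + 4 * buf[off + 1]
    if end > len(buf):
        raise ValueError("SID sub-authorities out of bounds")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack(f"<{buf[off + 1]}I", buf[off + 8:end])
    return "-".join(["S", str(buf[off]), str(authority), *map(str, subs)])

def build_sd(owner: str, group: Optional[str]) -> bytes:
    """Build a self-relative descriptor with no ACLs; the group is optional."""
    owner_b = sid_to_bytes(owner)
    group_b = sid_to_bytes(group) if group else b""
    off_group = 20 + len(owner_b) if group else 0     # 0 means "field absent"
    header = struct.pack(HEADER, 1, 0, SE_SELF_RELATIVE, 20, off_group, 0, 0)
    return header + owner_b + group_b

def group_in_sd(sd: bytes) -> Optional[str]:
    """Return the Primary Group SID stored in the descriptor, or None."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor")
    _, _, control, _, off_group, _, _ = struct.unpack_from(HEADER, sd)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("expected a self-relative descriptor")
    return sid_from_bytes(sd, off_group) if off_group else None

def assigned_primary_group(creator_sd: bytes, token_default_group: str) -> str:
    """Rule from the text: the creator-specified SID, else the token's default."""
    return group_in_sd(creator_sd) or token_default_group
```

Calling `assigned_primary_group(build_sd(user_sid, None), domain_users_sid)` returns the token default, while a descriptor built with an explicit group returns that group instead.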