Add or Remove a Computer Account from a Group
You want to add or remove a computer account from an Active Directory security group.
Using a graphical user interface
Using a command-line interface
To add a computer object to a group, use the following syntax:
> admod -b "<GroupDN>" member:+:"<ComputerDN>"
Using VBScript
' This code adds and removes a computer object from a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
strComputerDN = "<ComputerDN>" ' e.g. cn=Fin101,cn=Computers,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
set objGroup = GetObject("LDAP://" & strGroupDN)
' Add a member
objGroup.Add("LDAP://" & strComputerDN)
' Remove a member
objGroup.Remove("LDAP://" & strComputerDN)
In Active Directory, both user and computer objects are security principals that can be assigned rights and permissions within a domain. As such, computer objects can be added to or removed from group objects to make for simpler resource administration. You can make this change through ADUC or ADSI Edit, or by manually editing the member attribute of the appropriate group object.
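The same change in PowerShell, as an added example that is not part of the original recipe. It assumes the ActiveDirectory module (RSAT) is available; the function name Set-ComputerGroupMembership is hypothetical. It confirms that the DN really is a computer object and skips the write when the group's member attribute is already in the requested state.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (not from the original recipe): add or remove a
# computer account from a group, idempotently, with -WhatIf support.
function Set-ComputerGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$ComputerDN,
        [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action
    )

    # Get-ADComputer fails if the DN is missing or is not a computer
    # object, so a user DN cannot be added by mistake.
    $computer = Get-ADComputer -Identity $ComputerDN -ErrorAction Stop
    $group    = Get-ADGroup -Identity $GroupDN -Properties member -ErrorAction Stop

    # Direct membership only: compare against the group's member attribute.
    $isMember = $group.member -contains $computer.DistinguishedName
    $changed  = $false

    if ($Action -eq 'Add' -and -not $isMember) {
        if ($PSCmdlet.ShouldProcess($GroupDN, "Add $ComputerDN")) {
            Add-ADGroupMember -Identity $group -Members $computer
            $changed = $true
        }
    }
    elseif ($Action -eq 'Remove' -and $isMember) {
        if ($PSCmdlet.ShouldProcess($GroupDN, "Remove $ComputerDN")) {
            Remove-ADGroupMember -Identity $group -Members $computer -Confirm:$false
            $changed = $true
        }
    }

    # Report what happened so the change can be logged or audited.
    [pscustomobject]@{
        Group     = $group.DistinguishedName
        Computer  = $computer.DistinguishedName
        Action    = $Action
        WasMember = $isMember
        Changed   = $changed
    }
}

# Usage with the recipe's sample DNs; -WhatIf previews without writing.
# Set-ComputerGroupMembership -Action Add -WhatIf `
#     -GroupDN 'cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com' `
#     -ComputerDN 'cn=Fin101,cn=Computers,dc=rallencorp,dc=com'
```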
MSDN: NT-Group-Members attribute [AD Schema] and MSDN: Member Attribute [AD Schema]