Active Directory

July 7, 2011, 3:48 a.m.
posted by trystan

Adding and Removing Members of a Group






Adding and Removing Members of a Group

Problem

You want to add or remove members of a group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the bottom results pane.

  6. Click the Members tab.

  7. To remove a member, click on the member name, click the Remove button, click Yes, and click OK.

  8. To add a member, click on the Add button, enter the name of the member, and click OK twice.

Using a command-line interface

The -addmbr option in dsmod adds a member to a group:

	> dsmod group "<GroupDN>" -addmbr "<MemberDN>"

To add a group member with admod, use the following syntax:

	> admod -b "<GroupDN>" member:+:"<MemberDN>"

The -rmmbr option in dsmod removes a member from a group:

	> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"

To remove a group member with admod, use the following syntax:

	> admod -b "<GroupDN>" member:-:"<MemberDN>"

The -chmbr option in dsmod replaces the complete membership list:

	> dsmod group "<GroupDN>" -chmbr "<Member1DN Member2DN … >"

To replace the membership of a group with admod, use the following two commands:

	> admodb "<GroupDN>" :-
	> admod -b "<GroupDN>" member:++:"<Member1DN>;<Member2DN>;<Member3DN>"

Using VBScript
	' This code adds a member to a group.
	' ------ SCRIPT CONFIGURATION ------
	strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou= 
Groups,dc=rallencorp,dc=com
	strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=rallencorp,dc=com
	' ------ END CONFIGURATION ---------

	set objGroup = GetObject("LDAP://" & strGroupDN)
	' Add a member

	objGroup.Add("LDAP://" & strMemberDN)
	' This code removes a member from a group.
	' ------ SCRIPT CONFIGURATION ------
	strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou= 
Groups,dc=rallencorp,dc=com
	strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=rallencorp,dc=com
	' ------ END CONFIGURATION ---------

	set objGroup = GetObject("LDAP://" & strGroupDN)
	' Remove a member
	objGroup.Remove("LDAP://" & strMemberDN)

Discussion

Since there are no restrictions on what distinguished names you put in the member attribute, you can essentially have any type of object as a member of a group. Although OUs are typically used to structure objects that share certain criteria, group objects can be used to create loose collections of objects.

The benefit of using group objects as a collection mechanism is that the same object can be a member of multiple groups, whereas an object can only be a part of a single OU. Another key difference is that you can assign permissions on resources to groups because they are considered security principals in Active Directory, whereas OUs are not. This is different from some other directories, such as Novell NetWare, where OUs act more like security principals.

See Also

Recipe 7.3 for viewing group membership, MSDN: IADsGroup::Add, and MSDN: IADsGroup::Remove



 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows