Modifying Group Attributes






Modifying Group Attributes

Problem

You want to modify one or more attributes of an object.

Solution

Set the last name (sn) attribute for the jsmith user object.

Using a graphical user interface
  1. Open ADSI Edit.

  2. If an entry for the naming context you want to browse is not already displayed, do the following:

    1. Right-click on ADSI Edit in the right pane and click "Connect to.…"

    2. Fill in the information for the naming context, container, or OU containing the group that you want to modify. Click on the Advanced button if you need to enter alternate credentials.

  3. In the left pane, browse to the container or OU that contains the group you want to modify. Once you've found the group, right-click on it and select Properties.

  4. Right-click the attribute that you want to modify and select Edit.

  5. Enter the new value that you want to use and click OK.

  6. Click Apply, followed by OK.

Using a command-line interface

Create an LDIF file called modify_object.ldf with the following contents:

	dn: cn=Finance Users,cn=users,dc=rallencorp,dc=com
	changetype: modify
	add: description
	description: Members of the Finance Department
	-

Then run the following command:

	> ldifde -v -i -f modify_object.ldf

To modify a group using AdMod, you'll use the following general syntax:

	> admodb <GroupDN> <attribute>:<operation>:<value>

For example, you can add a description to a group object using the following syntax:

	> C:\>admod -b cn="Finance Users,cn=Users,dc=rallencorp,dc=com"
	   description::"Members of the Finance Department"

You can also modify group objects with the dsmod group command using the following syntax:

	> dsmod group <GroupDN> <options>

The available options for dsmod include the following:


-samid <NewSAMName>

Updates the sAMAccountName attribute of the group object


-desc <NewDescription>

Updates the description attribute of the group object


-secgrp {yes | no}

Configures the group object as a security group (yes) or a distribution group (no)


-scope {l | g | u}

Configures the group scope as domain local (l), global (g), or universal (u)


{-addmbr | -rmmbr | -chmbr} <MemberDN1> <MemberDN2>

Adds the specified objects to the group (addmbr), removes the specified objects (rmmbr), or replaces the membership list wholesale with only the specified objects (chmbr)

Using VBScript
	strGroupDN = "cn=Finance Users,cn=users,dc=rallencorp,dc=com"
	set objGroup = GetObject("LDAP://" & strGroupDN)
	objGroup.Put "description", "Members of the Finance Department"
	objGroup. 
SetInfo

Discussion

Using a graphical user interface

If the parent container of the object you want to modify has a lot of objects in it, you may want to add a new connection entry for the DN of the target object. This will be easier than trying to hunt through a container full of objects. You can do this by right-clicking ADSI Edit and selecting "Connect to…" under Connection Point, then select Distinguished Name and enter the DN of the object.

Using a command-line interface

For more on ldifde, see Recipe 4.28.

Using VBScript

If you need to do anything more than simple assignment or replacement of a value for an attribute, you'll need to use the PutEx method instead of Put. PutEx allows for greater control of assigning multiple values, deleting specific values, and appending values.

PutEx requires three parameters: update flag, attribute name, and an array of values to set or unset. The update flags are defined by the ADS_PROPERTY_OPERATION_ENUM collection and listed in Recipe 4.14. Finally, SetInfo commits the change. If SetInfo is not called, the creation will not get committed to the domain controller.

See Also

Recipe 4.14, Recipe 4.28, MSDN: IADs::Put, MSDN: IADs::PutEx, MSDN: IADs:: SetInfo, and MSDN: ADS_PROPERTY_OPERATION_ENUM



 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows