Recipe 7.4 Adding and Removing Members of a Group

7.4.1 Problem

You want to add or remove members of a group.

7.4.2 Solution

7.4.2.1 Using a graphical user interface
  1. Follow the same steps as in Recipe 7.2 to view the members of the group.

  2. To remove a member, click on the member name, click the Remove button, click Yes, and click OK.

  3. To add a member, click on the Add button, enter the name of the member, and click OK twice.

7.4.2.2 Using a command-line interface

The -addmbr option adds a member to a group:

> dsmod group "<GroupDN>" -addmbr "<MemberDN>"

The -rmmbr option removes a member from a group:

> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"

The -chmbr option replaces the complete membership list:

> dsmod group "<GroupDN>" -chmbr "<Member1DN Member2DN  . . . >"
7.4.2.3 Using VBScript
' This code adds a member to a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>"  ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objGroup = GetObject("LDAP://" & strGroupDN)
' Add a member
objGroup.Add("LDAP://" & strMemberDN)
' This code removes a member from a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>"  ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objGroup = GetObject("LDAP://" & strGroupDN)
' Remove a member
objGroup.Remove("LDAP://" & strMemberDN)

7.4.3 Discussion

Since there are no restrictions on what distinguished names you put in the member attribute, you can essentially have any type of object as a member of a group, which makes groups very useful. While Organizational Units (OUs) are typically used to structure objects that share certain criteria, group objects can be used to create loose collections of objects.

The benefit of using group objects as a collection mechanism is that the same object can be a member of multiple groups whereas an object can only be a part of a single OU. Another key difference is that you can assign permissions on resources to groups because they are considered security principals in Active Directory, whereas OUs are not. This is different from some other directories, such as Novel Netware, where OUs act more like security principals.

7.4.4 See Also

Recipe 7.2 for viewing group membership, MSDN: IADsGroup::Add, and MSDN: IADsGroup::Remove



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List