ProblemYou want to add or remove members of a group. SolutionUsing a graphical user interface
Using a command-line interfaceUse the lg tool from Joeware.net to add and remove members for local groups. The following command adds a user to a group: > lg <GroupName> <UserName1> <UserName2> ... /add For example: > lg TestGroup rallen gralla /add The following command removes a user from a local group: > lg TestGroup rallen /remove For Active Directory, the -addmbr option of dsmod adds a member to a group: > dsmod group "<GroupDN>" -addmbr "<MemberDN>" For example: > dsmod group "cn=administrators,cn=user,dc=rallencorp,dc=com" -addmbr "cn=rallen,cn=users,dc=rallencorp,dc=com" The -rmmbr option removes a member from a group: > dsmod group "<GroupDN>" -rmmbr "<MemberDN>" The -chmbr option replaces the complete membership list: > dsmod group "<GroupDN>" -chmbr "<Member1DN Member2DN ...>" Using VBScript' This code adds a member to a local group. ' ------ SCRIPT CONFIGURATION ------ strGroupName = "<GroupName>" ' e.g. Administrators strUserName = "<UserName>" ' e.g. rallen strComputer = "<ComputerName>" ' ------ END CONFIGURATION --------- set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroupName) objGroup.Add("WinNT://" & strComputer & "/" & strUserName) WScript.Echo "Done" ' This code removes a member from a local group. ' ------ SCRIPT CONFIGURATION ------ strGroupName = "<GroupName>" ' e.g. Administrators strUserName = "<UserName>" ' e.g. rallen strComputer = "<ComputerName>" ' ------ END CONFIGURATION --------- set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroupName) objGroup.Remove("WinNT://" & strComputer & "/" & strUserName) WScript.Echo "Done" ' This code adds a member to an Active Directory group. ' ------ SCRIPT CONFIGURATION ------ strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- set objGroup = GetObject("LDAP://" & strGroupDN) objGroup.Add("LDAP://" & strMemberDN) WScript.Echo "Done" ' This code removes a member from an Active Directory group. ' ------ SCRIPT CONFIGURATION ------ strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- set objGroup = GetObject("LDAP://" & strGroupDN) objGroup.Remove("LDAP://" & strMemberDN) WScript.Echo "Done" DiscussionUsing VBScriptFor Active Directory, there are no restrictions on what distinguished names you put in the member attribute, so you can essentially have any type of object as a member of a group. While Organizational Units (OUs) are typically used to structure objects that share certain criteria, group accounts can be used to create loose collections of objects. The benefit of using group accounts as a collection mechanism is that the same object can be a member of multiple groups whereas an object can only be a part of a single OU. Another key difference is that you can assign permissions on resources to groups because they are considered security principals in Active Directory, whereas OUs are not. This is different from some other directories, such as Novell Netware, where OUs act more like security principals. See AlsoRecipe 15.11 for viewing group membership, MSDN: IADsGroup::Add, and MSDN: IADsGroup::Remove. |