Adding Members to Groups in a Domain

A group can contain any number of users, contacts, or other groups as members. The following list lists the attributes of the group object that control group membership.

AttributeDescription

member

The member attribute contains the distinguished names for the objects that are members of the group.

memberOf

The memberOf attribute contains the distinguished names of groups that contain the group as a direct member. The memberOf attribute does not contain any inherited group membership data. For example, if GroupA is a member of GroupB and GroupB is a member of GroupC, the memberOf attribute for GroupA will contain GroupB, but not GroupC.

The Active Directory server maintains this property. When a distinguished name is added to the member property of another group, that other group's distinguished name is added to this group's memberOf property.

 

Each of the following methods can be used to add a member to a group. You can add a member by using the distinguished name of the member or binding to the member object and then adding the member object to the group object.

To add a member that belongs to a downlevel domain to a group in an uplevel domain, use the bindable form of the SID string for the distinguished name. For more information and a code example that shows how to convert an objectSid into a bindable string, see the GetLDAPSidBindStringFromVariantSID example function in Example Code for Converting an objectSid into a Bindable String.

Adding Members to a Group by Using IADsGroup

The IADsGroup interface can be used to add members to a group by using the IADsGroup.Add method. Bind to and obtain the IADsGroup interface for the group object. Then the IADsGroup.Add method can be used to add members to the group.

Adding Members to a Group by Using IDirectoryObject

The IDirectoryObject interface can be used to add members to a group by using the IDirectoryObject::SetObjectAttributes method to modify the member attribute for the group. Bind to and obtain the IDirectoryObject interface for the group object. Then use the IDirectoryObject::SetObjectAttributes method to modify the member attribute.

Note  Because the member attribute has multiple values, ensure that you use the ADS_ATTR_APPEND control code to add a distinguished name to the member attribute. Using the ADS_ATTR_UPDATE control code will cause the existing member values to be overwritten.
 

The IDirectoryObject interface can also be used to add members to a group when the group is created by specifying the members in the pAttributeEntries parameter of the IDirectoryObject::CreateDSObject method.

Adding Members to a Group by Using System.DirectoryServices

You can use the System.DirectoryServices namespace to add members to a group by using the PropertyValueCollection.Add method on the member property of the group object. For more information, see Setting Properties on Directory Objects.

Adding Members to a Group by Using the LDAP API

You can use the Lightweight Directory Access Protocol API to add members to a group by using one of the ldap_modify* functions. For more information, see Modifying a Directory Entry.

 

 

Show: