Directory Services

Adding Domain Objects to Machine Local Groups on Member Servers and Windows 2000 Professional

When a member server or a computer running Windows NT® Workstation or Windows® 2000 Professional is a member of a Windows 2000 domain, the users and groups that belong to the domain can be added to groups on the local computer to grant rights to the domain user or group on that particular computer.

When managing groups on a Windows 2000 domain using ADSI, the LDAP provider is normally used. When managing groups on member servers and a computer running Windows NT Workstation/Windows 2000 Professional, however, the WinNT provider must be used.

Only local groups can be created on member servers and Windows 2000 Professional. However, the local groups can contain any of the following:

To add a domain user or group object to a machine local group, perform the following steps:

  1. Bind to the IADsContainer interface of the computer that contains the group to add a member to using the following rules
  2. Use the IADsContainer.GetObject method with group as the class and the group name as the name of the object to bind to the group.
  3. Bind to the IADsGroup interface of the group to add a member to.
  4. Construct the ADsPath of the object to add to the group in the form WinNT://<domain>/<name>, where <domain> is the name of the domain that contains the object to add and <name> is the name of the object to add.
  5. Add the user or group to the group with the IADsGroup.Add method, passing the ADsPath constructed in the previous step.

For more information and a code example that shows how to add a domain user or group object to a local group, see Example Code for Adding a Domain Object to a Machine Local Group.
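The five steps above, written out in PowerShell over the WinNT provider as an added example (not the example code this page refers to, and not Microsoft's own code). The function name, its parameters, the sample values in the usage comment and the `WinNT://<computer>,computer` binding string are assumptions of this example. Because adding a domain object to a machine local group grants it rights on that computer, the function checks IADsGroup.IsMember first, supports `-WhatIf`, and returns the resulting membership for review.

```powershell
# Added example: the function, parameter names and sample values are hypothetical.
function Add-DomainObjectToLocalGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$Name
    )

    # Step 1: bind to the computer object (an IADsContainer) through the WinNT provider.
    # The ",computer" class hint in the ADsPath is an assumption of this example.
    $computer = [ADSI]"WinNT://$ComputerName,computer"

    # Steps 2-3: DirectoryEntries.Find(name, class) calls IADsContainer.GetObject
    # and returns the group entry, which exposes IADsGroup.
    $group = $computer.psbase.Children.Find($GroupName, 'group')

    # Step 4: ADsPath of the domain user or group, WinNT://<domain>/<name>.
    $memberPath = "WinNT://$Domain/$Name"

    # IADsGroup.IsMember: skip the add when the object is already in the group,
    # because Add raises an error for an existing member.
    if ($group.psbase.Invoke('IsMember', $memberPath)) {
        Write-Verbose "$memberPath is already a member of $GroupName"
    }
    elseif ($PSCmdlet.ShouldProcess("$ComputerName\$GroupName", "Add $memberPath")) {
        # Step 5: IADsGroup.Add with the ADsPath built in step 4.
        $group.psbase.Invoke('Add', $memberPath)
    }

    # Read the membership back (IADsGroup.Members) so the change can be reviewed.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# Usage with constructed sample values; -WhatIf reports the add without making it:
# Add-DomainObjectToLocalGroup -ComputerName 'SRV01' -GroupName 'Remote Desktop Users' `
#     -Domain 'CONTOSO' -Name 'HelpDesk' -WhatIf
```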