Directory Services |
A group can contain any number of users, contacts, or other groups as members. The following table lists the attributes of the group object that control group membership.
Attribute | Description |
---|---|
member | The member attribute contains the distinguished names for the objects that are members of the group. |
memberOf | The memberOf attribute contains the distinguished names
of groups that contain the group as a direct member. The
memberOf attribute does not contain any inherited group
membership data. For example, if GroupA is a member of GroupB and
GroupB is a member of GroupC, the memberOf attribute for
GroupA will contain GroupB, but not GroupC.
Active Directory maintains this property. When a distinguished name is added to the member property of another group, that other group's distinguished name is added to this group's memberOf property. |
Each of the following methods can be used to add a member to a group.
Each of these methods requires a distinguished name for the group member. To add a member that belongs to a down-level domain to a group in an up-level domain, it is necessary to use the bindable form of the SID string for the distinguished name. For more information and a code example that shows how to convert an objectSid into a bindable string, see the GetLDAPSidBindStringFromVariantSID example function in Example Code for Adding a Member to a Group.
The IADsGroup interface can be used to add members to a group with the IADsGroup.Add method. Bind to and obtain the IADsGroup interface for the group object. Then the IADsGroup.Add method can be used to add members to the group.
The IDirectoryObject interface can be used to add members to a group by using the IDirectoryObject::SetObjectAttributes method to modify the member attribute for the group. Bind to and obtain the IDirectoryObject interface for the group object. Then use the IDirectoryObject::SetObjectAttributes method to modify the member attribute.
Note Because the member attribute is multi-valued, ensure that you use the ADS_ATTR_APPEND control code to add a distinguished name to the member attribute. Using the ADS_ATTR_UPDATE control code will cause the existing member values to be overwritten.
The IDirectoryObject interface can also be to add members to a group when the group is created by specifying specify the members in the pAttributeEntries parameter of the IDirectoryObject::CreateDSObject method.
The System.DirectoryServices namespace can be used to add members to a group with the PropertyValueCollection.Add method on the member property of the group object. For more information, see Setting Properties on Directory Objects.
The Lightweight Directory Access Protocol API can be used to add members to a group with one of the ldap_modify* functions. For more information, see Modifying a Directory Entry.