Adding Members to Groups in a Domain
A group can contain any number of users, contacts, or other groups as members. The following table lists the attributes of the group object that control group membership.
Attribute | Description |
---|---|
member | The member attribute contains the distinguished names for the objects that are members of the group. |
memberOf | The memberOf attribute contains the distinguished names of groups that contain the group as a direct member. The memberOf attribute does not contain any inherited group membership data. For example, if GroupA is a member of GroupB and GroupB is a member of GroupC, the memberOf attribute for GroupA will contain GroupB, but not GroupC. The Active Directory server maintains this property. When a distinguished name is added to the member property of another group, that other group's distinguished name is added to this group's memberOf property. |
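Because memberOf holds only direct memberships, reviewing what a new member will actually receive means walking the nesting chain yourself. The following added example (not part of the original page) does that over constructed data; the distinguished names, the `DIRECT_MEMBER_OF` snapshot and the function names are hypothetical, and DN comparison is simplified to lowercase string matching.

```python
from collections import deque

# Constructed sample data: DN -> values of its memberOf attribute (direct only),
# following the GroupA/GroupB/GroupC example in the table above.
DIRECT_MEMBER_OF = {
    "CN=Alice,DC=example,DC=com": ["CN=Staff,DC=example,DC=com"],
    "CN=Staff,DC=example,DC=com": [],
    "CN=GroupA,DC=example,DC=com": ["CN=GroupB,DC=example,DC=com"],
    "CN=GroupB,DC=example,DC=com": ["CN=GroupC,DC=example,DC=com"],
    "CN=GroupC,DC=example,DC=com": [],
}


def _norm(dn):
    # Simplification (assumption): treat DNs as case-insensitive strings.
    return dn.strip().lower()


def effective_groups(dn, direct_member_of):
    """Return every group the object belongs to, directly or through nesting."""
    index = {_norm(k): [_norm(v) for v in vals]
             for k, vals in direct_member_of.items()}
    start = _norm(dn)
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for group in index.get(current, []):
            if group not in seen:  # keeps the walk finite if groups nest in a loop
                seen.add(group)
                queue.append(group)
    seen.discard(start)
    return seen


def groups_gained(member_dn, target_group_dn, direct_member_of):
    """Groups the member would newly belong to if added to the target group."""
    target = _norm(target_group_dn)
    after = {target} | effective_groups(target, direct_member_of)
    before = effective_groups(member_dn, direct_member_of)
    return after - before - {_norm(member_dn)}


if __name__ == "__main__":
    gained = groups_gained("CN=Alice,DC=example,DC=com",
                           "CN=GroupA,DC=example,DC=com", DIRECT_MEMBER_OF)
    for dn in sorted(gained):
        print(dn)
```

Running the same check before any of the add operations below shows the full set of groups a change grants, not only the one named in the request.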
Each of the following methods can be used to add a member to a group. You can add a member either by using the distinguished name of the member or by binding to the member object and then adding the member object to the group object.
To add a member that belongs to a downlevel domain to a group in an uplevel domain, use the bindable form of the SID string for the distinguished name. For more information and a code example that shows how to convert an objectSid into a bindable string, see the GetLDAPSidBindStringFromVariantSID example function in Example Code for Converting an objectSid into a Bindable String.
Adding Members to a Group by Using IADsGroup
The IADsGroup interface can be used to add members to a group by using the IADsGroup.Add method. Bind to and obtain the IADsGroup interface for the group object. Then the IADsGroup.Add method can be used to add members to the group.
Adding Members to a Group by Using IDirectoryObject
The IDirectoryObject interface can be used to add members to a group by using the IDirectoryObject::SetObjectAttributes method to modify the member attribute for the group. Bind to and obtain the IDirectoryObject interface for the group object. Then use the IDirectoryObject::SetObjectAttributes method to modify the member attribute.
Note
Because the member attribute has multiple values, ensure that you use the ADS_ATTR_APPEND control code to add a distinguished name to the member attribute. Using the ADS_ATTR_UPDATE control code will cause the existing member values to be overwritten.
The IDirectoryObject interface can also be used to add members to a group when the group is created by specifying the members in the pAttributeEntries parameter of the IDirectoryObject::CreateDSObject method.
Adding Members to a Group by Using System.DirectoryServices
You can use the System.DirectoryServices namespace to add members to a group by using the PropertyValueCollection.Add method on the member property of the group object. For more information, see Setting Properties on Directory Objects.
Adding Members to a Group by Using the LDAP API
You can use the Lightweight Directory Access Protocol API to add members to a group by using one of the ldap_modify* functions. For more information, see Modifying a Directory Entry.