LDAP - Change Group Membership

In my previous posts about LDAP group membership, I've talked about how to get a list of groups, how to search for a particular group's members, and how to search for what groups a particular user belongs to.  Up next:  how to change group membership.

To add or remove a user from a group, you need to modify the "member" attribute of the group itself.  To do this we'll use the set-ldap cmdlet of NetCmdlets.

Add a user to a group:

To add a user to a group, set the -dn parameter of set-ldap to the DN of the group itself.  Then use the -addattribute flag to tell the cmdlet to add the attribute specified by -attrtype and -attrvalue.  -attrtype in this case will be "member", and -attrvalue will be the DN of the user you want to add to the group.  So to add myself to the Administrators group:

PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Administrators,CN=Builtin,DC=JUNGLE" -attrtype member -attrvalue "CN=Lance Robinson,CN=Users,DC=JUNGLE" -addattribute

Host       : testboy
DN         : CN=Administrators,CN=Builtin,DC=JUNGLE
Successful : True
Type       : member
Value      : CN=Lance Robinson,CN=Users,DC=JUNGLE

Now that I've been added to the group, if I do another search for all the groups that I am a member of, I'll see "Administrators" in the list now:

PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE)(objectcategory=group))"

Host    DN
----    --
testboy CN=Administrators,CN=Builtin,DC=JUNGLE
testboy CN=Domain Admins,CN=Users,DC=JUNGLE
testboy CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>


Remove a user from a group:

Removing a user from a group is the same process, except that instead of using the -addattribute flag of the set-ldap cmdlet, I'll use -deleteattribute:

PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Administrators,CN=Builtin,DC=JUNGLE" -attrtype member -attrvalue "CN=Lance Robinson,CN=Users,DC=JUNGLE" -deleteattribute

Host       : testboy
DN         : CN=Administrators,CN=Builtin,DC=JUNGLE
Successful : True
Type       : member
Value      : CN=Lance Robinson,CN=Users,DC=JUNGLE

PS C:\>

Now that "CN=Lance Robinson" has been removed from the member attribute of the group itself, I am no longer a member of the Administrators group:

PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE)(objectcategory=group))"

Host    DN
----    --
testboy CN=Domain Admins,CN=Users,DC=JUNGLE
testboy CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>
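As an added example (not from the post and not NetCmdlets code), here are the same two changes expressed as LDIF "changetype: modify" records, the form an ldapmodify-style tool would accept, alongside an in-memory stand-in for the group's member attribute that mirrors what the server does when a value is added twice or deleted when absent. The group and user DNs are the ones from the post; the dict-based directory is an assumption used only to show the membership check.

```python
import base64
from typing import Dict, List

# DNs taken from the post.
GROUP_DN = "CN=Administrators,CN=Builtin,DC=JUNGLE"
USER_DN = "CN=Lance Robinson,CN=Users,DC=JUNGLE"


def _ldif_attr_line(attr: str, value: str) -> str:
    """One LDIF attribute line; values RFC 2849 does not allow in plain form
    (leading space/colon/'<', non-ASCII, NUL/CR/LF) are base64-encoded ('::')."""
    safe = (value.isascii() and not any(c in value for c in "\0\r\n")
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def member_change_ldif(group_dn: str, user_dn: str, add: bool) -> str:
    """LDIF modify record equivalent to set-ldap -addattribute (add=True)
    or -deleteattribute (add=False) on the group's member attribute."""
    op = "add" if add else "delete"
    return "\n".join([
        _ldif_attr_line("dn", group_dn),
        "changetype: modify",
        f"{op}: member",
        _ldif_attr_line("member", user_dn),
        "-",
    ]) + "\n"


def apply_member_change(directory: Dict[str, List[str]], group_dn: str,
                        user_dn: str, add: bool) -> None:
    """Apply the change to a constructed {group_dn: [member_dn, ...]} map.
    Like the server, adding an existing value or deleting a missing one fails
    (attributeOrValueExists / noSuchAttribute). DNs compare case-insensitively."""
    members = directory.setdefault(group_dn, [])
    present = [m for m in members if m.casefold() == user_dn.casefold()]
    if add:
        if present:
            raise ValueError("attributeOrValueExists")
        members.append(user_dn)
    else:
        if not present:
            raise ValueError("noSuchAttribute")
        members.remove(present[0])


def groups_of(directory: Dict[str, List[str]], user_dn: str) -> List[str]:
    """Equivalent of the post's (&(member=<user>)(objectcategory=group)) search."""
    return sorted(g for g, m in directory.items()
                  if any(x.casefold() == user_dn.casefold() for x in m))
```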

Posted on Monday, August 06, 2007 10:22 AM

Feedback

# re: LDAP - Change Group Membership

Left by Girish Bapat at 10/22/2008 2:31 AM
Hi,
Thank you for sharing valuable information.
I wish to know, in my code I have added that following attributes types for users to be eligible to become member of any ldap group.
member,uniqueMember,memberUid.

I wish to know whether above attribute types are with some standards or mandatory for any LDAP or AD server for members to add themselves in a group.

In other words, if my LDAP server group does not have these attribute types and values then any user which would be there in group will not be considered as member unless any of above value is set.
Please let me know the same.

Thank you once again,
Girish

# re: LDAP - Change Group Membership

Left by Dinesh N M at 10/22/2011 9:13 AM
Dear Team,

Thank you very much for sharing the crucial information. I just want to know how to remove a user from a group in LDAP by using a .ldif file.

Please give me a script for the same issue.

Warm Regards,
Dinesh N M


Copyright © Lance Robinson
