Lance Robinson
Lance Robinson is a software engineer in Durham, Chapel Hill, Raleigh, and surrounding areas. More about Lance.
LDAP - Change Group Membership

In my previous posts about LDAP group membership, I've talked about how to get a list of groups, how to search for a particular group's members, and how to search for what groups a particular user belongs to.  Up next:  how to change group membership.

To add or remove a user from a group, you need to modify the "member" attribute of the group object itself, not anything on the user.  In Active Directory, "member" on the group is the writable, authoritative attribute; the user's "memberOf" is a back-link that the directory computes from it and that cannot be set directly.  To do this we'll use the set-ldap cmdlet of NetCmdlets.

Add a user to a group:

To add a user to a group, set the DN parameter of set-ldap to the DN of the group itself.  Then use the -addattribute flag to tell the cmdlet to add the attribute specified by -attrtype and -attrvalue.  -AttrType in this case will be "member", and -AttrValue will be the full distinguished name of the user you want to add to the group; the server resolves that DN against an existing object, so a mistyped DN is rejected rather than stored as a stray string.  The account in $mycred needs write permission on the group's member attribute, which for a built-in group like Administrators normally means a domain administrator.  So to add myself to the Administrators group:

PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Administrators,CN=Builtin,DC=JUNGLE" -attrtype member -attrvalue "CN=Lance Robinson,CN=Users,DC=JUNGLE" -addattribute

Host       : testboy
DN         : CN=Administrators,CN=Builtin,DC=JUNGLE
Successful : True
Type       : member
Value      : CN=Lance Robinson,CN=Users,DC=JUNGLE

Now that I've been added to the group, if I do another search for all the groups that I am a member of, I'll see "Administrators" in the list now.  Note that a plain (member=...) filter matches direct membership only; it does not follow nested groups.  On Active Directory the transitive form is (member:1.2.840.113556.1.4.1941:=<user DN>), which is the one to use when auditing who effectively holds a privileged group's rights.

PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE)(objectcategory=group))"

Host     DN
----     --
testboy  CN=Administrators,CN=Builtin,DC=JUNGLE
testboy  CN=Domain Admins,CN=Users,DC=JUNGLE
testboy  CN=DnsAdmins,CN=Users,DC=JUNGLE
PS C:\>


Remove a user from a group:

Removing a user from a group is the same process - except instead of using the -addattribute flag of the set-ldap cmdlet, I'll use -deleteattribute.  Both operations are ordinary LDAP modify requests on the group, and LDAP treats them strictly: adding a value that is already present, or deleting one that is not there, is an error on the server side rather than a silent no-op, and so is writing to a group your bind account cannot modify.  Check the Successful field of the result instead of assuming the change applied.

PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Administrators,CN=Builtin,DC=JUNGLE" -attrtype member -attrvalue "CN=Lance Robinson,CN=Users,DC=JUNGLE" -deleteattribute

Host       : testboy
DN         : CN=Administrators,CN=Builtin,DC=JUNGLE
Successful : True
Type       : member
Value      : CN=Lance Robinson,CN=Users,DC=JUNGLE
PS C:\>

Now that "CN=Lance Robinson" has been removed from the member attribute of the group itself, I am no longer a member of the Administrators group:
PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE)(objectcategory=group))"

Host     DN
----     --
testboy  CN=Domain Admins,CN=Users,DC=JUNGLE
testboy  CN=DnsAdmins,CN=Users,DC=JUNGLE
PS C:\>
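The same add / verify / delete cycle, as an added example that is not part of the original post and does not use NetCmdlets: it issues the underlying LDAP modify and search requests directly through the .NET System.DirectoryServices.Protocols API, so you can see exactly what set-ldap and get-ldap are doing on the wire. The hostname and DNs are the ones used above; the port (389), the search base DC=JUNGLE, the Negotiate bind and the function names are my assumptions. It also escapes the DN before placing it in the search filter (RFC 4515), which the raw get-ldap call above does not do, and it returns the LDAP result code from each modify instead of assuming success.

```powershell
# Added example, not code from the original post and not NetCmdlets.
# Requires Windows PowerShell on a domain-joined host (System.DirectoryServices.Protocols).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server  = 'testboy'                                   # host from the post
$port    = 389                                         # assumption: plain LDAP, secured by Negotiate signing/sealing below
$baseDn  = 'DC=JUNGLE'                                 # assumption: search base used by the post's get-ldap call
$groupDn = 'CN=Administrators,CN=Builtin,DC=JUNGLE'
$userDn  = 'CN=Lance Robinson,CN=Users,DC=JUNGLE'

# RFC 4515 escaping for a value placed inside a search filter. Without this a DN that
# contains ( ) * or \ breaks the filter, or lets whoever controls the DN rewrite the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ([string]$ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# One LDAP modify request against the group: Add or Delete a single "member" value.
# Returns the LDAP result code so the caller can distinguish Success from, for example,
# InsufficientAccessRights, instead of assuming the change applied.
function Set-GroupMember($Conn, [string]$GroupDn, [string]$MemberDn,
                         [ValidateSet('Add', 'Delete')][string]$Op) {
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = 'member'
    $mod.Operation = $Op                               # string is converted to DirectoryAttributeOperation
    [void]$mod.Add($MemberDn)
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $GroupDn
    [void]$req.Modifications.Add($mod)
    try {
        $Conn.SendRequest($req).ResultCode
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        $_.Exception.Response.ResultCode               # server refused the modify; code says why
    }
}

# Same query as the post's get-ldap call: groups whose member attribute holds this DN
# (direct membership only; nested membership needs the matching-rule-in-chain filter).
function Get-GroupsForMember($Conn, [string]$BaseDn, [string]$MemberDn) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $BaseDn
    $req.Filter = "(&(objectCategory=group)(member=$(ConvertTo-LdapFilterValue $MemberDn)))"
    $req.Scope  = 'Subtree'
    [void]$req.Attributes.Add('distinguishedName')
    $Conn.SendRequest($req).Entries | ForEach-Object { $_.DistinguishedName }
}

# Bind with Kerberos/NTLM (Negotiate) and require signing and sealing so the modify
# and the credentials are not sent in the clear over port 389.
$cred = Get-Credential -Message "Account with write access to $groupDn"
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
            $id, $cred.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Negotiate)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.Bind()

try {
    'Add    : ' + (Set-GroupMember $conn $groupDn $userDn 'Add')
    'Groups : ' + ((Get-GroupsForMember $conn $baseDn $userDn) -join '; ')
    'Delete : ' + (Set-GroupMember $conn $groupDn $userDn 'Delete')
    'Groups : ' + ((Get-GroupsForMember $conn $baseDn $userDn) -join '; ')
} finally {
    $conn.Dispose()
}
```

Run it as an account that can write the group; the first Add should report Success and the first group list should include the Administrators DN, after Delete it should not. Running Add twice, or Delete for a DN that is not a member, returns a non-success code from the server rather than Success, which is the behaviour the -addattribute / -deleteattribute results above reflect. If you would rather not rely on Negotiate signing and sealing, use port 636 and set SessionOptions.SecureSocketLayer to $true instead.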

posted on Monday, August 6, 2007 10:22 AM | Filed Under [ PowerShell ]

Feedback


# re: LDAP - Change Group Membership

Hi,
Thank you for sharing valuable information.
I wish to know: in my code I have added the following attribute types for users to be eligible to become a member of any LDAP group:
member, uniqueMember, memberUid.

I wish to know whether the above attribute types are part of some standard or mandatory for any LDAP or AD server for members to be added to a group.

In other words, if my LDAP server group does not have these attribute types and values, then any user that is in the group will not be considered a member unless one of the above values is set.
Please let me know.

Thank you once again,
Girish
10/22/2008 2:31 AM | Girish Bapat

# re: LDAP - Change Group Membership

Dear Team,

Thank you very much for sharing the crucial information. I just want to know how to remove a user from a group in LDAP by using a .ldif file.

Please give me a script for the same issue.

Warm Regards,
Dinesh N M
10/22/2011 9:13 AM | Dinesh N M
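The LDIF route asked about in the comment above, as an added example that is not part of the original post or its comments: a single LDIF change record that deletes one value from the group's member attribute, written out and imported with ldifde, the LDIF import tool that ships with Windows Server. The hostname and DNs are the ones used in the post; the file name and location are my assumptions.

```powershell
# Added example, not from the original post. Removes one member from a group by importing
# an LDIF modify record with ldifde (Windows Server / RSAT).
$server  = 'testboy'                                  # host from the post
$groupDn = 'CN=Administrators,CN=Builtin,DC=JUNGLE'
$userDn  = 'CN=Lance Robinson,CN=Users,DC=JUNGLE'
$ldif    = Join-Path $env:TEMP 'remove-member.ldf'    # assumption: temporary file name

# One modify record. "delete: member" followed by a value removes only that value.
# A bare "delete: member" with no value line would clear the whole member list,
# so always give the value. The lone "-" ends the modification and is required.
@"
dn: $groupDn
changetype: modify
delete: member
member: $userDn
-

"@ | Set-Content -Path $ldif -Encoding ASCII

# -i import, -f file, -s server. ldifde binds as the current logon session, so run it
# as an account allowed to write the group. Avoid -b with a password on the command
# line: it lands in process listings and command history.
ldifde -i -f $ldif -s $server
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with exit code $LASTEXITCODE" }
Remove-Item $ldif
```

Swapping "delete: member" for "add: member" turns the same record into the add operation from the post. LDIF is ASCII by design; if a DN contains non-ASCII characters, the value must be base64-encoded and written as "member:: <base64>" instead of being placed in the file literally.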