Geeks With Blogs

Lance Robinson
Lance Robinson is a software engineer in Durham, Chapel Hill, Raleigh, and surrounding areas. More about Lance.

In my previous posts about LDAP group membership, I've talked about how to get a list of groups, how to search for a particular group's members, and how to search for the groups a particular user belongs to. Up next: how to change group membership.

To add or remove a user from a group, you need to modify the "member" attribute of the group itself.  To do this we'll use the set-ldap cmdlet of NetCmdlets.

Add a user to a group:

To add a user to a group, set the -dn parameter of set-ldap to the DN of the group itself. Then use the -addattribute flag to tell the cmdlet to add the attribute specified by -attrtype and -attrvalue. -attrtype in this case will be "member", and -attrvalue will be the DN of the user you want to add to the group. So to add myself to the Administrators group:

PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Administrators,CN=Builtin,DC=JUNGLE" -attrtype member -attrvalue "CN=Lance Robinson,CN=Users,DC=JUNGLE" -addattribute

Host       : testboy
DN         : CN=Administrators,CN=Builtin,DC=JUNGLE
Successful : True
Type       : member
Value      : CN=Lance Robinson,CN=Users,DC=JUNGLE

Now that I've been added to the group, if I do another search for all the groups that I am a member of, I'll see "Administrators" in the list:

PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE)(objectcategory=group))"

Host     DN
----     --
testboy  CN=Administrators,CN=Builtin,DC=JUNGLE
testboy  CN=Domain Admins,CN=Users,DC=JUNGLE
testboy  CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>


Remove a user from a group:

Removing a user from a group is the same process, except that instead of the -addattribute flag of the set-ldap cmdlet, I'll use -deleteattribute:

PS C:\> set-ldap -server testboy -cred $mycred -dn "CN=Administrators,CN=Builtin,DC=JUNGLE" -attrtype member -attrvalue "CN=Lance Robinson,CN=Users,DC=JUNGLE" -deleteattribute

Host       : testboy
DN         : CN=Administrators,CN=Builtin,DC=JUNGLE
Successful : True
Type       : member
Value      : CN=Lance Robinson,CN=Users,DC=JUNGLE

PS C:\>

Now that "CN=Lance Robinson" has been removed from the member attribute of the group itself, I am no longer a member of the Administrators group:

PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE)(objectcategory=group))"

Host     DN
----     --
testboy  CN=Domain Admins,CN=Users,DC=JUNGLE
testboy  CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>
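As an added example (not code from the post, and not part of NetCmdlets), here is the same add and remove of a group's member attribute done with the .NET System.DirectoryServices.Protocols API, which shows the raw LDAP modify that set-ldap's -addattribute and -deleteattribute switches issue. It checks current membership first so the call is idempotent, and signs and seals the session; the server name, credential and DNs reuse the post's placeholders and are assumptions to replace with your own.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Set-LdapGroupMember {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$MemberDn,
        [Parameter(Mandatory)][ValidateSet('Add', 'Delete')][string]$Action
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential.GetNetworkCredential())
    $conn.SessionOptions.ProtocolVersion = 3
    # Sign and seal the session so the modify cannot be tampered with or read on the wire.
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()
    try {
        # Base-scope search on the group itself: does "member" already hold this DN?
        # Checking first keeps the call idempotent; otherwise the server answers
        # attributeOrValueExists (adding twice) or noSuchAttribute (deleting a non-member).
        $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $GroupDn, "(member=$MemberDn)",
            [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]'member')
        $isMember = $conn.SendRequest($search).Entries.Count -gt 0
        if (($Action -eq 'Add') -eq $isMember) {
            return [pscustomobject]@{ DN = $GroupDn; Value = $MemberDn; Action = $Action; Changed = $false }
        }
        # One DirectoryAttributeModification on "member" with operation Add or Delete:
        # this is the LDAP modify behind -addattribute / -deleteattribute.
        $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
        $mod.Name = 'member'
        $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]$Action
        [void]$mod.Add($MemberDn)
        $req  = New-Object System.DirectoryServices.Protocols.ModifyRequest($GroupDn,
            [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($mod))
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{ DN = $GroupDn; Value = $MemberDn; Action = $Action
                           Changed = ($resp.ResultCode -eq [System.DirectoryServices.Protocols.ResultCode]::Success) }
    }
    finally { $conn.Dispose() }
}

# Usage with the post's placeholder names (assumed; replace with your own server, credential and DNs):
# $mycred = Get-Credential
# Set-LdapGroupMember -Server testboy -Credential $mycred -Action Add `
#     -GroupDn 'CN=Administrators,CN=Builtin,DC=JUNGLE' -MemberDn 'CN=Lance Robinson,CN=Users,DC=JUNGLE'
```

Run the same call with -Action Delete to undo it; Changed=$false tells you the directory was already in the requested state, which is what you want from a script that may be re-run.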

Posted on Monday, August 6, 2007 10:22 AM in PowerShell


Comments on this post: LDAP - Change Group Membership

# re: LDAP - Change Group Membership
Hi,
Thank you for sharing valuable information.
I wish to know: in my code I have added the following attribute types for users to be eligible to become a member of any LDAP group:
member, uniqueMember, memberUid.

I wish to know whether the above attribute types follow some standard or are mandatory for any LDAP or AD server for members to add themselves to a group.

In other words, if my LDAP server group does not have these attribute types and values, then any user that is in the group will not be considered a member unless one of the above values is set.
Please let me know.

Thank you once again,
Girish
Left by Girish Bapat on Oct 22, 2008 2:31 AM

# re: LDAP - Change Group Membership
Dear Team,

Thank you very much for sharing the crucial information. I just want to know how to remove a user from a group in LDAP by using a .ldif file.

Please give me a script for the same issue.

Warm Regards,
Dinesh N M
Left by Dinesh N M on Oct 22, 2011 9:13 AM


Copyright © Lance Robinson | Powered by: GeeksWithBlogs.net