Moving and Renaming Computers with Active Directory - Add or Remove a Computer Account from a Group
Problem
You want to add or remove a computer account from an Active Directory security group.
Solution
Using a graphical user interface
Open the ADUC snap-in.
If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
In the left pane, browse to the parent container of the objects you want to modify.
In the right pane, highlight each object you want to modify, right-click, and select Properties.
On the Member of tab, click Add.
Click the group to which you want to add the computer, and then click Add. To add the computer to more than one group, press Ctrl while selecting the groups you want to add the computer to, and then click Add.
To remove a group, select the group object and click Remove.
Click OK to finish.
Using a command-line interface
To add a computer object to a group, use the following syntax:
> admod -b "<GroupDN>" member:+:"<ComputerDN>"
To remove an object, replace :+: with :-: in the previous syntax.
Using VBScript
' This code adds and removes a computer object from a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
strComputerDN = "<ComputerDN>" ' e.g. cn=Fin101,cn=Computers,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
set objGroup = GetObject("LDAP://" & strGroupDN)
' Add a member
objGroup.Add("LDAP://" & strComputerDN)
' Remove a member
objGroup.Remove("LDAP://" & strComputerDN)
Discussion
In Active Directory, both user and computer objects are security principals that can be assigned rights and permissions within a domain. As such, computer objects can be added to or removed from group objects to make for simpler resource administration. You can make this change through ADUC or ADSI Edit, or by manually editing the member attribute of the appropriate group object.
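The same add and remove operations in PowerShell, as an added example that is not from the book. It assumes the ActiveDirectory module (RSAT) is installed; the function name Set-ComputerGroupMembership is hypothetical. It reads the group's member attribute first so that repeating a call changes nothing, and it supports -WhatIf for a dry run.

```powershell
#Requires -Modules ActiveDirectory

function Set-ComputerGroupMembership {
    # Hypothetical helper: adds or removes one computer account from one group.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [Parameter(Mandatory)] [string] $ComputerDN,
        [Parameter(Mandatory)] [ValidateSet('Add', 'Remove')] [string] $Action
    )

    # Fail early if either DN does not resolve to the expected object class.
    $group    = Get-ADGroup    -Identity $GroupDN    -Properties member -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerDN -ErrorAction Stop

    if ($group.GroupCategory -ne 'Security') {
        Write-Warning "$($group.Name) is a distribution group, not a security group."
    }

    # The member attribute holds DNs; -contains compares them case-insensitively.
    $isMember = $group.member -contains $computer.DistinguishedName

    if ($Action -eq 'Add' -and -not $isMember) {
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add $($computer.Name)")) {
            Add-ADGroupMember -Identity $group -Members $computer
        }
    }
    elseif ($Action -eq 'Remove' -and $isMember) {
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove $($computer.Name)")) {
            Remove-ADGroupMember -Identity $group -Members $computer -Confirm:$false
        }
    }
    else {
        Write-Verbose "No change needed: member=$isMember, action=$Action"
    }
}

# Sample DNs taken from the "e.g." comments in the VBScript above.
$groupDN    = 'cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com'
$computerDN = 'cn=Fin101,cn=Computers,dc=rallencorp,dc=com'

Set-ComputerGroupMembership -GroupDN $groupDN -ComputerDN $computerDN -Action Add -WhatIf
Set-ComputerGroupMembership -GroupDN $groupDN -ComputerDN $computerDN -Action Add
Set-ComputerGroupMembership -GroupDN $groupDN -ComputerDN $computerDN -Action Remove
```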
See Also
MSDN: NT-Group-Members attribute [AD Schema] and MSDN: Member Attribute [AD Schema]
This article is excerpted from chapter eight of the Active Directory Cookbook, Second Edition, written by Robbie Allen and Laura E. Hunter (O'Reilly; ISBN: 059610202X).