In AD you need to modify the group object's member attribute. The text below, which was extracted from
http://www.awprofessional.com/articles/article.asp?p=474649&seqNum=6&rl=1
explains this.

The memberOf attribute is a calculated back link held on the group member object itself. As such, group membership is always managed from the group object side (the forward link) of the relationship and the back link is updated by the system automatically. That is, we can read the memberOf attribute, but we cannot modify it directly.

-----Original Message-----
From: Giuoco, Aaron [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 28, 2006 10:34 AM
To: perl-ldap@perl.org
Subject: Adding groups to a user account

Hi all,

I am trying to add groups to a user account on a Windows 2003 Active Directory server. Every time I run my code, I get the following error message:

ERROR: 0000209A: SvcErr: DSID-031A0DD5, problem 5003 (WILL_NOT_PERFORM), data 0

Below is the code that triggers this message:

----Begin Code----
my $message = $ldap->modify($entry->dn(), add => { memberOf => $groupsArray });
if ($message->is_error()) {
    return "ERROR: " . $message->error() . "\n";
} else {
    return 1;
}
----End Code----

The $ldap object is valid and the user object ($entry) is also valid. I tested both of them earlier in the script. $groupsArray is a reference to an array containing the DNs of the groups I am trying to add to this user account. Just to test, I also created a foreach() and tried to add each group DN one at a time. It fails when trying to add the first group. It looks like it won't let me modify the memberOf property for some reason, but that doesn't make sense to me as I am connecting as a Domain Admin.

Any idea as to what I'm doing wrong?

Thanks in advance.

___________________________
Aaron Giuoco
Systems Admin
Atlantia Offshore Limited
e: [EMAIL PROTECTED]
ph: 281-899-4385
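
Added example, not part of the original thread or the poster's script: the change the reply describes, written with Net::LDAP so that each group's member attribute (the forward link) receives the user's DN instead of writing memberOf on the user. The host name, bind account, DNs and the helper name add_user_to_groups are constructed placeholders.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_ALREADY_EXISTS LDAP_TYPE_OR_VALUE_EXISTS);

# Add $user_dn to each group by writing the forward link (member) on the
# group object; AD then updates the user's memberOf back link on its own.
# Returns a hash ref: group DN => 'added', 'already a member', or error text.
sub add_user_to_groups {
    my ($ldap, $user_dn, $group_dns) = @_;
    my %result;
    for my $group_dn (@$group_dns) {
        my $msg = $ldap->modify($group_dn, add => { member => [ $user_dn ] });
        if (!$msg->is_error()) {
            $result{$group_dn} = 'added';
        }
        elsif ($msg->code == LDAP_ALREADY_EXISTS
            || $msg->code == LDAP_TYPE_OR_VALUE_EXISTS) {
            # The user is already in this group; not a failure.
            $result{$group_dn} = 'already a member';
        }
        else {
            # Keep going so one bad group DN does not hide the other results.
            $result{$group_dn} = 'ERROR: ' . $msg->error();
        }
    }
    return \%result;
}

# Constructed placeholders: none of these values come from the thread.
my $ldap = Net::LDAP->new('ldaps://dc.example.com')
    or die "connect failed: $@";
my $bind = $ldap->bind('CN=svc-groups,OU=Service,DC=example,DC=com',
                       password => $ENV{LDAP_BIND_PW});
die 'bind failed: ' . $bind->error() if $bind->is_error();

my $results = add_user_to_groups(
    $ldap,
    'CN=Jane Doe,OU=Staff,DC=example,DC=com',
    [ 'CN=Engineering,OU=Groups,DC=example,DC=com',
      'CN=VPN Users,OU=Groups,DC=example,DC=com' ],
);
print "$_ => $results->{$_}\n" for sort keys %$results;
$ldap->unbind;
```

The bind account only needs write access to the member attribute of the target groups, so a delegated service account can be used in place of a Domain Admin.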