Re: Adding groups to a user account

Thu, 28 Sep 2006 18:38:09 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


AD doesn't keep track of group membership on the user object.  It
does a little sleight-of-hand in the background when you query a
user object to show you what groups it's it.  However, there's no
actual attribute on the user for that.  This can most easily be
demonstrated if you have a multi-domain forest.  If a user is in
a group in another domain, looking at memberOf on that user will
not list those groups.

To add a user to a group in AD you need to modify the member attribute
on the group object.  If you have the LDAP object of the group in
$group and the user's DN in $userDN, then

  $ldap->modify($group->dn(), add => { member => [ $UserDN ] } );

will work.

On Sep 28, 2006, at 10:34 AM, Giuoco, Aaron wrote:


Hi all,

I am trying to add groups to a user account on a Windows 2003 Active
Directory server.  Every time I run my code, I get the following error
message:
ERROR: 0000209A: SvcErr: DSID-031A0DD5, problem 5003 (WILL_NOT_PERFORM), 
data 0

Below is the code that triggers this message:

----Begin Code----
my $message = $ldap->modify($entry->dn(), add => { memberOf =>
$groupsArray });
if ($message->is_error()) {
    return "ERROR: " . $message->error() . "\n";
} else {
    return 1;
}
----End Code----
The $ldap object is valid and the user object ($entry) is also valid. I tested both of them earlier in the script. $groupsArray is a reference to an array containing the DNs of the groups I am trying to add to this 
user account.
Just to test, I also created a foreach() and tried to add each group DN 
one at a time.  It fails when trying to add the first group.  It looks
like it won't let me modify the memberOf property for some reason, but
that doesn't make since to me as I am connecting as a Domain Admin.

Any idea as to what I'm doing wrong?  Thanks in advance.

___________________________
Aaron Giuoco
Systems Admin
Atlantia Offshore Limited
e: [EMAIL PROTECTED]
ph: 281-899-4385



- --
Glenn Lamb
Systems Administrator
[EMAIL PROTECTED]
http://www.stanford.edu/~glamb/gpg.txt
CE4B 7186 D8FD 317F 8364  12CD 02BB ED17 F3E8 555C



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)

iD8DBQFFHBCHArvtF/PoVVwRAorAAKDRpk2+KnJrBblmjD21UeuRVYDwsACgmcb7
MLCIFqU5LTAZeE1x2tN9Jz8=
=TYS5
-----END PGP SIGNATURE-----

Reply via email to