Platform SDK: Active Directory, ADSI, and Directory Services
When a member server or a computer running Windows NT® Workstation or Windows® 2000 Professional is a member of a Windows 2000 domain, the groups or users in the domain can be used in the computer's local security database to grant rights to that group or user on that particular computer.
When managing groups on a Windows 2000 domain using ADSI, you use the LDAP provider. When managing groups on member servers and on a computer running Windows NT Workstation or Windows 2000 Professional, you use the WinNT provider.
This means you need to bind at least once to each provider: 1) Bind to the LDAP provider to retrieve the ADsPath to the group or user you want to add to a group in the local database and 2) Bind to the WinNT provider to add that user or group to a machine local group.
Note: Only machine local groups can be created on member servers and Windows 2000 Professional. However, those machine local groups can contain 1) universal and global groups from the forest containing the domain that the computer is a member of, 2) domain local groups from that computer's domain, or 3) users from any domain in the forest.
To enumerate the machine local groups on a member server or computer running Windows 2000 Professional, bind to the computer using a binding string with the following format:
WinNT://sComputerName,computer
where sComputerName is the name of the computer whose local group you want to add a member to.
In the binding string, the ",computer" parameter tells ADSI that it is binding to a computer. ADSI makes this information available to the WinNT provider's parser so that it can skip some ambiguity-resolution queries to determine what type of object you are binding to. This can save the user a 5-20 second wait for the ambiguity to be resolved.
If the user or group is in the current user's domain, use serverless binding and rootDSE to bind to the domain, get an IADs pointer, use the IADs::Get method to retrieve the dc attribute (this is the domain name), and use the dc value to bind to the domain using a binding string with the following format:
WinNT://sDomainName,domain
where sDomainName is the name of the domain containing the user or group you want to add to the machine local group.
Then, use IADsContainer::GetObject to bind to the user or group object and use the IADs::get_ADsPath method to get the ADsPath of the object.
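The two-provider procedure above, written out as an added PowerShell example (not code from the SDK page). It uses the [ADSI] type accelerator, which wraps the same ADSI interfaces; the computer, group and user names are assumed placeholders, and the member is only added if IADsGroup::IsMember reports it is not already present.

```powershell
# Added example: add a domain user to a machine local group by combining
# the LDAP provider (to find the user's ADsPath) and the WinNT provider
# (to modify the local group). Placeholder names are assumptions.
function Add-LocalGroupMemberViaAdsi {
    param(
        [string]$ComputerName = 'MEMBERSRV01',     # assumed member server / workstation
        [string]$GroupName    = 'Administrators',  # assumed machine local group
        [string]$UserName     = 'jdoe'             # assumed user in the current domain
    )

    # 1) LDAP provider: serverless bind to rootDSE, then to the domain
    #    naming context, and read its dc attribute (the domain name).
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $domainObj = [ADSI]('LDAP://' + $rootDse.Get('defaultNamingContext'))
    $dcName    = $domainObj.Get('dc')

    # 2) WinNT provider: bind to the domain with the ",domain" hint, then
    #    IADsContainer::GetObject (DirectoryEntries.Find) for the user object
    #    and read its ADsPath (IADs::get_ADsPath -> .Path).
    $winntDomain = [ADSI]("WinNT://$dcName,domain")
    $user        = $winntDomain.Children.Find($UserName, 'user')
    $userAdsPath = $user.Path

    # 3) WinNT provider: bind to the computer with the ",computer" hint so
    #    the parser skips ambiguity resolution, then locate the local group.
    $computer = [ADSI]("WinNT://$ComputerName,computer")
    $group    = $computer.Children.Find($GroupName, 'group')

    # IADsGroup::IsMember / IADsGroup::Add both take the member's ADsPath.
    if ($group.Invoke('IsMember', @($userAdsPath))) {
        Write-Verbose "$userAdsPath is already a member of $GroupName"
        return $false
    }
    $group.Invoke('Add', @($userAdsPath))
    return $true
}

# Example call; returns $true when the member was added, $false if it was
# already present. Requires rights to modify the target computer's group.
Add-LocalGroupMemberViaAdsi -ComputerName 'MEMBERSRV01' -GroupName 'Administrators' -UserName 'jdoe' -Verbose
```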