Platform SDK: Active Directory, ADSI, and Directory Services

Adding Domain Groups to Machine Local Groups on Member Servers and Windows 2000 Professional

When a member server or a computer running Windows NT® Workstation or Windows® 2000 Professional is a member of a Windows 2000 domain, the groups or users in the domain can be used in the computer's local security database to grant rights to that group on that particular computer.

When managing groups on a Windows 2000 domain using ADSI, you use the LDAP provider. When managing groups on member servers and a computer running Windows NT Workstation/Windows 2000 Professional, you use the WinNT provider.

This means you need to bind at least once to each provider: 1) Bind to the LDAP provider to retrieve the ADsPath to the group or user you want to add to a group in the local database and 2) Bind to the WinNT provider to add that user or group to a machine local group.

Note  Only machine local groups can be created on member servers and Windows 2000 Professional. However, those machine local groups can contain 1) universal and global groups from the forest containing the domain that the computer is a member of, 2) domain local groups from that computer's domain, or 3) users from any domain in the forest.

To add a domain user or group to a machine local group on a member server or computer running Windows 2000 Professional

  1. Bind to the group you want to add a member to using the following rules:
    1. Use an account that has sufficient rights to access that computer.
    2. Use the following binding string format, which names the WinNT provider and the computer and adds an extra parameter to tell ADSI that it is binding to a computer:

      WinNT://sComputerName,computer

      where sComputerName is the name of the computer that holds the group you want to add a member to.

      In the binding string, the ",computer" parameter tells ADSI that it is binding to a computer. ADSI makes this information available to the WinNT provider's parser so that it can skip some ambiguity-resolution queries to determine what type of object you are binding to. This can save the user a 5-20 second wait for the ambiguity to be resolved.

    3. Bind to the IADsContainer interface of the computer.
    4. Use IADsContainer::GetObject to bind to the group object and specify "localGroup" as the class and the group name as the name of the object.
  2. Get the ADsPath of the user or group to add to the group. You should bind to the object using the WinNT provider, get an IADs pointer, and use the IADs::get_ADsPath property method to get the ADsPath of the object.

    If the user or group is in the current user's domain, use serverless binding and rootDSE to bind to the domain, get an IADs pointer, use the IADs::Get method to retrieve the dc attribute (this is the domain name), and use the dc value to bind to the domain using a binding string with the following format:

    WinNT://sDomainName,domain

    where sDomainName is the name of the domain containing the user or group you want to add to the machine local group.

    Then, use IADsContainer::GetObject to bind to the user or group object and use the IADs::get_ADsPath method to get the ADsPath of the object.

  3. Add the user or group to the group, using the IADsGroup::Add method.
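The three steps above carried out from PowerShell with the same WinNT and LDAP binding strings, as an added example that is not part of the SDK text; the computer name, local group name and domain principal are placeholders to replace.

```powershell
# Added example, not from the Platform SDK: add a domain group (or user) to a
# machine local group by following the three steps of the procedure above.
# The computer, group and principal names are placeholders to replace.
param(
    [string]$ComputerName  = 'MEMBERSRV01',          # member server or workstation
    [string]$LocalGroup    = 'Remote Desktop Users',  # machine local group
    [string]$PrincipalName = 'HelpDeskOperators'      # domain group or user to add
)

# Step 1: bind to the computer with the WinNT provider. The ",computer" suffix
# tells the provider's parser what it is binding to, so it can skip the
# ambiguity-resolution queries described above.
$computer = [ADSI]"WinNT://$ComputerName,computer"
# IADsContainer::GetObject equivalent: Find(name, class) on the container
$group = $computer.Children.Find($LocalGroup, 'group')

# Step 2: find the domain name via serverless binding to rootDSE, then bind to
# the domain with the WinNT provider and take the member's ADsPath.
$rootDse     = [ADSI]'LDAP://RootDSE'
$domainEntry = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
# "dc" is the leftmost DNS label of the domain; it equals the NetBIOS name the
# WinNT provider expects only when the two were chosen to coincide.
$domainName  = [string]$domainEntry.dc
$domain      = [ADSI]"WinNT://$domainName,domain"
$member = $null
foreach ($class in 'group', 'user') {          # the procedure allows either
    try   { $member = $domain.Children.Find($PrincipalName, $class); break }
    catch { }                                  # not found under this class
}
if (-not $member) { throw "No user or group named '$PrincipalName' in $domainName" }
$memberPath = $member.Path                     # IADs::get_ADsPath

# Step 3: IADsGroup::Add, skipped when the principal is already a member so the
# script can be re-run safely.
if ($group.IsMember($memberPath)) {
    Write-Output "$memberPath is already a member of $LocalGroup on $ComputerName"
} else {
    $group.Add($memberPath)
    Write-Output "Added $memberPath to $LocalGroup on $ComputerName"
}

# Audit: list the group's members (IADsGroup::Members) so the change can be
# verified against what the local security database now contains.
$group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
```

Run it under an account that is an administrator on the target computer; the membership listing at the end is what an audit of the local group should show afterwards.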