2.7.2.10 Modify Group Member List - Client Application
In this use case, an existing security group is used to control access to directory resources. An administrator wants to modify the member list of that group so that a new account can access the controlled resources. The administrator starts a client application to modify the member list for an existing group. The client application establishes a connection to the Active Directory system.
Goal
Modify the member list of an existing group.
Context of Use
An administrator wants to add members to, or delete members from, a security group.

Figure 23: Use case diagram for modifying the member list of a group
Actors
Client application
The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to modify the member list of a group, and relays the response to the administrator.
Windows Authentication Services
Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity so that the Active Directory system can make access-control decisions.
Directory server
The directory server is the supporting actor that receives the request and modifies the list.
Stakeholders
Administrator
The administrator initiates operations on an account such as create, reset, change, query for group members, create a security group, modify the group member list, and delete. The administrator primarily wants to know that the operations completed successfully, or to receive an error message if they failed.
Directory
The directory is the entity that contains the list being modified.
Preconditions
The system-wide preconditions, as described in section 2.6, are satisfied. The Active Directory system completes initialization, as described in section 2.6.
The client application has connectivity to a directory server to which it can establish a connection (if it is not already connected) and send the request.
The security group that is being modified exists.
Main Success Scenario
1. Trigger: The administrator provides the group name for the group to be modified and the updates for the group's member list, along with credentials, as input to the client application, and invokes the operation that modifies the member list of a group.
2. The client application establishes a connection to the directory server. Windows Authentication Services uses the supplied credentials to authenticate the client application ([MS-AUTHSOD] section 2).
3. The client application sends a request to the directory server to modify the member list of the specified group. The updates for the member list are included in the request.
4. The directory server verifies that the credentials supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).
5. The directory server verifies that the new member list satisfies the constraints described in [MS-SAMR] section 3.1.1.8.9.
6. The directory object that represents the group is modified with the new member list. Additional processing might occur, as described in [MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.3, and [MS-SAMR] section 3.1.1.8.9.
7. The directory server sends a response to the client application that the member list has been modified.
Postcondition
The group's member list is modified.
Extensions
If the credentials supplied through the client application have insufficient access-control rights to modify the member list of the group:
1-4. Same as Main Success Scenario.
5. The directory server sends a response to the client application that the supplied credentials have insufficient access-control rights to modify the member list of the group.
If the member list supplied through the client application does not satisfy the constraints ([MS-SAMR] section 3.1.1.8.9):
1-5. Same as Main Success Scenario.
6. The directory server sends a response to the client application that the specified member list does not meet the constraints.
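The server-side decision sequence of the Main Success Scenario and both Extensions, modelled as an added example (not code from the specification or from any Microsoft implementation). It shows that the access-control check precedes the constraint check and that the member list is changed only after both pass. Assumptions: all class and function names are hypothetical, the may_modify set is a simplified stand-in for the group's access-control rights, and the rule "every member must be an existing account" is a placeholder for the constraints in [MS-SAMR] section 3.1.1.8.9.

```python
from dataclasses import dataclass, field
from enum import Enum

class Response(Enum):
    MODIFIED = "member list has been modified"
    ACCESS_DENIED = "insufficient access-control rights"
    CONSTRAINT_FAILED = "member list does not meet the constraints"

@dataclass
class Group:
    members: set = field(default_factory=set)
    may_modify: set = field(default_factory=set)  # simplified stand-in for the ACL

@dataclass
class ModifyRequest:
    principal: str  # identity authenticated when the connection was established
    group: str
    add: set = field(default_factory=set)
    remove: set = field(default_factory=set)

class DirectoryServer:
    def __init__(self, accounts, groups):
        self.accounts, self.groups = set(accounts), dict(groups)

    def modify_member_list(self, req):
        group = self.groups[req.group]  # precondition: the group exists
        # Access-control check comes before the constraint check, as in the
        # scenario: a caller without rights is refused even if the list is
        # also invalid.
        if req.principal not in group.may_modify:
            return Response.ACCESS_DENIED
        # Constraint check on the proposed list. Placeholder rule (assumption):
        # every member must be an existing account.
        proposed = (group.members | req.add) - req.remove
        if not proposed <= self.accounts:
            return Response.CONSTRAINT_FAILED
        group.members = proposed  # commit only after both checks pass
        return Response.MODIFIED

def demo():
    # Constructed sample data: account and group names are invented.
    server = DirectoryServer(
        accounts={"admin1", "helpdesk1", "alice", "bob"},
        groups={"FinanceShare-RW": Group(members={"alice"}, may_modify={"admin1"})})
    results = [
        server.modify_member_list(ModifyRequest("admin1", "FinanceShare-RW", add={"bob"})),
        server.modify_member_list(ModifyRequest("helpdesk1", "FinanceShare-RW", add={"ghost"})),
        server.modify_member_list(ModifyRequest("admin1", "FinanceShare-RW", add={"ghost"})),
    ]
    return results, server.groups["FinanceShare-RW"].members
```

The second request fails both checks and still receives the access-control response, and neither rejected request changes the stored member list.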