3.2.5.12 Group Membership

Settings in Group Membership MUST be set by applying members and membership on a group for each setting.

If a GroupNameMembers, GroupNameMemberOf, or the Value element value is not valid as specified in section 2.2.10, the client MUST stop processing Group Membership settings and log an error.

If the group specified by the Key (section 2.2.10) of the setting is a domain local, global, or universal group, then:

  • For domain local, global and universal groups in the Values (section 2.2.10) of the setting, members and membership MUST be applied by performing external behavior consistent with locally invoking "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters for each of the SIDs or Names in the Value (section 2.2.10) in a setting:

    • TaskInputADConnection: An ADConnection handle ([MS-DTYP] section 2.2.2) based on the client's domain name.

    • TaskInputRequestMessage: An LDAP ModifyRequest ([RFC2251] section 4.6) as follows:

      • object: Distinguished name for the group specified by the Key (section 2.2.10) of the setting.

      • The modification sequence has one entry, as follows:

        • operation: add.

        • modification:

          • type: member or memberOf.

          • vals: Distinguished name for the object specified by a SID or name in the Value (section 2.2.10) of the setting.

  • For local groups in the Values (section 2.2.10) of the setting, membership MUST be applied by performing external behavior consistent with locally invoking SamrAddMemberToGroup ([MS-SAMR] section 3.1.5.8.1) for each of the SIDs or names in the Value (section 2.2.10) in a setting:

    • The GroupHandle MUST be set to the group handle opened by performing external behavior consistent with locally invoking SamrOpenGroup ([MS-SAMR] section 3.1.5.1.7) using the relative identifier (RID) of the group specified by the Value (section 2.2.10) of the setting.

    • The MemberId MUST be set to the RID of the object specified by the SID or name in the Key (section 2.2.10) of the setting.

    • The Attributes MUST be set to zero.

If the group specified by the Key (section 2.2.10) of the setting is a local group, members MUST be applied by performing external behavior consistent with locally invoking SamrAddMemberToGroup ([MS-SAMR] section 3.1.5.8.1) for each of the SIDs or names in the Value (section 2.2.10) in a setting:

  • The GroupHandle MUST be set to group handle opened by performing external behavior consistent with locally invoking SamrOpenGroup ([MS-SAMR] section 3.1.5.1.7) using the RID of the group specified by the Key (section 2.2.10) of the setting.

  • The MemberId MUST be set to the RID of the object specified by the SID or name in the Value (section 2.2.10) of the setting.

  • The Attributes MUST be set to zero.
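The dispatch rules above (validate, then choose between an LDAP ModifyRequest and a SamrAddMemberToGroup call depending on whether the Key group and each Value object are domain groups or local groups) can be exercised as a planner that emits the parameters of each operation without contacting a directory or SAM server. The following Python is an added example, not code from this specification or from any Windows implementation. It assumes a Key of the form `*SID__Members` / `name__Memberof` (the GptTmpl.inf convention), a constructed in-memory directory with hypothetical SIDs and DNs in place of real LSA/LDAP lookups, that a user or computer in the Values takes the same LDAP path as a domain group (the section only spells out the group cases), and that an unresolvable SID or name is what "not valid as specified in section 2.2.10" means here.

```python
import logging
from dataclasses import dataclass
from enum import Enum
from typing import Optional

log = logging.getLogger("gpsb.group_membership")


class Scope(Enum):
    DOMAIN_LOCAL = "domain local"
    GLOBAL = "global"
    UNIVERSAL = "universal"
    LOCAL = "local"  # SAM (machine-local) group


DOMAIN_GROUP_SCOPES = {Scope.DOMAIN_LOCAL, Scope.GLOBAL, Scope.UNIVERSAL}


@dataclass(frozen=True)
class Principal:
    sid: str
    name: str
    dn: str          # empty for a SAM-local group, which has no directory DN here
    rid: int
    scope: Optional[Scope]  # None for a user or computer account


class InvalidSetting(Exception):
    """Stands in for the validity checks of section 2.2.10 (assumption: unresolvable = invalid)."""


# Constructed sample directory with hypothetical SIDs/DNs; a real client resolves
# SIDs and names through LSA or LDAP lookups instead.
DIRECTORY = [
    Principal("S-1-5-21-1-2-3-1101", "DomainApps", "CN=DomainApps,OU=Groups,DC=example,DC=test", 1101, Scope.GLOBAL),
    Principal("S-1-5-21-1-2-3-1102", "AppAdmins", "CN=AppAdmins,OU=Groups,DC=example,DC=test", 1102, Scope.UNIVERSAL),
    Principal("S-1-5-21-1-2-3-1105", "alice", "CN=alice,OU=Users,DC=example,DC=test", 1105, None),
    Principal("S-1-5-21-9-9-9-1001", "LocalOps", "", 1001, Scope.LOCAL),
]


def resolve(ident: str) -> Principal:
    """Look up a '*SID' or bare name; an unknown identifier is treated as invalid."""
    key = ident[1:] if ident.startswith("*") else ident
    for p in DIRECTORY:
        if key == p.sid or key.lower() == p.name.lower():
            return p
    raise InvalidSetting(f"unresolvable identifier {ident!r}")


def ldap_add(group: Principal, attr: str, member: Principal) -> dict:
    """Parameters of the LDAP ModifyRequest: object = Key group DN, one 'add' of member/memberOf."""
    return {"call": "ldap_modify", "object": group.dn,
            "modification": {"operation": "add", "type": attr, "vals": [member.dn]}}


def samr_add(container: Principal, member: Principal) -> dict:
    """Parameters of SamrAddMemberToGroup: GroupHandle via SamrOpenGroup(RID), MemberId = RID, Attributes = 0."""
    return {"call": "SamrAddMemberToGroup", "GroupHandle": {"SamrOpenGroup_rid": container.rid},
            "MemberId": member.rid, "Attributes": 0}


def plan_setting(key: str, values: list) -> list:
    """Plan the operations for one Group Membership setting (key '<*SID|name>__Members|__Memberof')."""
    ident, _, kind = key.partition("__")
    attr = {"members": "member", "memberof": "memberOf"}.get(kind.lower())
    if attr is None:
        raise InvalidSetting(f"unknown setting kind in key {key!r}")
    group = resolve(ident)
    if group.scope is None:
        raise InvalidSetting(f"key {ident!r} does not name a group")
    ops = []
    for v in values:
        target = resolve(v)
        if group.scope in DOMAIN_GROUP_SCOPES:
            if target.scope == Scope.LOCAL:
                # A local group in the Values: the Key object joins it through SAMR,
                # so the handle comes from the Value group and MemberId from the Key.
                ops.append(samr_add(container=target, member=group))
            else:
                # Domain group (or, by assumption, a user) in the Values: LDAP modify on the Key group.
                ops.append(ldap_add(group, attr, target))
        else:
            # The Key names a local group: every Value object is added through SAMR.
            ops.append(samr_add(container=group, member=target))
    return ops


def apply_group_membership(settings: list) -> tuple:
    """Process settings in order; on the first invalid one, log an error and stop (ok = False)."""
    planned = []
    for key, values in settings:
        try:
            planned.extend(plan_setting(key, values))
        except InvalidSetting as exc:
            log.error("Group Membership: %s; stopping processing", exc)
            return planned, False
    return planned, True
```

Because the planner only produces parameter dictionaries, it can be unit-tested without a domain controller, and the same separation lets a client log exactly which membership changes a policy would make before issuing them.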