3.2.2.4.2 Updating a Group Entry
Parameters:
Group Entry [in]: An rpcGroup class in Active Directory to be modified or deleted.
Action [in]: Indicates if the Group Entry is to be modified or deleted.
Status [out]: Indicates to the caller if the group entry update was successful or if it failed with a specific status code.
Group entries MUST be represented by using the rpcGroup class in Active Directory. If Group Entry is set to NULL or not provided, the server MUST fail the method and return RPC_S_ENTRY_NOT_FOUND.
When a group entry is modified by adding or removing a member, the following actions MUST be taken.
The server MUST locate a writable domain controller for the domain in which the RPC locator server is joined by invoking the DsrGetDcNameEx2 method on the local Netlogon server [MS-NRPC] and specifying the following parameters:
ComputerName = NULL
AccountName = NULL
AllowableAccountControlBits = 0
DomainName = NULL
DomainGuid = NULL
SiteName = NULL
Flags = (DS_WRITABLE_FLAG | DS_DS_FLAG) ([MS-ADTS] (section 6.3.1.2)).
Upon success, the server uses the domain controller specified in the DomainControllerName field of the returned DomainControllerInfo parameter for the subsequent operations. If the DsrGetDcNameEx2 method fails, the server MUST fail this method and return the status code to the caller.
The server uses a default timeout value for LDAP operations and no retries are required.
The server locator forms the entry FQDN, as specified in section 3.1.1.1, and issues an LDAP query to retrieve the corresponding Active Directory object ([MS-ADTS] section 3.1.1.4).
The server locator MUST create or modify the Active Directory object as follows:
If an Active Directory object exists with the entry FQDN, the server locator MUST verify that the Active Directory object represents a group entry by verifying that the Active Directory object is of class rpcGroup.
If the Active Directory object exists with the entry FQDN and is of class rpcServer, and if its description matches the string Created Entry, the Active Directory object MUST be treated as an empty name service entry, as specified in section 3.2.2.4.4. The Active Directory object MUST match both criteria. The server locator MUST delete the Active Directory object and re-create an Active Directory object of class rpcGroup in its place. The server locator MUST change the description of the Active Directory object to something other than Created Entry.
If no Active Directory object exists for the entry FQDN, the server locator MUST create a new object of class rpcGroup to represent the group entry.
If an Active Directory object exists for the entry FQDN, but does not have class rpcGroup, the server locator MUST return RPC_S_ENTRY_TYPE_MISMATCH.
The server locator MUST compare information in this RPC name service modification with the data already in Active Directory. If there are any differences, the server locator MUST modify the new or preexisting group entry as follows:
The server locator MUST update group members to include any represented in the rpcNsGroup attribute.
If the Action parameter indicates that the group entry is to be deleted, the server locator MUST delete the Active Directory object retrieved in step 1 earlier in this section ([MS-ADTS] section 3.1.1.5.5, Delete Operation). If the Group Entry is not found, the server MUST return error RPC_S_ENTRY_NOT_FOUND.
Any errors encountered from lower-level protocols (e.g., LDAP) are returned to the caller. If the operation is successful, the server returns the success status code (RPC_S_OK) to the higher-layer protocol.
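The decision rules above (NULL entry, the Created Entry placeholder, the class mismatch, create-if-absent, delete-if-present) are compact enough to model as a single function. The following is an added example, not code from the specification or from any Microsoft implementation: it simulates Active Directory as an in-memory dictionary keyed by entry FQDN and returns the status codes the section names. The DsrGetDcNameEx2 call is replaced by a caller-supplied callback, the entry FQDN derivation of section 3.1.1.1 is assumed to have already happened, the action values "modify" and "delete", the replacement description text, and the failure string "DC_LOOKUP_FAILED" are placeholders chosen here, and the membership update is modelled as replacing the rpcNsGroup set with the requested one.

```python
"""Model of the rpcGroup update rules in section 3.2.2.4.2 (added example).

Assumptions: the directory is a dict keyed by entry FQDN; the writable DC
lookup is a callback that raises on failure; action is "modify" or "delete".
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Set

# Status codes named in the section; numeric values are not modelled.
RPC_S_OK = "RPC_S_OK"
RPC_S_ENTRY_NOT_FOUND = "RPC_S_ENTRY_NOT_FOUND"
RPC_S_ENTRY_TYPE_MISMATCH = "RPC_S_ENTRY_TYPE_MISMATCH"

CREATED_ENTRY = "Created Entry"  # description that marks an empty name service entry
GROUP_DESCRIPTION = "rpc group entry"  # placeholder replacement description (assumption)


@dataclass
class AdObject:
    """Minimal stand-in for an Active Directory object."""
    object_class: str                      # "rpcGroup", "rpcServer", ...
    description: str = ""
    rpc_ns_group: Set[str] = field(default_factory=set)  # rpcNsGroup attribute


Directory = Dict[str, AdObject]  # simulated AD, keyed by entry FQDN


def update_group_entry(directory: Directory,
                       entry_fqdn: Optional[str],
                       action: str,
                       members: Iterable[str] = (),
                       locate_writable_dc: Callable[[], str] = lambda: "DC01") -> str:
    """Apply the modify/delete rules for a group entry and return a status code."""
    # Group Entry set to NULL or not provided: fail with RPC_S_ENTRY_NOT_FOUND.
    if entry_fqdn is None:
        return RPC_S_ENTRY_NOT_FOUND

    # Locate a writable DC; a DsrGetDcNameEx2 failure is simulated by the
    # callback raising, and its status is passed back to the caller unchanged.
    try:
        locate_writable_dc()
    except RuntimeError as err:
        return str(err)

    obj = directory.get(entry_fqdn)  # the LDAP query, simulated

    if action == "delete":
        if obj is None:
            return RPC_S_ENTRY_NOT_FOUND
        del directory[entry_fqdn]
        return RPC_S_OK

    if obj is not None:
        if obj.object_class == "rpcServer" and obj.description == CREATED_ENTRY:
            # Empty name service entry: delete it and re-create an rpcGroup
            # whose description is no longer "Created Entry".
            del directory[entry_fqdn]
            obj = AdObject("rpcGroup", description=GROUP_DESCRIPTION)
            directory[entry_fqdn] = obj
        elif obj.object_class != "rpcGroup":
            return RPC_S_ENTRY_TYPE_MISMATCH
    else:
        # No object for the entry FQDN: create a new rpcGroup.
        obj = AdObject("rpcGroup", description=GROUP_DESCRIPTION)
        directory[entry_fqdn] = obj

    # Compare with what is stored and write only if the membership differs.
    requested = set(members)
    if obj.rpc_ns_group != requested:
        obj.rpc_ns_group = requested
    return RPC_S_OK
```

Run as-is with a constructed directory: a modify on an absent FQDN creates an rpcGroup, a modify on an rpcServer described as Created Entry replaces it, a modify on any other class yields RPC_S_ENTRY_TYPE_MISMATCH, and a delete on an absent FQDN yields RPC_S_ENTRY_NOT_FOUND. The model does not check the object class on the delete path, because the section does not require it.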