"net rpc group addmem/delmem" ignores the "managedBy" group attribute. Typically, the AD ACL group has the following attributes: cn description distinguishedName dSCorePropagationData gidNumber groupType info instanceType managedBy member name objectCategory objectClass objectGUID objectSid sAMAccountName sAMAccountType uSNChanged uSNCreated whenChanged whenCreated The “managedBy“ attribute refers to another ACL group that can manage this group (i.e. add/remove users). It looks like "net rpc group addmem/delmem" only makes an LDAP modify request to the AD, so unless you have LDAP write access (e.g. Domain Admin) you won’t be able to modify the group. In other words, it ignores the special “managedBy” attribute. Thanks, -- Abraham
"net rpc group" does not use LDAP, it uses the SAMR rpc pipe. But even if we were using LDAP, I don't see why addmem/delmem would have to take care of the managed-by attribute. Metze, correct me if I'm wrong here please....