"net rpc group addmem/delmem" ignores the "managedBy" group attribute.
Typically, the AD ACL group has the following attributes:
The “managedBy” attribute refers to another ACL group that can manage this group (i.e. add/remove users). It looks like "net rpc group addmem/delmem" only makes an LDAP modify request to the AD, so unless you have LDAP write access (e.g. Domain Admin) you won’t be able to modify the group. In other words, it ignores the special “managedBy” attribute.
"net rpc group" does not use LDAP, it uses the SAMR rpc pipe. But even if we were using LDAP, I don't see why addmem/delmem would have to take care of the managed-by attribute. Metze, correct me if I'm wrong here please....