Then I have created a new user, i.e. "sguser100 user" and assign AD Provisioning Role. The AD Provisioning Role has Account Template that specifies the user to belong to "SGUser" group.

The user has been provisioned AD account and that account belongs to SGUsers group.

After that I have run the following etautil command

etautil -d im -u etaadmin -p Password01 update "eTADSOrgUnitName=Users,eTADSOrgUnitName=Home,eTADSDirectoryName=sanwi06-2k16-ad_EP,eTNamespaceName=ActiveDirectory,dc=im" eTADSAccount eTADSAccountName="sguser100 user" to +eTADSmemberOf="CN=VIPUsed,OU=NewComers,OU=NorthRyde,DC=wslab2,DC=local";

Please notice the + sign prefix added before eTADSmemberOf=.... As eTADSmemberOf is multi values attribute this command will add "sguser100 user" another group. The command will not remove "sguser100 user" from "SGUsers" group that the user already belongs to.

After that, if I run the following etautil command

etautil -d im -u etaadmin -p Password01 update "eTADSOrgUnitName=Users,eTADSOrgUnitName=Home,eTADSDirectoryName=sanwi06-2k16-ad_EP,eTNamespaceName=ActiveDirectory,dc=im" eTADSAccount eTADSAccountName="sguser100 user" to -eTADSmemberOf="CN=VIPUsed,OU=NewComers,OU=NorthRyde,DC=wslab2,DC=local";

Please notice the - sign prefix added before eTADSmemberOf=.... The command will remove "sguser100 user" from "VIPUsed" group but not from other group(s) the user already belongs to.

If you don't prefix eTADSmemberOf=..., that means *replace*, all group memberships will be removed and replace to only "VIPUsed" group.

Please be informed that if I removed "sguser100 user" from "SGUsers" group using etautil and then I run Synchronization > Synchronize User with Account Templates, I will then restore "sguser100 user" to belong to "SGUsers" group.