Can we use etautil command to add or update Endpoint group (Active Directory Security Group) of an Active Directory account?
Identity Manager 14.x
Yes.
First of all, please make sure the Security Groups in the Active Directory (AD) Endpoint have been explored, so that when you launch Provisioning Manager, select the AD Endpoint and go to its Content, you can see the groups.
In my lab, I have the "SGUsers" group under Home > Users and the "VIPNew" and "VIPUsed" groups under NorthRyde > NewComers.
Then I created a new user, "sguser100 user", and assigned it the AD Provisioning Role. The AD Provisioning Role has an Account Template that specifies that the user belongs to the "SGUsers" group.
The user has been provisioned an AD account, and that account belongs to the SGUsers group.
After that, I ran the following etautil command:
etautil -d im -u etaadmin -p Password01 update "eTADSOrgUnitName=Users,eTADSOrgUnitName=Home,eTADSDirectoryName=sanwi06-2k16-ad_EP,eTNamespaceName=ActiveDirectory,dc=im" eTADSAccount eTADSAccountName="sguser100 user" to +eTADSmemberOf="CN=VIPUsed,OU=NewComers,OU=NorthRyde,DC=wslab2,DC=local";
Please notice the + sign prefix added before eTADSmemberOf=.... Because eTADSmemberOf is a multi-valued attribute, this command adds "sguser100 user" to another group. It does not remove "sguser100 user" from the "SGUsers" group that the user already belongs to.
After that, if I run the following etautil command:
etautil -d im -u etaadmin -p Password01 update "eTADSOrgUnitName=Users,eTADSOrgUnitName=Home,eTADSDirectoryName=sanwi06-2k16-ad_EP,eTNamespaceName=ActiveDirectory,dc=im" eTADSAccount eTADSAccountName="sguser100 user" to -eTADSmemberOf="CN=VIPUsed,OU=NewComers,OU=NorthRyde,DC=wslab2,DC=local";
Please notice the - sign prefix added before eTADSmemberOf=.... The command removes "sguser100 user" from the "VIPUsed" group but not from any other group(s) the user already belongs to.
If you don't prefix eTADSmemberOf=..., that means *replace*: all existing group memberships are removed and replaced with only the "VIPUsed" group.
Please be informed that if I remove "sguser100 user" from the "SGUsers" group using etautil and then run Synchronization > Synchronize User with Account Templates, the synchronization restores "sguser100 user" to the "SGUsers" group.
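The sketch below is an added example, not part of the original article or of etautil. It previews the memberships that the +, - and unprefixed forms described above would leave, and builds the update statement while refusing an unprefixed replace that would silently drop existing groups. The helper names, the case-insensitive DN comparison and the full DN used for "SGUsers" are assumptions made for illustration.

```python
# Added illustration: helper names are hypothetical, not part of etautil.
PREFIX = {"add": "+", "remove": "-", "replace": ""}

# Values from the page's lab; the SGUsers DN is constructed for this example.
CONTAINER = ("eTADSOrgUnitName=Users,eTADSOrgUnitName=Home,"
             "eTADSDirectoryName=sanwi06-2k16-ad_EP,"
             "eTNamespaceName=ActiveDirectory,dc=im")
VIPUSED = "CN=VIPUsed,OU=NewComers,OU=NorthRyde,DC=wslab2,DC=local"
SGUSERS = "CN=SGUsers,OU=Users,OU=Home,DC=wslab2,DC=local"  # constructed


def preview(current, mode, group_dn):
    """Memberships expected after the update, following the page's rules."""
    if mode not in PREFIX:
        raise ValueError(f"unknown mode: {mode!r}")
    # DNs are compared case-insensitively (an assumption of this sketch).
    others = [g for g in current if g.lower() != group_dn.lower()]
    if mode == "remove":
        return others
    if mode == "replace":
        return [group_dn]
    return list(current) if len(others) < len(current) else others + [group_dn]


def build_statement(container, account, mode, group_dn, current,
                    allow_replace=False):
    """Return the 'update ... to ...;' part of the etautil command line."""
    for value in (container, account, group_dn):
        if '"' in value:
            raise ValueError(f"double quote not allowed in {value!r}")
    after = preview(current, mode, group_dn)
    dropped = [g for g in current if g not in after]
    if mode == "replace" and dropped and not allow_replace:
        raise ValueError(f"replace would drop: {dropped}")
    return (f'update "{container}" eTADSAccount eTADSAccountName="{account}" '
            f'to {PREFIX[mode]}eTADSmemberOf="{group_dn}";')


if __name__ == "__main__":
    memberships = [SGUSERS]
    print(build_statement(CONTAINER, "sguser100 user", "add", VIPUSED, memberships))
    print(preview(memberships, "add", VIPUSED))
    try:
        build_statement(CONTAINER, "sguser100 user", "replace", VIPUSED, memberships)
    except ValueError as err:
        print("refused:", err)
```

The returned statement is only the portion after the connection options; the etautil invocation and credentials shown in the commands above are prepended by the operator.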