Manipulating Group Memberships
Three operations can be performed on group membership: (1) adding Windows users to a Windows group, (2) deleting Windows users from a Windows group, and (3) listing the Windows users that are members of a Windows group.
To avoid confusion, it makes sense to check group membership before attempting to make any changes. The getent group command lists UNIX/Linux group membership. UNIX/Linux group members are also seen as members of a Windows group that has been mapped using the net groupmap command (see ???). The following UNIX/Linux group listing shows that the user ajt is a member of the UNIX/Linux group Engineers.
root# getent group
...
Domain Admins:x:512:root
Domain Users:x:513:jht,lct,ajt,met,vlendecke
Domain Guests:x:514:
Print Operators:x:550:
Backup Operators:x:551:
Replicator:x:552:
Domain Computers:x:553:
Engineers:x:1000:jht,ajt
The UNIX/Linux groups have been mapped to Windows groups, as is shown here:
root# net groupmap list
Domain Admins (S-1-5-21-72630-412605-116429-512) -> Domain Admins
Domain Users (S-1-5-21-72630-412605-116429-513) -> Domain Users
Domain Guests (S-1-5-21-72630-412605-116429-514) -> Domain Guests
Print Operators (S-1-5-21-72630-412605-116429-550) -> Print Operators
Backup Operators (S-1-5-21-72630-412605-116429-551) -> Backup Operators
Replicator (S-1-5-21-72630-412605-116429-552) -> Replicator
Domain Computers (S-1-5-21-72630-412605-116429-553) -> Domain Computers
Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers
Given that the user ajt is already a member of the UNIX/Linux group and, via the
group mapping, a member of the Windows group, an attempt to add this account again should fail. This is
demonstrated here:
root# net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP
This shows that the group mapping between UNIX/Linux groups and Windows groups is effective and
transparent.
To permit the user ajt to be added using the net rpc group utility, this account must first be removed. The removal and confirmation of its effect is shown here:
root# net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get
root# getent group Engineers
Engineers:x:1000:jht
root# net rpc group members Engineers -Uroot%not24get
MIDEARTH\jht
In this example, at the UNIX/Linux system level the group no longer has ajt as a member, and the output above shows the same for the Windows group membership.
The account is now added again, using the net rpc group utility:
root# net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
root# getent group Engineers
Engineers:x:1000:jht,ajt
root# net rpc group members Engineers -Uroot%not24get
MIDEARTH\jht
MIDEARTH\ajt
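The sequence above shows why the HOWTO recommends checking membership before changing it: a second addmem for a user who is already a member fails with NT_STATUS_MEMBER_IN_GROUP, and a delmem for a non-member does nothing useful. The following script is an added example, not part of the Samba HOWTO or the Samba project: it reads a constructed sample of getent group output (a real script would run getent(1) instead), checks the mapped UNIX/Linux group, and prints the net rpc group command only when it is actually needed. The DOMAIN value MIDEARTH is taken from the page; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Samba HOWTO: decide whether a
# "net rpc group addmem" or "delmem" call is needed by checking the
# UNIX/Linux side of the mapped group first, so that a repeated addmem
# does not fail with NT_STATUS_MEMBER_IN_GROUP and a delmem is not
# issued for a user who is not a member.

DOMAIN=MIDEARTH   # the Windows domain name used in the HOWTO examples

# Constructed sample of "getent group" output (a real script would run
# getent(1) instead of reading this variable).
SAMPLE_GETENT='Domain Users:x:513:jht,lct,ajt,met,vlendecke
Domain Guests:x:514:
Engineers:x:1000:jht,ajt'

# group_members GROUP
#   Prints the comma-separated member field of GROUP from the getent
#   data. Returns 1 when the group does not exist.
group_members() {
    printf '%s\n' "$SAMPLE_GETENT" |
        awk -F: -v g="$1" '$1 == g { print $4; found = 1 } END { exit !found }'
}

# has_member GROUP USER
#   Returns 0 when USER is listed in GROUP, 1 otherwise. The match is
#   anchored on commas so that "jht" does not match "ajt".
has_member() {
    members=$(group_members "$1") || return 1
    case ",$members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# plan_addmem GROUP USER
#   Prints the net command to run when USER is not yet a member of GROUP
#   and returns 0; otherwise prints why nothing should be done and
#   returns 1. The password is left off the command line so that net
#   prompts for it instead of exposing it in the process list.
plan_addmem() {
    if has_member "$1" "$2"; then
        echo "skip: $2 is already a member of $1 (addmem would return NT_STATUS_MEMBER_IN_GROUP)"
        return 1
    fi
    printf 'net rpc group addmem "%s\\%s" %s -Uroot\n' "$DOMAIN" "$1" "$2"
}

# plan_delmem GROUP USER
#   Mirror image of plan_addmem for removals.
plan_delmem() {
    if has_member "$1" "$2"; then
        printf 'net rpc group delmem "%s\\%s" %s -Uroot\n' "$DOMAIN" "$1" "$2"
        return 0
    fi
    echo "skip: $2 is not a member of $1, nothing to remove"
    return 1
}

# Demonstration on the constructed data; each call only prints a decision.
plan_addmem Engineers ajt || true   # already a member
plan_addmem Engineers lct           # not yet a member: prints the addmem command
plan_delmem Engineers lct || true   # not a member: nothing to remove
plan_delmem Engineers ajt           # member: prints the delmem command
```

Two points worth keeping in mind when adapting this: getent matches group names case-sensitively, whereas net rpc group accepts any case for Windows group names (shown later on this page), so normalize the name before the lookup or query the Windows side with net rpc group members instead; and the HOWTO's -Uroot%not24get form places the password on the command line, where it is visible to every local user through the process list, which is why the printed commands use -Uroot alone and let net prompt.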
In this example the members of the Windows Domain Users group are validated using the net rpc group utility. Note that the contents of the corresponding UNIX/Linux group were shown four paragraphs earlier, in the getent group output. The Windows (domain) group membership is shown here:
root# net rpc group members "Domain Users" -Uroot%not24get
MIDEARTH\jht
MIDEARTH\lct
MIDEARTH\ajt
MIDEARTH\met
MIDEARTH\vlendecke
This final example shows that Windows group names are treated by Samba (as with MS Windows) in a case-insensitive manner:
root# net rpc group members "DomAiN USerS" -Uroot%not24get
MIDEARTH\jht
MIDEARTH\lct
MIDEARTH\ajt
MIDEARTH\met
MIDEARTH\vlendecke