Technically you could do this with a Script/SDK Script activity in a workflow, however, you'll need an account that has sufficient rights in AD to manage group memberships, so it is important to be mindful of the security implications (i.e., who has access to Workflow).
I would say that, in general, giving the Workflow service account permissions in AD preferable to adding plain text credentials inside the workflow script code; either way security is an important consideration here (i.e., who has access to view or publish/edit workflows).
Another thing to keep in mind is that when you run a Workflow Script from the editor for testing, it is running under your account, but when it executes in a workflow instance it will be running under the service account used by Workflow.
As a result, you may see different results in testing vs running the workflow (i.e., working in one and not the other, or getting different results in one vs the other) when you're not specifying credentials in the code that connects to the DC.
I won't get into the actual code because it is probably going to vary based on your exact needs, and there's some pretty extensive resources about this available online.
The two different approaches you want to look into are:
- Using System.DirectoryServices and DirectoryEntry objects
- Using System.DirectoryServices.AccountManagement and Principal objects.
The second is probably ideal for your particular scenario although it does have important limitations if you start trying to get into more complex AD interactions.
Howto: (Almost) Everything In Active Directory via C# - CodeProject
System.DirectoryServices.AccountManagement Namespace | Microsoft Learn
c# - Adding and removing users from Active Directory groups in .NET - Stack Overflow