Get Active Directory "Write Members" WriteProperty

A messaging colleague asked how to check which principals have the Write Members permission on distribution lists. In ACL terms that is the WriteProperty right scoped to the group's member attribute, so I sent him a sample that queries exactly that on a distribution group imaginatively called, er, Distribution Group...

#Get Member WriteProperty 
Import-Module ActiveDirectory   # supplies the AD: PSDrive used below

# schemaIDGUID of the member attribute, i.e. the target of the "Write Members" permission
$MemberGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# Read the group's DACL through the AD: drive (the path as shown has no DC= components; supply the group's full DN
# or set the AD: location to the domain first), keep the ACEs whose rights include WriteProperty and whose
# ObjectType is the member attribute, and tabulate them
(Get-Acl -Path "AD:CN=Distribution Group,OU=Groups").Access | 
Where-Object {$_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and ($_.ObjectType -eq $MemberGuid)} |
Format-Table IdentityReference,AccessControlType,IsInherited,ActiveDirectoryRights,@{n="Property";e={((Get-Variable -Name MemberGuid).Name -Split "Guid")[0]}}


Let's pick this apart...

First up, set up a variable, $MemberGuid, to hold the GUID behind the Write Members permission. It is the schemaIDGUID of the member attribute; the same GUID also identifies the Self-Membership validated write (a principal adding or removing only itself), which is why the rights check in the next step matters.

Now, use Get-Acl against the AD: PSDrive (mounted when the ActiveDirectory module loads) and take its Access property, which holds the group's DACL as a collection of ActiveDirectoryAccessRule objects.

Then, use Where-Object to keep only the access control entries (ACEs) whose ActiveDirectoryRights include WriteProperty and whose ObjectType matches the member attribute's schema ID GUID. If both conditions are true we get an object representing the matched ACE. Two caveats: test the WriteProperty flag rather than comparing the whole rights value to "WriteProperty", because delegated ACEs commonly carry "ReadProperty, WriteProperty" together and an exact comparison would miss them; and this filter only shows ACEs scoped explicitly to member, so a WriteProperty ACE with an all-zero ObjectType (all properties), or a GenericWrite or GenericAll ACE, also lets its principal change membership without appearing here.
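As an added example that is not code from the original post, here is a version that generalises the one-liner: it walks every group under an OU and reports each Allow ACE that lets a principal write the member attribute, whether scoped to member, to all properties, or granted through GenericWrite or GenericAll, while skipping inherit-only ACEs and the Self-Membership validated write. It assumes the ActiveDirectory module is installed; the OU distinguished name and the $expected list are placeholders to replace for your own domain.

```powershell
# Added example, not code from the original post: audit every group under an OU for
# principals that can change its membership, including ACEs the one-liner above
# does not catch. Assumes the ActiveDirectory module is installed; the OU DN and
# the $expected list at the bottom are placeholders to replace for your domain.
Import-Module ActiveDirectory

# schemaIDGUID of the member attribute; an all-zero ObjectType in an ACE means "all properties".
$MemberGuid        = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllPropertiesGuid = [guid]'00000000-0000-0000-0000-000000000000'

function Test-WriteMemberAce {
    # True when the ACE lets its principal modify the member attribute of the object it was read from.
    # Only Allow ACEs that apply to this object (not inherit-only ones meant for children) count.
    # WriteProperty scoped to member or to all properties qualifies; GenericWrite and GenericAll
    # both contain the WriteProperty bit, so HasFlag covers them as well. An ACE holding only the
    # Self right with the member GUID is the Self-Membership validated write (add/remove yourself)
    # and is deliberately not reported.
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)

    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    if ($Ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { return $false }

    $scopedToMember = ($Ace.ObjectType -eq $MemberGuid) -or ($Ace.ObjectType -eq $AllPropertiesGuid)
    $canWrite = $Ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    return ($scopedToMember -and $canWrite)
}

function Get-WriteMemberPrincipal {
    # Emits one object per (group, ACE) pair that passes Test-WriteMemberAce.
    param([Parameter(Mandatory)][string]$SearchBase)

    foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if (-not (Test-WriteMemberAce -Ace $ace)) { continue }
            $scope = if ($ace.ObjectType -eq $MemberGuid) { 'member' } else { 'all properties' }
            [pscustomobject]@{
                Group       = $group.Name
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights
                Scope       = $scope
                IsInherited = $ace.IsInherited
            }
        }
    }
}

# Usage: list everything, then drop the principals you expect to hold the right anyway
# (placeholder list; extend it with your own admin groups).
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
Get-WriteMemberPrincipal -SearchBase 'OU=Groups,DC=example,DC=com' |
    Where-Object { $_.Principal -notin $expected } |
    Sort-Object Group, Principal |
    Format-Table -AutoSize
```

Treat the hits as candidates rather than a final answer: the function only looks at Allow ACEs and does not evaluate whether a Deny ACE for the same principal takes precedence, and it does not report WriteDacl or WriteOwner on the group, either of which would let a principal grant itself the right. Confirm anything surprising with an effective-access check before acting on it.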