Manager can update membership list Part 1

Sometimes automating something as simple as selecting a checkbox is no simple task. This is the first part of a series of posts on how to select the 'Manager can update membership list' checkbox for an AD group in PowerShell. This first part gives you the PowerShell script that automates the process. The follow-up posts go over the script in more detail and show the steps that led to this solution.

Below is the GUI used to select the user who manages the group and whether that user is allowed to update the membership list. Setting the manager is the easy part, but selecting the checkbox can be a little more complicated.

The script below sets the user as the manager and allows them to update the membership list. The next posts will look at the script in fine detail.

<#
    Look in ADSI Edit for this GUID:
      Configuration -> Extended Rights -> Self-Membership
    Open Self-Membership and the GUID will be under rightsGuid
#>

# The ad: drive used by Get-Acl / Set-Acl below comes from the ActiveDirectory module
Import-Module ActiveDirectory

$guid   = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$user   = New-Object System.Security.Principal.NTAccount("contoso\jsmith")
$sid    = $user.Translate([System.Security.Principal.SecurityIdentifier])
$acl    = Get-Acl ad:"cn=testgroup,cn=users,dc=contoso,dc=com"
$ctrl   = [System.Security.AccessControl.AccessControlType]::Allow
$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# inheritance type; not passed to the four-argument ActiveDirectoryAccessRule constructor used below
$intype = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# set the ManagedBy property
$group = [adsi]'LDAP://cn=testgroup,cn=users,dc=contoso,dc=com'
$group.Put("ManagedBy","CN=jillsmith,OU=TestOU,DC=Contoso,DC=COM")
$group.SetInfo()

# create the new rule and add the rule
# https://msdn.microsoft.com/en-us/library/xh02bekw.aspx
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrl, $guid)
$acl.AddAccessRule($rule)
Set-Acl -acl $acl -path ad:"cn=testgroup,cn=users,dc=contoso,dc=com"

Write-Host "Voila! We have the checkbox checked"
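Once the script has run, it is worth reading the ACL back to confirm the rule landed, and, because write access to a group's member attribute is exactly what the checkbox hands out, to audit which principals hold that right across a set of groups and whether each of them is actually the group's ManagedBy owner. The following is an added example, not part of the original post; it assumes the ActiveDirectory module (for the AD: drive, Get-ADGroup and Get-ADObject), the group DN and attribute GUID from the script above, and a hypothetical OU 'OU=TestOU,DC=contoso,DC=com' for the sweep at the end.

```powershell
# Added audit example (not from the original post): report every principal holding an
# Allow ACE with WriteProperty on the 'member' attribute of a group, which is the
# permission the 'Manager can update membership list' checkbox grants, and flag
# whether that principal is the group's ManagedBy owner.
Import-Module ActiveDirectory

# GUID of the member attribute / Self-Membership right, as used in the post above
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-GroupMembershipWriters {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [switch]$IncludeInherited   # by default only explicit (non-inherited) ACEs are reported
    )

    $acl = Get-Acl -Path "AD:\$GroupDn"
    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # Keep only Allow ACEs scoped to the member attribute that include WriteProperty
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $memberAttrGuid -and
        $_.ActiveDirectoryRights.HasFlag($writeProperty) -and
        ($IncludeInherited -or -not $_.IsInherited)
    }

    # Resolve the ManagedBy DN to a SID so it can be compared with each ACE trustee
    $managedBy  = (Get-ADGroup -Identity $GroupDn -Properties ManagedBy).ManagedBy
    $managerSid = $null
    if ($managedBy) {
        $managerSid = (Get-ADObject -Identity $managedBy -Properties objectSid).objectSid
    }

    foreach ($ace in $aces) {
        $trusteeSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{
            Group       = $GroupDn
            Trustee     = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            Inherited   = $ace.IsInherited
            IsManagedBy = ($null -ne $managerSid -and $trusteeSid.Value -eq $managerSid.Value)
        }
    }
}

# Confirm the ACE on the group used in the post
Get-GroupMembershipWriters -GroupDn 'CN=testgroup,CN=Users,DC=contoso,DC=com' | Format-Table -AutoSize

# Sweep an OU (hypothetical) for membership-write rights that do not belong to the group's owner
Get-ADGroup -Filter * -SearchBase 'OU=TestOU,DC=contoso,DC=com' |
    ForEach-Object { Get-GroupMembershipWriters -GroupDn $_.DistinguishedName } |
    Where-Object { -not $_.IsManagedBy } |
    Format-Table -AutoSize
```

The function filters out inherited ACEs by default so that rights delegated at an OU level do not drown out the explicit per-group entries the script creates; pass -IncludeInherited to see the full picture, and remember that the OU used in the sweep is a placeholder to be replaced with one from your own directory.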


The next post will explain how to obtain the guid for the Self Member extended right.

Part 2

Comments

  • Anonymous
    October 28, 2013
    Thank you for explaining the "Configuration -> Extended Rights -> Self-Membership" part! I've yet to try your script, hope it works for me!

  • Anonymous
    October 28, 2013
    The comment has been removed

  • Anonymous
    November 01, 2013
    Nice catch! Yes, the $adsi.setinfo() should be $group.setinfo(). I have taken out the $newacl variable, it is not needed. The AddAccessRule method does not return anything. I have updated the post with the changes. Thanks for letting me know! This may help you on your error. msdn.microsoft.com/.../ms838297.aspx

  • Anonymous
    April 13, 2015
    What are the minimum permissions required on AD to run this script?

  • Anonymous
    May 18, 2015
    Irfan Ahmed, Senior Support Escalation Engineer, brings this amazing blog to us. Read on.
    Requirement

  • Anonymous
    August 20, 2015
    Thanks, helped me very much!