Checkbox: Manager can update membership list

This topic contains 2 replies, has 2 voices, and was last updated by  Jason McMahan 2 years, 1 month ago.

  • Author
    Posts
  • #11182

    Jason McMahan
    Participant

    Good morning,
    I have been searching for a way to set the checkbox that allows a manager to update the membership list on a security group.
    My script creates a folder, sets the acl, and sets the manager field correctly however once it is all said and done i have to open the new group in aduc then go to the Managed by tab and set the checkbox then apply the new setting.
    Is there a way to programatticaly set this from powershell?

    Thank you

  • #11184

    Richard Siddaway
    Moderator

    The checkbox doesn't set an attribute it sets the WriteProperty permission on the Member property of the group. The Microsoft AD cmdlets can't work with permissions but there is an Exchange cmdlet that might help.

    In a pure AD environment I would use the Quest cmdlets to do this:

    $user = Get-QADUser -Identity dgreen

    $group = Get-QADGroup -Identity Accounts -IncludeAllProperties
    $group | Set-QADGroup -ManagedBy $user

    $group | Add-QADPermission -Property Member -Account $user -ApplyTo ThisObjectOnly -Rights WriteProperty

    If you are using Active Roles it gets even easier.

    It should be possible to script this using .NET accces to System.DirectoryServices and the System.Security classes but it won't be pretty

    Hope this helps

  • #27376

    Jason McMahan
    Participant

    I know this is an old thread, however i believe this solution is the best.
    If anyone would like please review the script laid out below.

    Thank you

    #==============================================================================================================================================
    # Created on:   7/9/2015 7:01 AM
    # Created by: Jason 
    # Organization:      
    # Filename:          set-ManagedBy.ps1
    # Version:           20150709.01 Original Code creation
    # Reference:    http://blogs.technet.com/b/blur-lines_-powershell_-author_shirleym/archive/2013/10/07/manager-can-update-membership-list.aspx
    #==============================================================================================================================================
     
    
     
    #Create initial collection of variable names.
    $startupVariables=""
    if ($startupvariables) {
            try {Remove-Variable -Name startupvariables  -Scope Global -ErrorAction SilentlyContinue
        }
        catch {
        }
    }
    New-Variable -force -name startupVariables -value ( Get-Variable | ForEach-Object { $_.Name } )
     
     
     
    Function Clean-Memory {
    Get-Variable |
    Where-Object { $startupVariables -notcontains $_.Name } |
    ForEach-Object {
      try { Remove-Variable -Name "$($_.Name)" -Force -Scope "global" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue}
      catch { }
    }
    }
     
     
     
     
    function set-ManagedBy {
     
        [CmdletBinding(DefaultParameterSetName='Managed By Group',
                      SupportsShouldProcess=$true,
                      PositionalBinding=$false,
                      ConfirmImpact='Medium')]
        Param
        (
            # SecurityGroup parameter identifies ad group for which managedBY/Security permissions will be modified.
            [Parameter(Mandatory=$true,
                       ParameterSetName = 'Managed By Group')]
                  [Parameter(ParameterSetName = 'Managed By User')]
                  [Parameter(ParameterSetName = 'Clear')]
            [ValidateScript({Get-ADGroup -Identity $_ })]
            [String]
            $SecurityGroup,
           
            # ManagedByGroup parameter used for inserting adgroup in managedBy attribute of a security group.
            [Parameter(Mandatory=$false,
                       ParameterSetName='Managed By Group')]
            [ValidateScript({Get-ADGroup -Identity $_ })]
            [String]
            $ManagedByGroup,
     
            # ManagedByUser parameter used for inserting aduser in managedBy attribute of a security group.
            [Parameter(Mandatory=$false,
                       ParameterSetName='Managed By User')]
            [ValidateScript({Get-ADUser -Identity $_ })]
            [String]
            $ManagedByUser,
     
                  [parameter(Mandatory=$False,
                       ParameterSetName = 'Managed By Group',
                       HelpMessage="If managerUpdateMembership switch is added, manager has permission to update membership.")]
            [Parameter(ParameterSetName = 'Managed By User')]
               [switch]$managerUpdateMembership,
     
           [parameter(Mandatory=$False,
                       ParameterSetName = 'Managed By Group',
                       HelpMessage="If overwrite switch is added, entry in managedBy is removed from that property as well as access control list.")]
            [Parameter(ParameterSetName = 'Managed By User')]
               [switch]$overwrite,
     
                  [parameter(Mandatory=$False,
                       ParameterSetName = 'Clear',
                       HelpMessage="If clear switch is added, managedBY property is set to null.")]
               [switch]$clear
     
        )
     
        Begin {
     
     
            $SecurityGroupObject = (Get-ADGroup -Identity $SecurityGroup -Properties DistinguishedName, ManagedBY, Name, SID)
            $aclIdentity = (Get-ADObject $SecurityGroupObject.ManagedBy -Properties canonicalName, SamAccountName)
            $aclIdentityReference = (Join-Path -Path ($aclIdentity.CanonicalName.split(".")[0]+'\') -ChildPath $aclIdentity.SamAccountName)
           
            #ACL of group object.
            $acl = (Get-acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)")
       
            #GUID of Self Membership attribute. AdsiEdit > Configuration > ExtendedRIghts > SelfMembership
            $guid =[guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
     
            #Rights which will be assigned to new rule
            $rights =[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
            $ctrl =[System.Security.AccessControl.AccessControlType]::Allow
     
            If($ManagedByGroup -ne "") {
                $managedBy = (Get-ADGroup -Identity $ManagedByGroup -Properties CanonicalName, SamAccountName, SID -ErrorAction SilentlyContinue)       
            }
            ElseIf ($ManagedByUser -ne "") {
                $managedBy = (Get-ADUser -Identity $ManagedByUser -Properties CanonicalName, SamAccountName, SID -ErrorAction SilentlyContinue)
            }
            Else {
                $managedBy = $null
            }
            If($managedBy -ne $null) {
                $managedBySID = New-Object System.Security.Principal.SecurityIdentifier ($managedBy).SID
            }
            Else {
            }
                               
        }
        Process {
            If ($SecurityGroupObject.ManagedBy -eq $null) {
                If($clear -eq $true) {
                    Throw "ManagedBy is null and clear switch was utilized. No change required!"
                }
                Else {
                    If($clear -eq $false) {
                        If($managerUpdateMembership -eq $false) {
                            $SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
                        }
                        Else {
                            If($managerUpdateMembership -eq $true) {
                            $SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
                            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($managedBySID,$rights,$ctrl,$guid)
                            $acl.AddAccessRule($rule)
                            Set-Acl -AclObject $acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)"
                            }
     
                        }
                    }
                }
            }
            Else {
                If($SecurityGroupObject.ManagedBy -ne $null) {
                    If ($clear -eq $true) {
                        Foreach($accessControlEntry in $acl.Access.IdentityReference.value){
                            If($acl.Access.identityreference -eq $aclIdentityReference){
                                $ace = $acl.Access | where {$_.IdentityReference -eq $aclIdentityReference}
                                $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($ace.IdentityReference,$ace.ActiveDirectoryRights,$ace.AccessControlType,$ace.ObjectType)
                                $acl.RemoveAccessRule($rule) | Out-Null
                                $SecurityGroupObject | Set-ADGroup -ManagedBy $null
                                Set-Acl -AclObject $acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)"
                                $match = $true
                            }
                            Else {
                                if (-not ($match)) {
                                $SecurityGroupObject | Set-ADGroup -ManagedBy $null
                                }
                            }
                        }
                    }
                    Else {
                        If($clear -eq $false) {
                            If($overwrite -eq $true) {
                                If($managerUpdateMembership -eq $true) {
                                    Foreach($accessControlEntry in $acl.Access.IdentityReference.value){
                                        If($acl.Access.identityreference -eq $aclIdentityReference){
                                            $ace = $acl.Access | where {$_.IdentityReference -eq $aclIdentityReference}
                                            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($ace.IdentityReference,$ace.ActiveDirectoryRights,$ace.AccessControlType,$ace.ObjectType)
                                            $acl.RemoveAccessRule($rule) | Out-Null
                                            $match = $true
                                            $SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
                                            $rule1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($managedBySID,$rights,$ctrl,$guid)
                                            $acl.AddAccessRule($rule1) 
                                        }
                                        Else {
                                            if (-not ($match)) {
                                            $SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
                                            $rule1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($managedBySID,$rights,$ctrl,$guid)
                                            $acl.AddAccessRule($rule1)   
                                            }
                                        } 
                                    }
                                    Set-Acl -AclObject $acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)"
                                }
                                Else {
                                    If($managerUpdateMembership -eq $false) {
                                        Foreach($accessControlEntry in $acl.Access.IdentityReference.value){
                                            If($acl.Access.identityreference -eq $aclIdentityReference){
                                                $ace = $acl.Access | where {$_.IdentityReference -eq $aclIdentityReference}
                                                $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($ace.IdentityReference,$ace.ActiveDirectoryRights,$ace.AccessControlType,$ace.ObjectType)
                                                $acl.RemoveAccessRule($rule) | Out-Null
                                                Set-Acl -AclObject $acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)"
                                                $match = $true
                                                $SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
                                            }
                                            Else {
                                                if (-not ($match)) {
                                                $SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
                                                }
                                            }
                                        }
                                    }
                                }                            
                            }
                            Else {
                                If ($overwrite -eq $false) {
                                    Throw "ManagedBy is populated, overwrite or clear switch was not utilized. Review managedBy property of security group!"
                                }
                            }
                        }
                    }
                }
               
            }
         }
        End {
         }
    }
    Clean-Memory
    

You must be logged in to reply to this topic.