28 December, 2020

Powershell: 'Manager can update membership list'

 I ran into a post on a Powershell Facebook group, where someone was asking how to use Powershell to interact with an Active Directory groups 'Managed by', and (more specifically) the 'Manager can update membership list' values...

This 'Manager can update membership list' value is not available from the Get/Set-ADGroup command...
It is an ACL, and it is obscure. (that GIUD tho!!!)

I ran into all kinds of complicated scripts / functions that woked on this... But its not that complicated... If you know the GUID value, that is...
Anyway - Here it is:

= "Some Group" # Group display Name
$ManagerName = "BossMan" # AD Username

$mgr = (Get-ADUser $ManagerName)
$grp = [ADSI]"LDAP://$((Get-ADGRoup $GroupName).DistinguishedName)"

[System.DirectoryServices.DirectoryEntryConfiguration]$Options = $grp.get_Options()
$Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl'

$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($(New-Object System.Security.Principal.SecurityIdentifier (($mgr).SID.Value)),`
[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, [System.Security.AccessControl.AccessControlType]::Allow, [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2")

.InvokeSet("managedBy", @("$($mgr.DistinguishedName)")) # Sets the Managed By

.get_ObjectSecurity().AddAccessRule($Rule) # Yep, it is an ACL, this sets it.

No comments:

Post a Comment