Recently I needed to automate the creation of Active Directory groups and set the ManagedBy attribute to a specific user or service account. Setting the ManagedBy attribute itself is straightforward; ticking the checkbox "Manager can update membership list" is not so simple to do programmatically, because that checkbox is not an attribute at all: it is an access control entry on the group's DACL that grants the manager write access to the group's member attribute. Sure, you could always tick the checkbox by hand, but that is not the point; the solution needed to be fully automated.
Here's an extract of the PowerShell script I used to make it happen (some error handling and logging has been stripped out):
```powershell
# Requires the ActiveDirectory module for get-aduser / get-adgroup
Import-Module ActiveDirectory;

# Define the $owner that will be able to manage the members of $group
$owner = "kamal";
$group = "citrix users";

# Try to get objects from AD
try {
    $ownerobject = get-aduser $owner;
    $groupobject = get-adgroup $group;
# If AD could not be read
} catch {
    write-host "Could not get user/group information from Active Directory";
    return;   # stop the script here
}

# Try to set "write members" rights on the group
try {
    # Bind to the group over ADSI using its distinguished name
    $ldapstring = "LDAP://" + $groupobject.distinguishedname;
    $ldapgroup = [ADSI]$ldapstring;

    # Only touch the DACL: reading/writing the owner or SACL would need extra privileges
    [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options();
    $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl';

    # Get SID of the owner (the trustee of the new ACE)
    $identityref = $ownerobject.sid.value;
    $sid = new-object System.Security.Principal.SecurityIdentifier ($identityref);

    # Define rights to be applied: allow WriteProperty ...
    $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty;
    $type = [System.Security.AccessControl.AccessControlType]::Allow;

    # ... restricted to the 'member' attribute (schema GUID of member, i.e. "Write Members")
    $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2";
    $adrule = new-object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid);

    # Apply new ACL and write it back to the directory
    $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule);
    $ldapgroup.CommitChanges();
    write-host ("ACLs updated for group: " + $group);
# If permissions could not be set
} catch {
    write-host ("Could not set new ACLs on group: " + $group);
    return;   # stop the script here
}
```
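Once the ACE is in place you will want to confirm that it actually took, and, since "write members" is exactly the right that lets a principal add accounts to a group, you will also want to know who else holds it. The following is an added example of my own, not part of the script above; it assumes the ActiveDirectory module (and its AD: drive) is available, reuses the member attribute GUID from the script, and the function names `Get-MemberWriteAces`, `Test-ManagerCanUpdateMembers` and `Get-MemberWriteAudit` are mine. It checks that the principal in ManagedBy holds the right (the checkbox is only meaningful when ManagedBy is also set), and lists every principal with write access to member across a search base, including rights granted on all properties rather than on member alone.

```powershell
# Added example (not from the original script): verify that a group's manager
# really holds the "write members" right, and audit who else holds it.
# Assumes the ActiveDirectory module is installed (it provides the AD: drive).
Import-Module ActiveDirectory

# Schema GUID of the 'member' attribute, same value as in the script above.
$memberGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"

function Get-MemberWriteAces {
    # Return every Allow ACE on $GroupDN that permits writing the member attribute,
    # either explicitly (ObjectType = member GUID) or implicitly (ObjectType empty,
    # meaning all properties, e.g. GenericWrite / GenericAll).
    param([Parameter(Mandatory)][string]$GroupDN)

    $acl = Get-Acl -Path ("AD:\" + $GroupDN)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [Guid]::Empty)
    }
}

function Test-ManagerCanUpdateMembers {
    # True when the ManagedBy principal holds a write-member ACE on the group,
    # i.e. "Manager can update membership list" is effectively ticked.
    param([Parameter(Mandatory)][string]$Group)

    $groupObject = Get-ADGroup -Identity $Group -Properties ManagedBy
    if (-not $groupObject.ManagedBy) {
        Write-Warning "Group '$Group' has no ManagedBy set; the checkbox cannot apply."
        return $false
    }
    $manager    = Get-ADObject -Identity $groupObject.ManagedBy -Properties objectSid
    $managerSid = [System.Security.Principal.SecurityIdentifier]$manager.objectSid

    foreach ($ace in Get-MemberWriteAces -GroupDN $groupObject.DistinguishedName) {
        # IdentityReference is normally an NTAccount; compare on SID to be safe.
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -eq $managerSid) { return $true }
    }
    return $false
}

function Get-MemberWriteAudit {
    # Defender's view: for every group under $SearchBase, list each principal that
    # can change membership. Anything unexpected here deserves a closer look.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase) {
        foreach ($ace in Get-MemberWriteAces -GroupDN $g.DistinguishedName) {
            [pscustomobject]@{
                Group     = $g.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
                Scope     = if ($ace.ObjectType -eq $memberGuid) { 'member only' } else { 'all properties' }
            }
        }
    }
}

# Usage (group name taken from the script above; adjust to your environment):
Test-ManagerCanUpdateMembers -Group "citrix users"
Get-MemberWriteAudit | Format-Table -AutoSize
```

Running `Test-ManagerCanUpdateMembers` before and after the script makes the change idempotent: you can skip `AddAccessRule` when it already returns `$true`, and a `$false` after the script tells you either the ACE did not commit or ManagedBy was never set. The audit deliberately treats an ACE with an empty ObjectType as a match, because a principal with GenericWrite or GenericAll on the group can change its membership just as surely as one with the member-only right, and that is easy to miss when you only look for the specific GUID.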