Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Powershell Active Directory: ADGroup Managedby - Checkbox Manager can update membership list

August 23, 2017 10:40AM

I found one of the query "How to click checkbox manager can update membership list on Active directory group using powershell" on the whatsapp group Powershell scripting. There is already official MicroSoft blog written for same purpose and there are two parts to it and they are worth reading. I went through the script and found complete logic is built using .net objects, and this might puzzle non-coders if they want to automate the task and made it user friendly for them to use. To execute this script use script Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled.

Active Directory Powershell Set-AdGroup Managedby Get-aduser, Manager can update membership list managed by group properties

Setting Managedby user is very easy with command Set-ADGroup GroupName -ManagedBy (Get-ADuser UserName), But if i want to set Manager can update membership list, you have to go .net way. I didnt reinvent the wheel, and using existing code from official MicroSoft blog, So it will be more useful and anyone can use, I have created csv file and kept information group Name, user Name and Domain netbios name. This way I can change multiple Groups. If any of the group or user does not exist, it will show error in red.

.\Update-AdGroupManagedbyAdUser.ps1 -Path Group.csv

Active Directory Powershell ldap Manager update membership list, ADSI adapter, .net object powershell ad acl

This code is available on github: https://github.com/kunaludapi/AD-Powershell-Manager-can-update-membership-list

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#requires -version 4
<#
.SYNOPSIS
    Adds user to manged by tab in AD Group properties and check the box Manager can update the membership list.
.DESCRIPTION
    The Update-AdGroupManagedby adds users to group. It asks for parameter as valid CSV file path (Containing Group, User and Domain details), If you want to update muliple group at once, Another option if you don't have CSV file Username, GroupName and Domain name parameter can be used separately. This cmdlet uses AD .net object to perform its task.
.PARAMETER GroupName
    Prompts you valid active directory Group name. You can use first character as an alias, This is mandetory parameter.
.PARAMETER UserName
    Prompts you valid active directory User name. You can use first character as an alias, This is mandetory parameter.
.PARAMETER Domain
    Provide domain netbios name where you User resides.
.PARAMETER CSV
    Provide valid csv file with Groupname, username and domain information.
.INPUTS
    [String]
.OUTPUTS
    Output is on console directly.
.NOTES
    Version:        1.0
    Author:         Kunal Udapi
    Creation Date:  23 August 2017
    Purpose/Change: Manager can update the membership list
    Useful URLs: http://vcloud-lab.com
.EXAMPLE
    PS C:\>Update-AdGroupManagedbyAdUser -Path C:\temp\Groups.csv

    This command update group from CSV file, CSV file contains information Groupname, UserName and Domain.
.Example
    PS C:\>Update-AdGroupManagedbyAdUser -GroupName Group1 -UserName User1 -Domain vcloud-lab
     
    Here I changing information on single Group using parameter
#>
[CmdletBinding(SupportsShouldProcess=$True,
    ConfirmImpact='Medium',
    HelpURI='http://vcloud-lab.com',
    DefaultParameterSetName='Manual')]
Param
(
    [parameter(ParameterSetName = 'Manual', Position=0, Mandatory=$True, ValueFromPipelineByPropertyName=$true)]
    [alias('U')]
    [String]$UserName,
    [Parameter(ParameterSetName='Manual', Position=1, Mandatory=$True)]
    [alias('G')]
    [String]$GroupName,
    [Parameter(ParameterSetName='Manual', Position=2, Mandatory=$True)]
    [String]$Domain,
    [parameter(ParameterSetName = 'CSV', Position=0, Mandatory=$True, ValueFromPipelineByPropertyName=$true)]
    [alias('CSV','File')]
    [String]$Path
)
begin {
    if (!(Get-Module Activedirectory)) {
        Import-Module ActiveDirectory
    }
    #$groupName = 'Group1'
    #$domain = 'vcloud-lab.com'
    #$userName = 'User1'
    switch ($PsCmdlet.ParameterSetName) {
        'Manual' {
            $Obj = New-Object psobject
            $Obj | Add-Member -Name groupName -MemberType NoteProperty -Value $GroupName
            $Obj | Add-Member -Name UserName -MemberType NoteProperty -Value $UserName
            $Obj | Add-Member -Name Domain -MemberType NoteProperty -Value $Domain
            Break
        }
        'CSV' {
            if (Test-Path -Path $Path) {
                $Obj =  Import-Csv -Path $Path
            }
            else {
                Write-Host "$path does not exist" -BackgroundColor DarkRed
            }
            break            
        }
    }
}
process {
    foreach ($O in $Obj) {
        "Working on group '{0}' adding user '{1}'" -f $O.Groupname, $O.Username
        try {
            $group = Get-ADGroup $O.groupName -ErrorAction Stop
        }
        catch {
            Write-Host "$($O.Groupname) does not exist in Active Directory" -BackgroundColor DarkRed
            Continue
        }
        try {
            $u = Get-ADUser $O.userName -ErrorAction Stop
            $UserDN = $u | Select-Object -ExpandProperty DistinguishedName
            #$UserDN
        }
        catch {
            Write-Host "$($O.UserName) does not exist in Active Directory" -BackgroundColor DarkRed
            Continue
        }
        if ($PsCmdlet.ParameterSetName -eq 'CSV') {
            $Domain = $O.Domain
        }
        $DC = ($group.DistinguishedName -split '=')[-1]
        $userAccount = "{0}\{1}" -f $O.domain.ToUpper(), $O.userName
        $rightGuid = Get-ItemProperty "AD:\CN=Self-Membership,CN=Extended-Rights,CN=Configuration,DC=$domain,DC=$DC" -Name rightsGuid | Select-Object -ExpandProperty rightsGuid
        $Guid = [GUID]$rightGuid
        $user = New-Object System.Security.Principal.NTAccount($userAccount)
        $sid = $user.translate([System.Security.Principal.SecurityIdentifier])
        #$group = Get-ADGroup $groupName
        $GroupDN = $group.DistinguishedName
        $acl = Get-Acl AD:\$GroupDN
        $ctrl =[System.Security.AccessControl.AccessControlType]::Allow
        $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        $intype = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        #$UserDN = Get-ADUser $userName | Select-Object -ExpandProperty DistinguishedName
        $group = [adsi]"LDAP://$GroupDN"
        $group.put("ManagedBy",$UserDN)
        $group.setinfo()
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
        $acl.AddAccessRule($rule)
        Set-Acl -acl $acl -path AD:\$GroupDN
        $acl = Get-Acl AD:\$GroupDN
        $access = $acl.Access | Where-Object {$_.IdentityReference -eq $userAccount}
        if ($access -eq $null) {
            Write-Host "Cannot set Manager can not update membership list on Group $($O.Groupname)" -BackgroundColor DarkRed
        }
    }
}
end {}

Same command can be used for single Group by using below command.

.\Update-AdGroupManagedbyAdUser.ps1 -Groupname GroupName -UserName UserName -Domain vcloud-lab

Active directory users and comptuers powershell, Group properties managed by Name change update, manager can update membership list

Useful Blogs
POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY
Powershell one liner: Create multiple user accounts
Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled

Go Back

Comment