I found a query, "How to tick the checkbox 'Manager can update membership list' on an Active Directory group using PowerShell", on the PowerShell Scripting WhatsApp group. There is already an official Microsoft blog written for the same purpose; it has two parts, and both are worth reading. I went through the script and found that the complete logic is built using .NET objects, which might puzzle non-coders who want to automate the task, so I made it more user friendly for them. If the script will not run because script execution is disabled, see Different ways to bypass Powershell execution policy: .ps1 cannot be loaded because running scripts is disabled.
Setting the ManagedBy user is very easy with Set-ADGroup GroupName -ManagedBy (Get-ADUser UserName), but ticking "Manager can update membership list" requires the .NET way: that checkbox is not an attribute of the group but an access control entry on it, granting the manager write access to the group's member attribute. I didn't reinvent the wheel; I used the existing code from the official Microsoft blog, so it will be more useful and anyone can use it. I created a CSV file holding the group name, user name and domain NetBIOS name, so I can change multiple groups at once. If any of the groups or users does not exist, the script shows an error in red.
.\Update-AdGroupManagedbyAdUser.ps1 -Path Group.csv
This code is available on GitHub: https://github.com/kunaludapi/AD-Powershell-Manager-can-update-membership-list
```powershell
#requires -version 4
<#
.SYNOPSIS
    Adds a user to the Managed By tab in the AD group properties and ticks the box "Manager can update the membership list".
.DESCRIPTION
    The Update-AdGroupManagedbyAdUser script adds a manager to a group. It takes either a valid CSV file path
    (containing Group, User and Domain details) to update multiple groups at once, or, if you don't have a CSV
    file, the UserName, GroupName and Domain parameters can be used separately. This script uses AD .NET objects
    to perform its task.
.PARAMETER GroupName
    A valid Active Directory group name. You can use the first character as an alias. This is a mandatory parameter.
.PARAMETER UserName
    A valid Active Directory user name. You can use the first character as an alias. This is a mandatory parameter.
.PARAMETER Domain
    The domain NetBIOS name where the user resides.
.PARAMETER Path
    A valid CSV file with GroupName, UserName and Domain information.
.INPUTS
    [String]
.OUTPUTS
    Output is written to the console directly.
.NOTES
    Version:        1.0
    Author:         Kunal Udapi
    Creation Date:  23 August 2017
    Purpose/Change: Manager can update the membership list
    Useful URLs:    http://vcloud-lab.com
.EXAMPLE
    PS C:\>Update-AdGroupManagedbyAdUser -Path C:\temp\Groups.csv
    This command updates groups from a CSV file; the CSV file contains GroupName, UserName and Domain.
.EXAMPLE
    PS C:\>Update-AdGroupManagedbyAdUser -GroupName Group1 -UserName User1 -Domain vcloud-lab
    Here I change the information on a single group using parameters.
#>
[CmdletBinding(SupportsShouldProcess=$True, ConfirmImpact='Medium', HelpURI='http://vcloud-lab.com', DefaultParameterSetName='Manual')]
Param (
    [parameter(ParameterSetName = 'Manual', Position=0, Mandatory=$True, ValueFromPipelineByPropertyName=$true)]
    [alias('U')]
    [String]$UserName,
    [Parameter(ParameterSetName='Manual', Position=1, Mandatory=$True)]
    [alias('G')]
    [String]$GroupName,
    [Parameter(ParameterSetName='Manual', Position=2, Mandatory=$True)]
    [String]$Domain,
    [parameter(ParameterSetName = 'CSV', Position=0, Mandatory=$True, ValueFromPipelineByPropertyName=$true)]
    [alias('CSV','File')]
    [String]$Path
)
begin {
    if (!(Get-Module ActiveDirectory)) {
        Import-Module ActiveDirectory
    }
    #$groupName = 'Group1'
    #$domain = 'vcloud-lab.com'
    #$userName = 'User1'
    switch ($PsCmdlet.ParameterSetName) {
        'Manual' {
            # Wrap the three parameters in one object so the process block treats manual and CSV input alike
            $Obj = New-Object psobject
            $Obj | Add-Member -Name groupName -MemberType NoteProperty -Value $GroupName
            $Obj | Add-Member -Name UserName -MemberType NoteProperty -Value $UserName
            $Obj | Add-Member -Name Domain -MemberType NoteProperty -Value $Domain
            Break
        }
        'CSV' {
            if (Test-Path -Path $Path) {
                $Obj = Import-Csv -Path $Path
            }
            else {
                Write-Host "$Path does not exist" -BackgroundColor DarkRed
            }
            break
        }
    }
    # Configuration partition of the forest we are bound to. This is more robust than assembling
    # the path from the NetBIOS name and the last DC= component of the group DN, which breaks
    # for DNS names with more than two labels (e.g. corp.example.com).
    $configDn = (Get-ADRootDSE).configurationNamingContext
}
process {
    foreach ($O in $Obj) {
        "Working on group '{0}' adding user '{1}'" -f $O.Groupname, $O.Username
        try {
            $group = Get-ADGroup $O.groupName -ErrorAction Stop
        }
        catch {
            Write-Host "$($O.Groupname) does not exist in Active Directory" -BackgroundColor DarkRed
            Continue
        }
        try {
            $u = Get-ADUser $O.userName -ErrorAction Stop
            $UserDN = $u | Select-Object -ExpandProperty DistinguishedName
            #$UserDN
        }
        catch {
            Write-Host "$($O.UserName) does not exist in Active Directory" -BackgroundColor DarkRed
            Continue
        }
        $userAccount = "{0}\{1}" -f $O.domain.ToUpper(), $O.userName
        # rightsGuid of the Self-Membership extended right (validated write to the member attribute)
        $rightGuid = Get-ItemProperty "AD:\CN=Self-Membership,CN=Extended-Rights,$configDn" -Name rightsGuid | Select-Object -ExpandProperty rightsGuid
        $Guid = [GUID]$rightGuid
        $user = New-Object System.Security.Principal.NTAccount($userAccount)
        $sid = $user.translate([System.Security.Principal.SecurityIdentifier])
        #$group = Get-ADGroup $groupName
        $GroupDN = $group.DistinguishedName
        $acl = Get-Acl AD:\$GroupDN
        $ctrl = [System.Security.AccessControl.AccessControlType]::Allow
        $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        $intype = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        #$UserDN = Get-ADUser $userName | Select-Object -ExpandProperty DistinguishedName
        # Managed By tab: set the managedBy attribute to the user's DN
        $group = [adsi]"LDAP://$GroupDN"
        $group.put("ManagedBy",$UserDN)
        $group.setinfo()
        # "Manager can update membership list" checkbox: an Allow ACE for the user's SID with
        # WriteProperty + ExtendedRight scoped to the Self-Membership GUID
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
        $acl.AddAccessRule($rule)
        Set-Acl -acl $acl -path AD:\$GroupDN
        # Re-read the ACL and verify the ACE landed
        $acl = Get-Acl AD:\$GroupDN
        $access = $acl.Access | Where-Object {$_.IdentityReference -eq $userAccount}
        if ($access -eq $null) {
            Write-Host "Cannot set 'Manager can update membership list' on Group $($O.Groupname)" -BackgroundColor DarkRed
        }
    }
}
end {}
```
The same script can be used for a single group with the command below.
.\Update-AdGroupManagedbyAdUser.ps1 -Groupname GroupName -UserName UserName -Domain vcloud-lab
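The script sets the ACE but only checks that some ACE for the user exists afterwards. The companion function below is an added example, not code from the original post or its GitHub repository: it reads a group's ACL and reports every identity that can change its membership, both the explicit "Manager can update membership list" ACE (WriteProperty scoped to the Self-Membership GUID) and object-wide grants such as GenericAll or WriteDacl that give the same control without the checkbox being ticked, and it flags whether each identity is the group's ManagedBy object. The function name, the output column names and the group names in the usage lines are my own; it assumes the ActiveDirectory module and its AD: drive are available and that the caller can read the group's security descriptor.

```powershell
#requires -version 4
# Added example, not code from the original post or its GitHub repository.
# Reports every identity that can change the membership of an AD group, so you
# can verify the delegation the script above sets and spot broader grants
# (GenericAll, GenericWrite, WriteDacl, WriteOwner) that give the same control.
# Assumes the ActiveDirectory module (and its AD: drive) is available and that
# the caller can read the group's security descriptor.
function Get-AdGroupMembershipDelegation {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string[]]$GroupName
    )
    begin {
        if (-not (Get-Module ActiveDirectory)) { Import-Module ActiveDirectory }
        # Self-Membership rightsGuid, read from the configuration partition of the
        # forest we are bound to; it is the GUID the script above stamps on its ACE.
        $configDn = (Get-ADRootDSE).configurationNamingContext
        $memberGuid = [guid](Get-ItemProperty -Path "AD:\CN=Self-Membership,CN=Extended-Rights,$configDn" -Name rightsGuid).rightsGuid
        $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
        # Rights over the whole object that also control its member attribute or its ACL
        $broadRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
    }
    process {
        foreach ($name in $GroupName) {
            try {
                $group = Get-ADGroup -Identity $name -Properties ManagedBy -ErrorAction Stop
            }
            catch {
                Write-Warning "Group '$name' not found: $($_.Exception.Message)"
                continue
            }
            # Resolve the ManagedBy object to a SID once, so each ACE can be matched against it
            $managerSid = $null
            if ($group.ManagedBy) {
                $managerSid = (Get-ADObject -Identity $group.ManagedBy -Properties objectSid).objectSid
            }
            $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
                # The checkbox itself: WriteProperty scoped to the Self-Membership GUID
                $memberWrite = ($ace.ObjectType -eq $memberGuid) -and (($ace.ActiveDirectoryRights -band $writeProperty) -ne 0)
                # Object-wide grants (empty ObjectType) that imply membership control
                $broad = ($ace.ObjectType -eq [guid]::Empty) -and (($ace.ActiveDirectoryRights -band $broadRights) -ne 0)
                if (-not ($memberWrite -or $broad)) { continue }
                $isManager = $false
                if ($managerSid) {
                    try { $isManager = ($ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $managerSid) }
                    catch { $isManager = $false }   # unresolvable (orphaned) SID in the ACE
                }
                [pscustomobject]@{
                    Group       = $group.Name
                    Identity    = $ace.IdentityReference.Value
                    Rights      = $ace.ActiveDirectoryRights.ToString()
                    Scope       = $(if ($memberWrite) { 'member attribute' } else { 'whole object' })
                    IsInherited = $ace.IsInherited
                    IsManagedBy = $isManager
                }
            }
        }
    }
}

# Usage (constructed group names, same CSV layout as the script above):
# Get-AdGroupMembershipDelegation -GroupName 'Group1', 'Group2' | Format-Table -AutoSize
# Import-Csv .\Group.csv | Select-Object -ExpandProperty GroupName | Get-AdGroupMembershipDelegation
```

Run it before and after the script: the "after" output should contain one new row for the user with Scope "member attribute" and IsManagedBy True. Rows with Scope "whole object" that are not inherited from the parent OU are worth a second look, because those identities can already rewrite the membership regardless of the Managed By tab.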
Useful Blogs
POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY
Powershell one liner: Create multiple user accounts
Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled