Below is a function called New-ADACE and an example of how to use it to set
an ACE on the member property of an object.
################################################################
function New-ADACE {
    # Builds an ActiveDirectoryAccessRule (an ACE) from its four parts.
    # $identity  System.Security.Principal.IdentityReference
    #            http://msdn.microsoft.com/en-us/library/system.security.principal.ntaccount.aspx
    # $adRights  System.DirectoryServices.ActiveDirectoryRights
    #            http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights.aspx
    # $type      System.Security.AccessControl.AccessControlType
    #            http://msdn.microsoft.com/en-us/library/w4ds5h86(VS.80).aspx
    # $Guid      Object Type of the property: the schema GUID of the attribute
    #            to which the access rule applies.
    Param([System.Security.Principal.IdentityReference]$identity,
          [System.DirectoryServices.ActiveDirectoryRights]$adRights,
          [System.Security.AccessControl.AccessControlType]$type,
          [Guid]$Guid)
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type,$Guid)
    $ACE
}
# Some example code on how to use the New-ADACE function
# Create ACE to add to object
$myGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2" # schema GUID of the member attribute
# Get-NTID was a helper not included in this post; build the NTAccount directly
$ID = New-Object System.Security.Principal.NTAccount("<DOMAIN>","<sAMAccountName of the user to give rights to>")
$newAce = New-ADACE $ID "WriteProperty" "Allow" $myGuid
# Get Object
$DN = "<DN of the User object to be managed>"
$ADObject = [ADSI]"LDAP://$DN"
# Set Access Entry on Object
# (SetAccessRule removes this identity's other Allow ACEs on the object before
#  adding this one; use AddAccessRule instead if those must be kept)
$ADObject.psbase.ObjectSecurity.SetAccessRule($newAce)
# DN for the Managed By Property
$ManagedByDN = "<Manager DN Here>"
# Set the managedBy property
$ADObject.Put("managedBy",$ManagedByDN)
# Commit changes to the backend
$ADObject.psbase.CommitChanges()
###############################################################
Brandon Shell [MVP]
------------------------
Blog: http://www.bsonposh.com/
Author: http://www.TurboChargeAD.org
Profile: https://mvp.support.microsoft.com/profile/Brandon
P> Ok, I have been searching for a solution for weeks on this problem
P> and am at my end. I can effectively set the “Managed By” tab in AD,
P> but cannot find the way to properly set the “Write Members –Allow”
P> ACE for the group. I can change “Write Properties – Allow” or
P> “Generic Write – Allow”, but that gives too much access. How can I
P> set JUST “Write-Members – Allow”?
P>
WriteProperty is the permission
The GUID is the property that you are allowed to write to.
There is one slight bug... I have a function called Get-NTID that I didn't include.
You can change the $ID line to this (and add the values):
$ID = New-Object System.Security.Principal.NTAccount($domain,$UserName)
Brandon Shell [MVP]
------------------------
Blog: http://www.bsonposh.com/
Author: http://www.TurboChargeAD.org
Profile: https://mvp.support.microsoft.com/profile/Brandon
P> I have been setting "WriteProperty - Allow", but that is not going to
P> work for us. It allows too many permissions. I need to set
P> "WriteMembers - Allow". The pages listed below have already been
P> looked at and do not show the setting I need.
P>
P> "Brandon Shell [MVP]" wrote:
P>
>> P> but cannot find the way to properly set the "Write Members -Allow"
>> P> ACE for the group. I can change "Write Properties - Allow" or
>> P> "Generic Write - Allow", but that gives too much access. How can I
>> P> set JUST "Write-Members - Allow"?
>> P>
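Added example, not code from any of the posts above: once a member-only ACE has been applied, this script reads the group's DACL back and separates grants that can write only the member attribute (the ACE the thread builds) from WriteProperty, GenericWrite or GenericAll grants that cover every attribute (the "too much access" case). The function name and the group DN are assumed placeholders.

```powershell
# Added example, not from the original post. Assumes a reachable domain;
# the group DN passed at the bottom is a constructed placeholder.
$memberGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"   # schema GUID of the member attribute
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-MemberWriteGrants {
    Param([string]$GroupDN)
    $group = [ADSI]"LDAP://$GroupDN"
    # explicit and inherited ACEs, identities resolved to DOMAIN\name
    $rules = $group.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne "Allow") { continue }
        $rights = $r.ActiveDirectoryRights
        # GenericAll and GenericWrite both contain the WriteProperty bit
        if (($rights -band $writeProp) -ne $writeProp) { continue }
        if ($r.ObjectType -eq $memberGuid) {
            $scope = "member attribute only"              # what the thread asks for
        } elseif ($r.ObjectType -eq [Guid]::Empty) {
            $scope = "ALL attributes (wider than needed)"  # no ObjectType = every attribute
        } else {
            continue                                      # scoped to some other attribute
        }
        New-Object PSObject -Property @{
            Identity  = $r.IdentityReference.Value
            Rights    = $rights.ToString()
            Scope     = $scope
            Inherited = $r.IsInherited
        }
    }
}

Get-MemberWriteGrants "CN=Helpdesk,OU=Groups,DC=example,DC=com" |
    Format-Table Identity, Scope, Rights, Inherited -AutoSize
```

Run it before and after applying the ACE: the delegated user should appear with the "member attribute only" scope, and any identity listed with the "ALL attributes" scope holds more than Write Members.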
#Set ManagedBy field
$GroupDN | Set-Group -ManagedBy $NewManagerName
Brandon Shell [MVP]
------------------------
Blog: http://www.bsonposh.com/
Author: http://www.TurboChargeAD.org
Profile: https://mvp.support.microsoft.com/profile/Brandon
E> $NewManager = Get-mailbox $NewManagerName
E> #Grant Perms to Group so it can be modified
E> Get-DistributionGroup -Identity $groupName | Add-ADPermission -User
E> $NewManager -AccessRights WriteProperty
E> #Set ManagedBy field
E> $GroupDN | Set-Group -ManagedBy $NewManagerName
E> "P$heller" wrote:
E>
Get-mailbox could be replaced with get-qaduser.
get-distributiongroup could be replaced with get-qadgroup.
Brandon Shell [MVP]
------------------------
Blog: http://www.bsonposh.com/
Author: http://www.TurboChargeAD.org
Profile: https://mvp.support.microsoft.com/profile/Brandon
E> Add-ADPermission
E>