Active Directory Groups

Glenn Maxwell 10,106 Reputation points
2022-10-01T20:37:42.297+00:00

Hi All

I have an AD group, let's say TEST1, and I have a testuser1, and this user is managing the membership of this AD group, i.e. add/remove members.
Below are the settings of this group.

Group:TEST1-Properties-ManagedBy
Name: TestUser1
Manager can update membership list is checked.

I want to provide access to two more users, let's say testuser2 and testuser3, to manage this AD group.
I am following the below steps:
TEST1 - Security - Add the user (testuser2 & testuser3) - Advanced -
Double click the user and Edit -> give Write Members access.

Is there any PowerShell syntax using which I can provide access to testuser2 and testuser3 instead of following the GUI steps? (I only want to provide Write Members access, i.e. testuser2 and testuser3 can add/remove members.)


Accepted answer
  1. Dillon Silzer 54,286 Reputation points
    2022-10-01T22:23:15.677+00:00

    Hi @Glenn Maxwell

    I'd recommend creating a security group that you can then apply to manage the group object in AD. The script (PowerShell) can be found in the following article:

    How do I set permissions to manage Active Directory group membership? (by Kamal in 2019)

    Cited from https://hkeylocalmachine.com/?p=769

    # Define the $owner that will be able to manage the members of $group
    $owner = "kamal"
    $group = "citrix users"

    # Get-ADUser / Get-ADGroup come from the RSAT ActiveDirectory module
    Import-Module ActiveDirectory

    # Try to get objects from AD (-ErrorAction Stop turns a failed lookup into a catchable error)
    try {
        $ownerobject = Get-ADUser  -Identity $owner -ErrorAction Stop
        $groupobject = Get-ADGroup -Identity $group -ErrorAction Stop
    # If AD could not be read
    } catch {
        Write-Host "Could not get user/group information from Active Directory: $($_.Exception.Message)"
        return
    }

    # Try to set "write members" rights on the group
    try {
        $ldapstring = "LDAP://" + $groupobject.DistinguishedName
        $ldapgroup  = [ADSI]$ldapstring

        # Read and write back only the DACL; owner, primary group and SACL are left untouched
        [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.psbase.Options
        $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl'

        # Get SID of the grantee
        $identityref = $ownerobject.SID.Value
        $sid = New-Object System.Security.Principal.SecurityIdentifier($identityref)

        # Define rights to be applied: Allow WriteProperty ...
        $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
        $type     = [System.Security.AccessControl.AccessControlType]::Allow

        # ... limited to a single attribute: the schemaIDGUID of 'member' (shown as "Write Members" in the GUI)
        $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"

        $adrule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $adrights, $type, $objectguid)

        # Apply new ACL
        $ldapgroup.psbase.ObjectSecurity.AddAccessRule($adrule)
        $ldapgroup.psbase.CommitChanges()

        Write-Host ("ACLs updated for group: " + $group)

    # If permissions could not be set
    } catch {
        Write-Host ("Could not set new ACLs on group: " + $group + " - " + $_.Exception.Message)
        return
    }
    

    I haven't seen many scripts for this, but it is the only one I've come across.

    ----------------------------------

    If this is helpful, please accept the answer.

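The question asks for two extra managers, and the cited script takes a single user. The following is an added example, not from the original thread or from the cited article: it grants the same "Write Members" ACE to several users or groups in one call, using the ActiveDirectory module's AD: drive with Get-Acl/Set-Acl instead of [ADSI], resolves the `member` attribute GUID from the schema instead of pasting it, and skips principals that already hold the right. It assumes the RSAT ActiveDirectory module is installed and that the caller may modify the group's DACL; TEST1, testuser2 and testuser3 are the placeholder names from the question.

```powershell
# Added example (not from the original thread): grant "Write Members" on one group to
# several principals (users or groups) in one call via the AD: PSDrive.
# Assumptions: RSAT ActiveDirectory module is installed, the caller may modify the
# group's DACL; TEST1 / testuser2 / testuser3 are placeholder names from the question.
Import-Module ActiveDirectory

function Grant-GroupWriteMembers {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,      # sAMAccountName of the group to manage
        [Parameter(Mandatory)] [string[]] $PrincipalName   # sAMAccountNames of the users/groups to grant
    )

    $group   = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $aclPath = "AD:\$($group.DistinguishedName)"
    $acl     = Get-Acl -Path $aclPath

    # Look the 'member' attribute's schemaIDGUID up in the schema instead of trusting a
    # pasted constant (it resolves to bf9679c0-0de6-11d0-a285-00aa003049e2 in every forest)
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $memberAttr = Get-ADObject -SearchBase $schemaNC -ErrorAction Stop -Properties schemaIDGUID `
                    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=member))'
    $memberGuid = [guid]$memberAttr.schemaIDGUID

    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $allow         = [System.Security.AccessControl.AccessControlType]::Allow
    $noInherit     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

    # Current rules with SID identities, so re-running the function does not stack duplicate ACEs
    $existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($name in $PrincipalName) {
        # Get-ADObject accepts users and groups alike; a management group is the better target
        $principal = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties objectSid
        if (-not $principal) { throw "Principal '$name' not found in Active Directory" }
        $sid = [System.Security.Principal.SecurityIdentifier]$principal.objectSid

        $alreadyThere = $existing | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $allow -and
            $_.ObjectType -eq $memberGuid -and
            (([int]$_.ActiveDirectoryRights) -band ([int]$writeProperty)) -ne 0
        }
        if ($alreadyThere) {
            [pscustomobject]@{ Group = $group.Name; Principal = $name; Result = 'already granted' }
            continue
        }

        # ACE: Allow WriteProperty on exactly one attribute (member) of this object only, no
        # inheritance. This is the ACE the "Manager can update membership list" checkbox writes.
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                   $sid, $writeProperty, $allow, $memberGuid, $noInherit)
        $acl.AddAccessRule($ace)
        [pscustomobject]@{ Group = $group.Name; Principal = $name; Result = 'granted' }
    }

    # Write the modified security descriptor back to the group object
    Set-Acl -Path $aclPath -AclObject $acl
}

# Usage: the two extra managers from the question
Grant-GroupWriteMembers -GroupName 'TEST1' -PrincipalName 'testuser2', 'testuser3' | Format-Table -AutoSize
```

Write Members lets the grantee add any account to the group, including themselves or privileged accounts, so keep the ACE scoped as above (one attribute, this object only) and, as the answer suggests, grant it to a dedicated management group whose membership is itself controlled rather than to individual users.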

3 additional answers

  1. Gary Reynolds 9,391 Reputation points
    2022-10-01T22:52:39.65+00:00

    Hi

    The managedBy attribute only provides a lookup or reference to who manages the group; however, when the "Manager can update membership list" option is checked, a new ACE is added to the object's DACL. DillonJS has provided a PowerShell script to do this; however, this is the dsacls command to do the same thing, and you can use a group to allocate the right.

    dsacls "<GroupDN>" /G "<ManagementGroupName>:WP;member"
    

    Gary.


  2. Glenn Maxwell 10,106 Reputation points
    2022-10-02T03:35:44.073+00:00

    Please correct me if I am wrong; I want to make the below changes in DillonJS's script. Will it work for me?

    $owner = "test.user2","test.user3"; # test.user2 and test.user3 are sAMAccountNames
    $group = "TEST1";
    $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"; # bf9679c0-0de6-11d0-a285-00aa003049e2 is the objectGUID of the AD group TEST1


  3. Glenn Maxwell 10,106 Reputation points
    2022-10-05T09:45:10.973+00:00

    Thanks all.
    The script executed successfully, but for the AD group -> right click Properties -> Security -> testuser1 -> Advanced -> double click the user testuser1 and Edit -> Write Members,
    I don't see the Write Members box checked.
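The GUI checkbox is a rendering of the DACL, so the reliable check after running either script is to read the group's ACL directly. The following is an added example, not from the original thread: it lists every principal whose ACE lets them change the group's membership, which is what the GUI labels "Write Members". It also catches the cases the checkbox does not make obvious (a Deny, "Write all properties", Full Control, or an inherited ACE). It assumes the RSAT ActiveDirectory module and read access to the group's security descriptor; 'TEST1' is the placeholder group name from the question.

```powershell
# Added example (not from the original thread): read a group's DACL and report every
# principal that can change its membership, i.e. what the GUI calls "Write Members".
# Assumptions: RSAT ActiveDirectory module, read access to the group's security
# descriptor; 'TEST1' in the usage line is the placeholder group name from the question.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute; an empty ObjectType GUID means "all properties"
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-GroupMembershipWriters {
    param([Parameter(Mandatory)] [string] $GroupName)

    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"

    # GenericWrite and GenericAll both include the WriteProperty bit, so one mask covers
    # "Write Members", "Write all properties" and "Full control"
    $writeMask   = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($ace in $acl.Access) {
        # No write-property right granted or denied at all
        if (([int]$ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }

        # InheritOnly ACEs apply to child objects, not to this group itself
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        # WriteProperty scoped to some other attribute does not touch 'member'.
        # The 'Self' validated write ("Add/Remove self as member") shares this GUID but
        # lacks the WriteProperty bit, so the mask test above already excludes it.
        if ($ace.ObjectType -eq $MemberAttributeGuid) {
            $scope = 'member attribute (Write Members)'
        } elseif ($ace.ObjectType -eq [guid]::Empty) {
            $scope = 'all properties'
        } else {
            continue
        }

        [pscustomobject]@{
            Group       = $group.Name
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType   # a Deny here overrides an Allow elsewhere
            Rights      = $ace.ActiveDirectoryRights
            Scope       = $scope
            IsInherited = $ace.IsInherited
        }
    }
}

# Usage: who can add or remove members of TEST1
Get-GroupMembershipWriters -GroupName 'TEST1' | Format-Table -AutoSize
```

The same DACL can be dumped as text with `dsacls "<GroupDN>"` and no other switches; the entries of interest read `WRITE PROPERTY` followed by `member`. From a security point of view this list is the one to review periodically: anyone on it can put any account into the group, so it should be short and consist of a management group rather than individual users.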