Active Directory Groups

Glenn Maxwell 10,326 Reputation points
2022-10-01T20:37:42.297+00:00

Hi All

I have an AD group lets say TEST1 and i have a testuser1 and this user is managing the membership of this AD groups i.e add/remove members.
Below is the settings of this group.

Group:TEST1-Properties-ManagedBy
Name: TestUser1
Manager can update membership list is checked.

I want to provide access to two more users lets say testuser2 and testuser3 to manage this AD group.
I am following the below steps
TEST1-security-Add the user(testuser2 & testuser3)-Advanced-
Double click the user and edit->give Write Members access.

Is there any powershell syntax using which i can provide access to testuser2 and testuser2 instead of following the GUI steps( i only want to provide Write Members access i.e testuser2 and testuser3 can add/remove members)

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,515 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,406 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,316 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,008 questions
0 comments No comments
{count} votes

Accepted answer
  1. Dillon Silzer 54,831 Reputation points
    2022-10-01T22:23:15.677+00:00

    Hi @Glenn Maxwell

    I'd recommend creating a security group that you can then apply to manage the group object in AD. The script (PowerShell) can be found on the following article:

    How do I set permissions to manage Active Directory group membership? (by Kamal in 2019)

    Cited from https://hkeylocalmachine.com/?p=769

    # Define the $owner that will be able to manage the members of $group  
    $owner = "kamal";  
    $group = "citrix users";  
       
       
    # Try to get objects from AD              
    try {  
       
        $ownerobject = get-aduser $owner;  
        $groupobject = get-adgroup $group;  
       
    # If AD could not be read  
    } catch {  
       
        write-host "Could not get user/group information from Active Directory";  
        break;  
    }  
       
    # Try to set "write members" rights on the group   
    try {  
        $ldapstring = "LDAP://" + $groupobject.distinguishedname;  
        $ldapgroup = [ADSI]$ldapstring;  
       
        [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options();  
        $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl';  
          
        # Get SID  
        $identityref = $ownerobject.sid.value;  
        $sid = new-object System.Security.Principal.SecurityIdentifier ($identityref);  
       
        # Define rights to be applied  
        $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty;  
        $type = [System.Security.AccessControl.AccessControlType]::Allow;  
       
        # Define permission attribute to modify (writeMembers)  
        $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2";  
       
        $adrule = new-object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid);  
       
        # Apply new ACL  
        $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule);  
        $ldapgroup.CommitChanges();  
       
        write-host ("ACLs updated for group: " + $group);  
       
       
    # If permissions could not be set  
    } catch {  
       
        write-host ("Could not set new ACLs on group: " + $group);  
        break;  
    }  
    

    I haven't seen many scripts for this, but it is the only one I've come across.

    ----------------------------------

    If this is helpful please accept answer.

    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Gary Reynolds 9,396 Reputation points
    2022-10-01T22:52:39.65+00:00

    Hi

    The ManageBy attribute is only providing a lookup or reference to who manages the groups, however, when the "Manager can update membership list" option is checked an new ACE is added to the object DACL. DillonJS has provided a powershell script to do this, however, this is the dsacls command to do the same thing, which you can use a group to allocate the right.

    dsacls "<GrouptDN>" /G "<ManagementGroupName>:WP;member"  
    

    Gary.

    0 comments No comments

  2. Glenn Maxwell 10,326 Reputation points
    2022-10-02T03:35:44.073+00:00

    please correct me if i am wrong, i will want to make the below changes in DillonJS script. will it work for me.

    $owner = "test.user2","test.user3"; //test.user2 and test.user3 are sAMAccountNames
    $group = "TEST1";
    $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"; //bf9679c0-0de6-11d0-a285-00aa003049e2 is the Objectguid of the AD group TEST1


  3. Glenn Maxwell 10,326 Reputation points
    2022-10-05T09:45:10.973+00:00

    Thanks all
    script is executed successfully but for the AD group-->right click properties-->security-->testuser1-Advanced-->Double click the user testuser1 and edit-> Write Members
    i dont see Write members box checked