Syntax correction

Question

Syntax correction

Glenn Maxwell 12,456

Hi All

I want to provide few users write members access to the AD group(i.e these users can add/remove users to the AD group). in the below syntax if i add one user it is working, if i add more than one user it is not working please guide me.

 $owner = "user1","user2","user3",user4";
 $group = "group1";          
 try {
     $ownerobject = get-aduser $owner;
     $groupobject = get-adgroup $group;
 } catch { 
     write-host "Could not get user/group information from Active Directory";
     break;
 }
 try {
     $ldapstring = "LDAP://" + $groupobject.distinguishedname;
     $ldapgroup = [ADSI]$ldapstring;
     [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options();
     $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl';
     $identityref = $ownerobject.sid.value;
     $sid = new-object System.Security.Principal.SecurityIdentifier ($identityref);
     $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty;
     $type = [System.Security.AccessControl.AccessControlType]::Allow;
     $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2";
     $adrule = new-object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid);
     $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule);
     $ldapgroup.CommitChanges();
     write-host ("ACLs updated for group: " + $group);
 } catch {
     write-host ("Could not set new ACLs on group: " + $group);
     break;
 }

Accepted answer

1 additional answer

Your answer

Answer 1

You've turned $owner into a list (it was a scalar before, with only one user as its value). You need to process each owner individually. BTW, the last item in the list is missing a double quote in your code.

Try this:

$owners = "user1", "user2", "user3", "user4"
$group = "group1";
foreach ($owner in $owners){
    try {
        $ownerobject = Get-ADUser $owner -ErrorAction STOP
        $groupobject = Get-ADGroup $group -ErrorAction STOP
    }
    catch { 
        Write-Host "Could not get user/group information from Active Directory";
        break;
    }
    try {
        $ldapstring = "LDAP://" + $groupobject.distinguishedname;
        $ldapgroup = [ADSI]$ldapstring;
        [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options();
        $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl';
        $identityref = $ownerobject.sid.value;
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($identityref);
        $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty;
        $type = [System.Security.AccessControl.AccessControlType]::Allow;
        $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2";
        $adrule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid);
        $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule);
        $ldapgroup.CommitChanges();
        Write-Host ("ACLs updated for group: " + $group);
    }
    catch {
        Write-Host ("Could not set new ACLs on group: " + $group);
        break;
    }
}

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 deleted comment

Comments have been turned off. Learn more

Share via

Syntax correction

1 additional answer

Your answer