Posted by: Richard Siddaway
Active Directory, PowerShell
Many Active Directory objects have a ManagedBy attribute that shows the business owner of the group. Setting this doesn’t confer rights to manage the object. However in AD users and computers if you look at the Managed by tab for a group you will see a check box with the label “Manager can update membership list”
This doesn’t set an attribute – it sets permissions on the group members property. The Microsoft cmdlets don’t handle AD permissions – a major omission in my mind – but if you have a copy of the Quest cmdlets handy you can do this
$user = Get-QADUser -Identity dgreen
$group = Get-QADGroup -Identity Accounts -IncludeAllProperties
$group | Set-QADGroup -ManagedBy $user
$group | Add-QADPermission -Property Member -Account $user -ApplyTo ThisObjectOnly -Rights WriteProperty
Get the user and group objects. Set the managedBy property using Set-QADGroup. There is a switch to enable the manager update the membership list but you need Active Roles running to use it.
Instead use Add-QADPermission and define the property, the account to be granted the permissions, limit inheritance and state the permission being granted.
You can never have to many cmdlets even if you don’t use them that often.