PowerShell for Windows Admins

Nov 4 2013   3:05PM GMT

Managed by for groups

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

Many Active Directory objects have a ManagedBy attribute that shows the business owner of the group. Setting this doesn’t confer rights to manage the object. However in AD users and computers if you look at the Managed by tab for a group you will see a check box with the label “Manager can update membership list”

This doesn’t set an attribute – it sets permissions on the group members property. The Microsoft cmdlets don’t handle AD permissions – a major omission in my mind – but if you have a copy of the Quest cmdlets handy you can do this

$user = Get-QADUser -Identity dgreen

$group = Get-QADGroup -Identity Accounts -IncludeAllProperties
$group | Set-QADGroup -ManagedBy $user

$group | Add-QADPermission -Property Member -Account $user -ApplyTo ThisObjectOnly -Rights WriteProperty

Get the user and group objects. Set the managedBy property using Set-QADGroup. There is a switch to enable the manager update the membership list but you need Active Roles running to use it.

Instead use Add-QADPermission and define the property, the account to be granted the permissions, limit inheritance and state the permission being granted.

You can never have to many cmdlets even if you don’t use them that often.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: