Manager can update membership list Part 1

Sometimes trying to automate something as simple as selecting a checkbox is no simple task. This is the first part of a series of posts on how to select the 'Manager can update membership list' checkbox for an AD group in PowerShell. This first part gives you the PowerShell script that automates the process. The continuation of this post will go over the script in more detail and show the steps that led up to this solution.


Below is the GUI used to select the user who manages the group and whether that user is allowed to update the membership list (the Managed By tab of the group's properties in Active Directory Users and Computers). Setting the manager is the easy part, but selecting the checkbox can be a little more complicated, because the checkbox is not an attribute of the group: it reflects an access control entry on the group that grants the manager the Self-Membership right.


The script below sets the user as the manager and allows them to update the membership list. Keep in mind what that grants: the resulting ACE lets the manager add or remove any member of the group, so think twice before applying it to a group that carries privileges. There will be more to come in the next posts to look at the script in fine detail.


<#
     Look in ADSI Edit for this GUID:
     Configuration -> Extended-Rights -> Self-Membership
     Open Self-Membership and the GUID is the value of rightsGuid.
#>
Import-Module ActiveDirectory   # provides the AD: drive that Get-Acl / Set-Acl use below

$guid    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$groupDn = 'CN=testgroup,CN=Users,DC=contoso,DC=com'

# the account that will manage the group, as an NT account and as a SID (ACEs are stored by SID)
$user = New-Object System.Security.Principal.NTAccount('contoso\jsmith')
$sid  = $user.Translate([System.Security.Principal.SecurityIdentifier])

$acl    = Get-Acl -Path "AD:\$groupDn"
$ctrl   = [System.Security.AccessControl.AccessControlType]::Allow
$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$intype = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# set the ManagedBy property to the same account the ACE is granted to;
# bind to the user by SID so the DN does not have to be typed in a second time
$group   = [adsi]"LDAP://$groupDn"
$manager = [adsi]"LDAP://<SID=$($sid.Value)>"
$group.Put('ManagedBy', [string]$manager.distinguishedName)
$group.SetInfo()

# create the new rule, scoped to the Self-Membership GUID, and add it to the ACL
# https://msdn.microsoft.com/en-us/library/xh02bekw.aspx
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrl, $guid, $intype)
$acl.AddAccessRule($rule)
Set-Acl -AclObject $acl -Path "AD:\$groupDn"

Write-Host "Voila! We have the checkbox checked"
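Before trusting the "Voila", read the result back. The following is an added example and not part of the original post: it checks a group the same way the checkbox does, by looking for an Allow ACE on the group, scoped to the Self-Membership GUID, that is held by the ManagedBy principal, and it goes one step beyond the post by running that check across every managed group in the domain. It assumes the ActiveDirectory module (the AD: drive) is available; the function names are my own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$selfMembershipGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # same GUID as the script above

function Test-ManagerCanUpdateMembership {
    param([Parameter(Mandatory)][string]$GroupDn)

    $group = Get-ADGroup -Identity $GroupDn -Properties ManagedBy
    if (-not $group.ManagedBy) { return $false }   # no manager set: the box cannot be checked

    # Compare by SID so it does not matter whether Get-Acl rendered the ACE
    # identity as DOMAIN\user or as a raw SID. A manager without a SID
    # (for example a contact object) can never hold the right.
    $managerSid = (Get-ADObject -Identity $group.ManagedBy -Properties objectSid).objectSid
    if (-not $managerSid) { return $false }

    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($ace.ObjectType -ne $selfMembershipGuid) { continue }
        if (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -eq 0) { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # orphaned or unresolvable identity; it cannot be the manager
        }
        if ($aceSid -eq $managerSid) { return $true }
    }
    return $false
}

function Get-ManagerUpdatableGroups {
    # Domain-wide audit: every group that has a manager, and whether that manager
    # can change its membership. Worth reviewing for privileged groups in particular.
    Get-ADGroup -LDAPFilter '(managedBy=*)' -Properties ManagedBy | ForEach-Object {
        [pscustomobject]@{
            Group          = $_.DistinguishedName
            ManagedBy      = $_.ManagedBy
            ManagerCanEdit = Test-ManagerCanUpdateMembership -GroupDn $_.DistinguishedName
        }
    }
}

# Check the group the script above configured, then list every group where the box is checked.
Test-ManagerCanUpdateMembership -GroupDn 'CN=testgroup,CN=Users,DC=contoso,DC=com'
Get-ManagerUpdatableGroups | Where-Object ManagerCanEdit | Format-Table -AutoSize
```

The check only accepts ACEs that carry WriteProperty on the Self-Membership GUID, so it will also report a group where an admin granted that right by hand in the Security tab rather than through the checkbox, which is exactly what you want from an audit.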



The next post will explain how to obtain the GUID for the Self-Membership extended right.
