Issues while setting the "ManagedBy" property of a group object in Active Directory

Irfan Ahmed, Senior Support Escalation Engineer, brings this amazing blog to us. Read on.

Requirement

Recently I have been working on a requirement where an IT administrator would like to set the “ManagedBy” property of a group object in AD, as shown in the screenshot below, using a PowerShell script. We want to do it by running the script under domain user credentials. We made sure that the domain user has full permission on the group.

Screenshot of a group object properties in Active Directory. Our objective is to set the checkbox highlighted.

A sample PowerShell script can be found here:

blogs.technet.com/b/blur-lines_-powershell_-author_shirleym/archive/2013/10/07/manager-can-update-membership-list.aspx

Environment

You are running Windows Server with Active Directory Web Services (ADWS), or older Active Directory Domain Controllers with the Active Directory Management Gateway Service (ADMGS) installed.

Problem Description

The above-mentioned script works fine as a Domain Admin, but it fails with “Access Denied” or “This security ID may not be assigned as the owner of this object”. The error is thrown on the Set-Acl call in the script. Please note that we had given the domain user full permission on the group object and still get this error. Another interesting point is that we are able to set “Manager can update membership list” with the domain user using the Active Directory Users and Computers console.

Solution

Currently the solution is to use VBScript to set the permission instead of a PowerShell script.

Below is a sample VBScript to add and set the “Manager can update membership list” permission on a group object in the given AD.

Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_ACEFLAG_DONT_INHERIT_ACE = &H0

Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
' Schema GUID of the "member" attribute; WriteProperty on it is the "Write Members" right
Const ADS_OBJECT_WRITE_MEMBERS = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
'===========================================================================
' Note: On Error Resume Next suppresses runtime errors, so a failed SetInfo is silent
On Error Resume Next
intEnabled = 1
' NetBIOS (NT4-style) domain name, used to build the trustee as "DOMAIN\user"
strDomainNT4 = "<DomainName>"

' DN of the security group object on which we need to give permission
Set objGroup = GetObject("LDAP://CN=Test_SG,OU=All_SG,DC=br549,DC=nttest,DC=microsoft,DC=com")

' DN of the user to whom we need to give permission
objGroup.Put "managedBy", "CN=Test,CN=Users,DC=br549,DC=nttest,DC=microsoft,DC=com"
' Commit the managedBy change to the directory
objGroup.SetInfo

' The code below sets "Manager can update membership list"
strManagedBy = objGroup.Get("managedBy")

Set objSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
Set objDACL = objSecurityDescriptor.DiscretionaryACL
Set objUser = GetObject("LDAP://" & strManagedBy)

' Enable the "Manager can update membership list" check box:
' an object-specific Allow ACE granting WriteProperty on the "member" attribute
Set objACE = CreateObject("AccessControlEntry")
objACE.Trustee = strDomainNT4 & "\" & objUser.Get("sAMAccountName")

WScript.Echo objACE.Trustee & " can now manage members."
objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE.AceFlags = ADS_ACEFLAG_DONT_INHERIT_ACE
objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE.ObjectType = ADS_OBJECT_WRITE_MEMBERS
objDACL.AddAce objACE

' Write the modified DACL back to the group object
objSecurityDescriptor.DiscretionaryACL = objDACL
objGroup.Put "ntSecurityDescriptor", Array(objSecurityDescriptor)
objGroup.SetInfo
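
After running the VBScript, a practitioner will want to confirm what was actually written. The following PowerShell check is an added example and is not part of the original post or the linked script. It assumes the ActiveDirectory module (and therefore ADWS or ADMGS, as in the environment above) is available, that the group's manager is a user object, and it reuses the sample group DN and the "member" attribute GUID from the VBScript. Reading the security descriptor with Get-Acl is not the operation that fails in the post (only the Set-Acl write is), so this check runs under the same domain user credentials.

```powershell
# Added example (not from the original post): verify that the managedBy user
# holds an Allow ACE for WriteProperty on the "member" attribute of the group,
# which is what the "Manager can update membership list" check box represents.
Import-Module ActiveDirectory

# Schema GUID of the "member" attribute (same value as ADS_OBJECT_WRITE_MEMBERS above)
$memberAttrGuid = [guid]'BF9679C0-0DE6-11D0-A285-00AA003049E2'

function Test-ManagerCanUpdateMembers {
    param([Parameter(Mandatory)][string]$GroupDN)

    $group = Get-ADGroup -Identity $GroupDN -Properties managedBy
    if (-not $group.managedBy) {
        throw "managedBy is not set on $GroupDN"
    }

    # Resolve the manager DN to DOMAIN\user so it can be compared with the ACE trustee.
    # Assumes the manager is a user object, as in the sample VBScript.
    $manager = Get-ADUser -Identity $group.managedBy
    $managerAccount = $manager.SID.Translate([System.Security.Principal.NTAccount]).Value

    # The AD: drive exposes the ntSecurityDescriptor as ActiveDirectoryAccessRule objects
    $acl = Get-Acl -Path ("AD:\" + $GroupDN)

    $writeMembersAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $memberAttrGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.IdentityReference.Value -eq $managerAccount
    }

    [pscustomobject]@{
        Group        = $group.Name
        Manager      = $managerAccount
        CanUpdateMembers = [bool]$writeMembersAce
    }
}

# Sample group DN taken from the VBScript above
Test-ManagerCanUpdateMembers -GroupDN 'CN=Test_SG,OU=All_SG,DC=br549,DC=nttest,DC=microsoft,DC=com'
```

If CanUpdateMembers comes back false after the VBScript has run, the most likely reason is that On Error Resume Next hid a failure on one of the SetInfo calls; rerunning the VBScript with that line commented out will surface the actual ADSI error.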

Written and Reviewed by: Irfan Ahmed, Senior Support Escalation Engineer, EMEA/INDIA Support Team