Managed by for groups

Many Active Directory objects have a ManagedBy attribute that records the business owner of the group. Setting it does not confer any rights to manage the object. However, in Active Directory Users and Computers, the Managed By tab of a group has a check box labelled "Manager can update membership list".

That check box doesn't set an attribute; it sets permissions on the group's member property. The Microsoft cmdlets don't handle AD permissions (a major omission, in my mind), but if you have a copy of the Quest cmdlets handy you can do this:

$user = Get-QADUser -Identity dgreen

$group = Get-QADGroup -Identity Accounts -IncludeAllProperties
$group | Set-QADGroup -ManagedBy $user

$group | Add-QADPermission -Property Member -Account $user -ApplyTo ThisObjectOnly -Rights WriteProperty

Get the user and group objects. Set the managedBy property using Set-QADGroup. There is a switch to let the manager update the membership list, but you need Active Roles running to use it.

Instead, use Add-QADPermission and define the property, the account to be granted the permission, limit inheritance (ThisObjectOnly), and state the right being granted (WriteProperty).
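The same change done without the Quest cmdlets, as an added example that is not from the original post: the Microsoft ActiveDirectory module sets ManagedBy, and the AD: PSDrive with Get-Acl/Set-Acl writes the WriteProperty ACE on the member attribute, followed by a check of who can now write that attribute. The group name 'Accounts' and user 'dgreen' are taken from the post; everything else (domain, paths) is assumed to be the current domain.

```powershell
# Added example (not the post's own code): native AD module + AD: drive ACLs.
Import-Module ActiveDirectory

$user  = Get-ADUser  -Identity 'dgreen'     # names from the post; adjust as needed
$group = Get-ADGroup -Identity 'Accounts'

# 1. Business owner: a plain attribute, no rights attached.
Set-ADGroup -Identity $group -ManagedBy $user.DistinguishedName

# 2. Look up the schemaIDGUID of the 'member' attribute from the schema rather
#    than hard-coding it, so the ACE is scoped to that single property.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberGuid = [guid]$memberAttr.schemaIDGUID

# 3. Allow WriteProperty on 'member' for the user, this object only (no
#    inheritance). This is what the "Manager can update membership list"
#    check box in AD Users and Computers does.
$path = "AD:\$($group.DistinguishedName)"
$acl  = Get-Acl -Path $path
$ruleArgs = @(
    [System.Security.Principal.SecurityIdentifier]$user.SID
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    [System.Security.AccessControl.AccessControlType]::Allow
    $memberGuid
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Verify: every Allow ACE that can write 'member' on this group. An
#    ObjectType of all zeros means "all properties", so it grants this too.
(Get-Acl -Path $path).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Step 4 is worth running on its own periodically: it lists every principal that can change the group's membership, not just the one you intended.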

You can never have too many cmdlets, even if you don't use them that often.


2 Responses to Managed by for groups

  1. Elias Chaoul says:

    I want to thank you for this script; I have used it successfully to change the owner and the right to modify the member list for a bunch of security groups.

    Elias Chaoul
