Manager can update membership list Part 3

In the first post, we looked at the script to allow a manager of an AD group to update the membership list. The second post demonstrated how to retrieve the guid for the extended rights to apply this right. Now we will look at how to determine what rights are needed for updating a membership list in an AD group.

The script below is setting up the AD group for specific rights.

$ctrl=[System.Security.AccessControl.AccessControlType]::Allow

$rights=[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$intype=[System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

 

Of course, we can go through documentation to determine the rights, but who has time to go through documentation. Why don't we just give the user permissions to manage the list, then look at the rights given? Then take away those rights by clearing the permissions manually through the gui.

 

Toggle these permissions, then look at the difference by executing the following command.

 

Now we are able to determine what flags and rights to set for the AD group object. Next we need to add this AD rule to the current ACL. Create the new rule by using the .NET class, System.DirectoryServices.ActiveDirectoryAccessRule. Look at the constructor on MSDN to determine what parameters are required.

Create the new access rule, add the new rule, and then set the acl with the new rule.

 

$acl=Get-Acl ad:"cn=testgroup,cn=users,dc=contoso,dc=com"

$rule=New-ObjectSystem.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)

$acl.AddAccessRule($rule)

Set-Acl $acl -path ad:"cn=testgroup,cn=users,dc=contoso,dc=com"

 

Voila! We have checked the checkbox. The manager of the group now has permission to update the membership list.