How to Set Up ManagedBy AD Attribute

Setting the ManagedBy property on a single Active Directory group is not a big deal. It becomes one when there are plenty of such groups.

ManagedBy is just one attribute of the group object, so it is easy to change. The "Manager can update membership list" checkbox, however, is not a property. It represents a security permission on the group object, WriteMembers (write access to the member attribute). The checkbox is in fact a logical statement:

Checkbox = (ManagedBy_Object_Permissions = WriteMembers)

Even if the ManagedBy object has full access to the group and can do whatever it wants, the checkbox appears checked only if the WriteMembers permission itself is set to Allow.

Of course, PowerShell can help us set everything up. The script is short, but it has two interesting parts:

  1. The ManagedBy attribute requires a distinguished name, but the ACL uses the SAM account name (DOMAIN\user), so the script converts one name into the other.
  2. The System.DirectoryServices.ActiveDirectoryAccessRule constructor is overloaded.

One of its six variants is

ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, ActiveDirectorySecurityInheritance)

And another one is

ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid)

If we pass the WriteMembers GUID as a string, PowerShell resolves the call to the first variant and the constructor raises an error:

 $NewAccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($ManagedByAccountObject,$WritePropertiesObject,$AllowObject,'BF9679C0-0DE6-11D0-A285-00AA003049E2')

 New-Object : Cannot convert argument "3", with value: "BF9679C0-0DE6-11D0-A285-00AA003049E2", for "ActiveDirectoryAccessRule" to type "System.DirectoryServices.ActiveDirectorySecurityInheritance": "Cannot convert value "BF9679C0-0DE6-11D0-A285-00AA003049E2" to type "System.DirectoryServices.ActiveDirectorySecurityInheritance" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "None, All, Descendents, SelfAndChildren, Children"."

The error suggests using an inheritance value, but if we do that, the ACE grants the entire Write permission as Allow, not just WriteMembers. The ManagedBy object will be able to change the group members, but, as noted above, the checkbox will not be checked. To avoid this, define the GUID as the [GUID] type.

So, the script looks like this. The key statements are the [GUID] cast and the access-rule constructor call.

#### Our variables
$ManagedByName = "CN=Karmadanov\, Andrew,OU=Users,OU=IT,DC=Domain,DC=com"
$Group = "CN=test-AK,OU=Groups,OU=IT,DC=Domain,DC=com"

#### AD Searcher. We will use it several times
$ADRoot = [ADSI]""
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($ADRoot)
$Searcher.SearchRoot = $ADRoot
$Searcher.SearchScope = "Subtree"

#### Check if ManagedByName exists and get the NT account name from it
$Searcher.Filter = "(&(objectCategory=*)(distinguishedName=$ManagedByName))"
$ADObjects = $Searcher.FindAll()
if ($ADObjects.Count -eq 0) { throw ($ManagedByName + " has not been found") }
$ManagedByObject = $ADObjects[0].GetDirectoryEntry()

#### Convert DN to Domain\username: the domain part of the DN starts at the first DC=
if ($ManagedByName -match "DC=.*$") { $DomainDN = $matches[0] }
else { throw "Error occurred while resolving the domain name" }
$Searcher.Filter = "(&(objectCategory=*)(distinguishedName=$DomainDN))"
$DomainObjects = $Searcher.FindAll()
if ($DomainObjects.Count -eq 0) { throw ($DomainDN + " has not been found") }
$DomainObject = $DomainObjects[0].GetDirectoryEntry()
$DomainName = ($DomainObject.Properties.Name[0]).ToUpper()

#### Parameters for the new ACE
$ManagedByAccountObject = New-Object System.Security.Principal.NTAccount($DomainName, [string]$ManagedByObject.sAMAccountName)

$WritePropertiesObject = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$AllowObject = [System.Security.AccessControl.AccessControlType]::Allow

# Must be a [GUID], not a string, otherwise New-Object picks the
# ActiveDirectorySecurityInheritance overload and fails (see above)
$WriteMembersGUID = [GUID]'BF9679C0-0DE6-11D0-A285-00AA003049E2'

#### Group object
$Searcher.Filter = "(&(objectCategory=*)(distinguishedName=$Group))"
$ADObjects = $Searcher.FindAll()
if ($ADObjects.Count -eq 0) { throw ($Group + " has not been found") }

$GroupObject = [ADSI]("LDAP://" + $Group)
$GroupObjectSecurity = $GroupObject.PSBase.ObjectSecurity
$GroupAccessRules = $GroupObjectSecurity.GetAccessRules($True, $True, [System.Security.Principal.NTAccount])

#### New ACE: Allow WriteProperty on the member attribute only (= WriteMembers)
$NewAccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($ManagedByAccountObject, $WritePropertiesObject, $AllowObject, $WriteMembersGUID)

#### Apply both halves (the attribute and the ACE) and commit; the listing above
#### stopped at the constructor, these lines write the result back to AD
$GroupObject.Put("managedBy", $ManagedByName)
$GroupObjectSecurity.AddAccessRule($NewAccessRule)
$GroupObject.PSBase.CommitChanges()


As easy as that.
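To confirm the result on a group, here is a verification script added as an example (it is not part of the original post). It reads the group's managedBy, resolves the manager to DOMAIN\user through the account's SID rather than by parsing the DN, and then looks for an Allow WriteProperty ACE scoped to the member attribute GUID, reporting separately the case the post warns about: a broad WriteProperty ACE that lets the manager change members while the checkbox stays clear. The group DN is a placeholder.

```powershell
# Added verification script (not from the original post). $GroupDN is a placeholder;
# run it as a domain user that can read the group's security descriptor.
$WriteMembersGUID = [GUID]'BF9679C0-0DE6-11D0-A285-00AA003049E2'   # "member" attribute (WriteMembers)

function Test-ManagedByCheckbox {
    param([string]$GroupDN)

    $GroupObject = [ADSI]("LDAP://" + $GroupDN)
    $ManagedByDN = [string]$GroupObject.managedBy
    $Result = [ordered]@{ Group = $GroupDN; ManagedBy = $ManagedByDN; Manager = $null;
                          CanWriteMembers = $false; CheckboxChecked = $false; Note = "" }
    if (-not $ManagedByDN) { $Result.Note = "managedBy is empty"; return [pscustomobject]$Result }

    # Resolve the manager to DOMAIN\sAMAccountName via its SID (instead of parsing the DN)
    $Manager = [ADSI]("LDAP://" + $ManagedByDN)
    $Sid     = New-Object System.Security.Principal.SecurityIdentifier($Manager.objectSid.Value, 0)
    $Account = $Sid.Translate([System.Security.Principal.NTAccount])
    $Result.Manager = $Account.Value

    # Only Allow ACEs for that identity that include the WriteProperty right are relevant
    $WP    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $Rules = $GroupObject.PSBase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
             Where-Object { $_.IdentityReference -eq $Account -and $_.AccessControlType -eq 'Allow' -and
                            $_.ActiveDirectoryRights.HasFlag($WP) }

    foreach ($Rule in $Rules) {
        if ($Rule.ObjectType -eq $WriteMembersGUID) {
            # ACE scoped to exactly the member attribute: this is what ADUC shows as the checkbox
            $Result.CanWriteMembers = $true; $Result.CheckboxChecked = $true
        } elseif ($Rule.ObjectType -eq [GUID]::Empty) {
            # WriteProperty on all attributes: membership is writable, but the checkbox stays clear
            $Result.CanWriteMembers = $true
            if (-not $Result.Note) { $Result.Note = "broad WriteProperty ACE, not WriteMembers" }
        }
    }
    return [pscustomobject]$Result
}

Test-ManagedByCheckbox -GroupDN "CN=test-AK,OU=Groups,OU=IT,DC=Domain,DC=com" | Format-List
```

Run it against a group before and after the main script: CheckboxChecked should flip to True only once the GUID-scoped ACE is present.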

