Active Directory - Group Properties - Managed By Tab - "Check The Box" - Manager can update membership list

My friends,
In Active Directory, I have a script that changes the manager of many groups listed in the .csv file; this part works OK.

I am trying to “Check the Box” to indicate:
“Manager can update membership list”
for all the groups in the .csv file.

Here’s the script:

Import-Csv -Path "C:\Folderx\TheTest.csv" |
foreach {
    Set-ADgroup -Identity $_.Group -Managedby Joe.Jones
    $guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $sid = Get-ADUser -Identity Joe.Jones | select SID
    $ctrlType = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrlType, $guid)
    $group = Get-ADGroup „$_.Group“
    $aclPath = "AD:\" + $group.distinguishedName
    $acl = Get-Acl $aclPath
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path $aclPath
}

Here’s the .CSV file - “C:\Folderx\Filex.csv”

Group
GROUPLGATestTesting
GROUPLGATestTesting2

Here are the first two errors:

 New-Object : Cannot find an overload for "ActiveDirectoryAccessRule" and the argument count: "4".
At C:\Powershell\ManagedBy  Changes ManagedBy Manager Can Update Membership LIst.ps1:8 char:9
+ $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObj 
   ectCommand
 
Get-ADGroup : Cannot find an object with identity: '@{Group=GROUPLGATestTesting}.Group' under: 
'DC=usda,DC=net'.
At C:\Powershell\ManagedBy  Changes Manager Can Update Membership LIst.ps1:9 char:10
+ $group = Get-ADGroup „$_.Group“
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (@{Group=GROUPLGATestTesting}.Group:ADGroup) [Get 
   -ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentity 
   NotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

The four arguments have good values in them:

PS C:\WINDOWS\system32>
$guid

Guid

bf9679c0-0de6-11d0-a285-00aa003049e2

$sid

SID

S-1-5-21-34734673467-88884444555-3041422421-9999

$ctrlType
Allow

$rights
WriteProperty, ExtendedRight

But the $rule variable did not get any value in it.
So the trouble begins with this line:

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrlType, $guid)

Thank you in advance for your help.

These two lines give you complete objects. Later you are passing the whole object instead of the values you think you are.

You can fix it at assignment by changing to this:

$guid = ([guid]'bf9679c0-0de6-11d0-a285-00aa003049e2').Guid
$sid = Get-ADUser -Identity Joe.Jones | select -ExpandProperty SID

Or you can just reference the actual properties later by changing this line:

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid.Sid, $rights, $ctrlType, $guid.Guid)

Krzydoug,
Thank you very much for your reply.
I tried your first suggestion. Here is the script:

Import-Csv -Path "C:\FolderX\FileX.csv" |
foreach {
    Set-ADgroup -Identity $_.Group -Managedby Joe.Jones
    $guid = ([guid]'bf9679c0-0de6-11d0-a285-00aa003049e2').Guid
    $sid = Get-ADUser -Identity Joe.Jones | select -ExpandProperty SID
    $ctrlType = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrlType, $guid)
    $group = Get-ADGroup „$_.Group“
    $aclPath = "AD:\" + $group.distinguishedName
    $acl = Get-Acl $aclPath
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path $aclPath
}

I used the same .CSV input, “C:\Folderx\Filex.csv”:
Group
GROUPLGATestTesting
GROUPLGATestTesting2

Here are the errors:

 New-Object : Multiple ambiguous overloads found for "ActiveDirectoryAccessRule" and the 
argument count: "4".
At C:\Powershell\
Manager Can Update Membership LIst.ps1:8 
char:9
+ $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.N 
   ewObjectCommand
 
Get-ADGroup : Cannot find an object with identity: '@{Group=AIOGTXEDNLGATestTesting}.Group' 
under: 'DC=usda,DC=net'.
At C:\Powershell\
Manager Can Update Membership LIst.ps1:9 
char:10
+ $group = Get-ADGroup „$_.Group“
+          ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (@{Group=AIOGTXEDNLGATestTesting}.Group:ADGroup) 
    [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIde 
   ntityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
 
You cannot call a method on a null-valued expression.
At C:\Powershell\
Manager Can Update Membership LIst
.ps1:12 char:1
+ $acl.AddAccessRule($rule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
At C:\Powershell\
Manager Can Update Membership 
Answer.ps1:13 char:14
+ Set-Acl -acl $acl -path $aclPath
+              ~~~~
    + CategoryInfo          : InvalidData: (:) [Set-Acl], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerSh 
   ell.Commands.SetAclCommand

Here are the values of the four arguments after it ran:
$guid
bf9679c0-0de6-11d0-a285-00aa003049e2

$sid (Sanitized)

BinaryLength AccountDomainSid                           Value
------------ ----------------                           -----
          28 S-1-5-21-1243529123-1234567890-1234567890 S-1-5-21-1243529123-1234567890-1234567890-12345

$ctrlType
Allow

$rights
WriteProperty, ExtendedRight

$rule: no value in $rule

What now, KrazyDoug?

It turns out it wanted the objects. I got this to work.

Import-Csv -Path "C:\FolderX\FileX.csv" |
ForEach-Object {  
    Set-ADgroup -Identity $_.Group -Managedby Joe.Jones 
    $guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $sid = Get-ADUser -Identity Joe.Jones | select -ExpandProperty SID
    $ctrlType = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrlType, $guid)
    $group = Get-ADGroup $_.Group
    $aclPath = "AD:\" + $group.distinguishedName
    $acl = Get-Acl $aclPath
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path $aclPath
}

If it still errors, I would try this:

Import-Csv -Path "C:\FolderX\FileX.csv" |
ForEach-Object {  
    Set-ADgroup -Identity $_.Group -Managedby Joe.Jones 
    $sid = Get-ADUser -Identity Joe.Jones | select -ExpandProperty SID
    $ctrlType = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrlType)
    $group = Get-ADGroup $_.Group
    $aclPath = "AD:\" + $group.distinguishedName
    $acl = Get-Acl $aclPath
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path $aclPath
}

krzydoug,
That worked! Ah-Ha-ha!
Your first one worked. I haven’t had a chance to study it all yet, but I will.
This has been a real problem for us for weeks now. And it will sure save us lots of time because last week we needed to do a Bulk Request for over 100 of these.
Many thanks,

That’s wonderful news! Take care

KrzyDoug, is there a good way to reverse it? How can the check-box be cleared or un-checked?
I tried using Deny in place of Allow; that did nothing:
$ctrlType = [System.Security.AccessControl.AccessControlType]::Allow

I know the box will clear if the manager is cleared but I want to leave the manager intact.

Maybe I should start a new topic. Thanks.
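As an added example (not code from the thread or from either poster), here is a reusable function that grants, audits or removes the ACE behind this checkbox. It serves both Krzydoug's point above about passing the SID and GUID as objects rather than strings, and the follow-up question about reversing the change without clearing the manager. It assumes the RSAT ActiveDirectory module (which provides the AD: drive); the GUID is the schema GUID of the member attribute, the value the thread uses; the function names are my own.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module (which provides the AD: drive) and a session allowed to edit group ACLs.
Import-Module ActiveDirectory

# Schema GUID of the "member" attribute (the value used in the thread). The checkbox
# is simply an Allow WriteProperty ACE on this attribute, granted to the manager.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-ManagerMemberAce {
    # Audit helper: returns the Allow ACE(s) on $GroupDn that let $ManagerSid write "member".
    param([string]$GroupDn, [System.Security.Principal.SecurityIdentifier]$ManagerSid)
    $acl = Get-Acl -Path ("AD:\" + $GroupDn)
    $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $ManagerSid -and
        $_.ObjectType -eq $MemberAttributeGuid -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
    }
}

function Set-ManagerCanUpdateMembership {
    # Without -Disable this adds the ACE the checkbox creates; with -Disable it removes
    # that ACE and leaves managedBy intact (the reverse operation asked about in the thread).
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Manager,
        [switch]$Disable
    )
    $groupObj = Get-ADGroup -Identity $Group
    $sid      = (Get-ADUser -Identity $Manager).SID   # SecurityIdentifier object, not a string
    $aclPath  = "AD:\" + $groupObj.DistinguishedName
    $acl      = Get-Acl -Path $aclPath
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    # Passing a [guid] object (not its string) selects the unambiguous constructor overload.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $MemberAttributeGuid

    if ($Disable) {
        # Removing the matching Allow ACE is the true reverse of checking the box. Adding a
        # Deny ACE instead would block the manager but leave the original grant on the object.
        $null = $acl.RemoveAccessRule($rule)
    } else {
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $aclPath -AclObject $acl
    Get-ManagerMemberAce -GroupDn $groupObj.DistinguishedName -ManagerSid $sid   # show what remains
}

# Apply to every group in the CSV; add -Disable to clear the checkbox for all of them.
Import-Csv -Path "C:\FolderX\FileX.csv" | ForEach-Object {
    Set-ADGroup -Identity $_.Group -ManagedBy 'Joe.Jones'
    Set-ManagerCanUpdateMembership -Group $_.Group -Manager 'Joe.Jones'
}
```

Running Get-ManagerMemberAce on its own over the same CSV is a quick way to confirm, after a bulk change, which groups still carry the grant and which do not.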