I know this is an old thread, however i believe this solution is the best.
If anyone would like please review the script laid out below.
Thank you
#==============================================================================================================================================
# Created on: 7/9/2015 7:01 AM
# Created by: Jason
# Organization:
# Filename: set-ManagedBy.ps1
# Version: 20150709.01 Original Code creation
# Reference: http://blogs.technet.com/b/blur-lines_-powershell_-author_shirleym/archive/2013/10/07/manager-can-update-membership-list.aspx
#==============================================================================================================================================
#Create initial collection of variable names.
$startupVariables=""
if ($startupvariables) {
try {Remove-Variable -Name startupvariables -Scope Global -ErrorAction SilentlyContinue
}
catch {
}
}
New-Variable -force -name startupVariables -value ( Get-Variable | ForEach-Object { $_.Name } )
Function Clean-Memory {
Get-Variable |
Where-Object { $startupVariables -notcontains $_.Name } |
ForEach-Object {
try { Remove-Variable -Name "$($_.Name)" -Force -Scope "global" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue}
catch { }
}
}
function set-ManagedBy {
[CmdletBinding(DefaultParameterSetName='Managed By Group',
SupportsShouldProcess=$true,
PositionalBinding=$false,
ConfirmImpact='Medium')]
Param
(
# SecurityGroup parameter identifies ad group for which managedBY/Security permissions will be modified.
[Parameter(Mandatory=$true,
ParameterSetName = 'Managed By Group')]
[Parameter(ParameterSetName = 'Managed By User')]
[Parameter(ParameterSetName = 'Clear')]
[ValidateScript({Get-ADGroup -Identity $_ })]
[String]
$SecurityGroup,
# ManagedByGroup parameter used for inserting adgroup in managedBy attribute of a security group.
[Parameter(Mandatory=$false,
ParameterSetName='Managed By Group')]
[ValidateScript({Get-ADGroup -Identity $_ })]
[String]
$ManagedByGroup,
# ManagedByUser parameter used for inserting aduser in managedBy attribute of a security group.
[Parameter(Mandatory=$false,
ParameterSetName='Managed By User')]
[ValidateScript({Get-ADUser -Identity $_ })]
[String]
$ManagedByUser,
[parameter(Mandatory=$False,
ParameterSetName = 'Managed By Group',
HelpMessage="If managerUpdateMembership switch is added, manager has permission to update membership.")]
[Parameter(ParameterSetName = 'Managed By User')]
[switch]$managerUpdateMembership,
[parameter(Mandatory=$False,
ParameterSetName = 'Managed By Group',
HelpMessage="If overwrite switch is added, entry in managedBy is removed from that property as well as access control list.")]
[Parameter(ParameterSetName = 'Managed By User')]
[switch]$overwrite,
[parameter(Mandatory=$False,
ParameterSetName = 'Clear',
HelpMessage="If clear switch is added, managedBY property is set to null.")]
[switch]$clear
)
Begin {
$SecurityGroupObject = (Get-ADGroup -Identity $SecurityGroup -Properties DistinguishedName, ManagedBY, Name, SID)
$aclIdentity = (Get-ADObject $SecurityGroupObject.ManagedBy -Properties canonicalName, SamAccountName)
$aclIdentityReference = (Join-Path -Path ($aclIdentity.CanonicalName.split(".")[0]+'\') -ChildPath $aclIdentity.SamAccountName)
#ACL of group object.
$acl = (Get-acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)")
#GUID of Self Membership attribute. AdsiEdit > Configuration > ExtendedRIghts > SelfMembership
$guid =[guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
#Rights which will be assigned to new rule
$rights =[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ctrl =[System.Security.AccessControl.AccessControlType]::Allow
If($ManagedByGroup -ne "") {
$managedBy = (Get-ADGroup -Identity $ManagedByGroup -Properties CanonicalName, SamAccountName, SID -ErrorAction SilentlyContinue)
}
ElseIf ($ManagedByUser -ne "") {
$managedBy = (Get-ADUser -Identity $ManagedByUser -Properties CanonicalName, SamAccountName, SID -ErrorAction SilentlyContinue)
}
Else {
$managedBy = $null
}
If($managedBy -ne $null) {
$managedBySID = New-Object System.Security.Principal.SecurityIdentifier ($managedBy).SID
}
Else {
}
}
Process {
If ($SecurityGroupObject.ManagedBy -eq $null) {
If($clear -eq $true) {
Throw "ManagedBy is null and clear switch was utilized. No change required!"
}
Else {
If($clear -eq $false) {
If($managerUpdateMembership -eq $false) {
$SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
}
Else {
If($managerUpdateMembership -eq $true) {
$SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($managedBySID,$rights,$ctrl,$guid)
$acl.AddAccessRule($rule)
Set-Acl -AclObject $acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)"
}
}
}
}
}
Else {
If($SecurityGroupObject.ManagedBy -ne $null) {
If ($clear -eq $true) {
Foreach($accessControlEntry in $acl.Access.IdentityReference.value){
If($acl.Access.identityreference -eq $aclIdentityReference){
$ace = $acl.Access | where {$_.IdentityReference -eq $aclIdentityReference}
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($ace.IdentityReference,$ace.ActiveDirectoryRights,$ace.AccessControlType,$ace.ObjectType)
$acl.RemoveAccessRule($rule) | Out-Null
$SecurityGroupObject | Set-ADGroup -ManagedBy $null
Set-Acl -AclObject $acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)"
$match = $true
}
Else {
if (-not ($match)) {
$SecurityGroupObject | Set-ADGroup -ManagedBy $null
}
}
}
}
Else {
If($clear -eq $false) {
If($overwrite -eq $true) {
If($managerUpdateMembership -eq $true) {
Foreach($accessControlEntry in $acl.Access.IdentityReference.value){
If($acl.Access.identityreference -eq $aclIdentityReference){
$ace = $acl.Access | where {$_.IdentityReference -eq $aclIdentityReference}
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($ace.IdentityReference,$ace.ActiveDirectoryRights,$ace.AccessControlType,$ace.ObjectType)
$acl.RemoveAccessRule($rule) | Out-Null
$match = $true
$SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
$rule1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($managedBySID,$rights,$ctrl,$guid)
$acl.AddAccessRule($rule1)
}
Else {
if (-not ($match)) {
$SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
$rule1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($managedBySID,$rights,$ctrl,$guid)
$acl.AddAccessRule($rule1)
}
}
}
Set-Acl -AclObject $acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)"
}
Else {
If($managerUpdateMembership -eq $false) {
Foreach($accessControlEntry in $acl.Access.IdentityReference.value){
If($acl.Access.identityreference -eq $aclIdentityReference){
$ace = $acl.Access | where {$_.IdentityReference -eq $aclIdentityReference}
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($ace.IdentityReference,$ace.ActiveDirectoryRights,$ace.AccessControlType,$ace.ObjectType)
$acl.RemoveAccessRule($rule) | Out-Null
Set-Acl -AclObject $acl -Path "AD:$((Get-ADGroup -Identity $SecurityGroupObject).DistinguishedName)"
$match = $true
$SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
}
Else {
if (-not ($match)) {
$SecurityGroupObject | Set-ADGroup -ManagedBy $managedBy.samAccountName
}
}
}
}
}
}
Else {
If ($overwrite -eq $false) {
Throw "ManagedBy is populated, overwrite or clear switch was not utilized. Review managedBy property of security group!"
}
}
}
}
}
}
}
End {
}
}
Clean-Memory