UnCheck Box - Manager Can Update Membership List - For a Group - Active Directory

In a recent topic (November 7, 2022, "Active directory – Group Properties – Managed By Tab – “Check The Box” – Manager can update membership list"), KrzyDoug helped me come up with this script to Check the Box. This works very well:

Import-Csv -Path "C:\FolderX\FileX.csv" |
ForEach-Object {
    # Set the manager shown on the "Managed By" tab
    Set-ADGroup -Identity $_.Group -ManagedBy Joe.Jones
    # GUID of the "member" attribute; the ACE below is scoped to it
    $guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $sid = Get-ADUser -Identity Joe.Jones | Select-Object -ExpandProperty SID
    $ctrlType = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    # Allow ACE for the manager's SID on the member attribute
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $ctrlType, $guid)
    $group = Get-ADGroup -Identity $_.Group
    $aclPath = "AD:\" + $group.DistinguishedName
    # Read the group's ACL, append the rule, and write it back
    $acl = Get-Acl -Path $aclPath
    $acl.AddAccessRule($rule)
    Set-Acl -AclObject $acl -Path $aclPath
}

Now I need to UnCheck the box and leave the “Managed By” intact with the same Joe Jones.

I tried clearing the “Managed By” then reinstating that same Joe Jones, but then the checkmark comes back in the box!
So it seems like the SID of Joe Jones is still out there somewhere?!

How can I get rid of the check in the box and leave Joe Jones in “Managed By”?

Thank you in advance for your help on this.
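
The script above ticks the box by adding an explicit Allow ACE for the manager's SID, scoped to the `member` attribute GUID, so unticking it means deleting that ACE while leaving `managedBy` untouched. The following is an added example, not part of the original post or thread; it assumes the same CSV layout (a `Group` column), the same `Joe.Jones` account, and an account with rights to modify the groups' ACLs.

```powershell
# Added example (not from the original post): remove the "Manager can update
# membership list" ACE for one manager without changing the managedBy value.
Import-Module ActiveDirectory

# Same "member" attribute GUID the original script used when adding the ACE
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$managerSid = (Get-ADUser -Identity Joe.Jones).SID
$sidType    = [System.Security.Principal.SecurityIdentifier]

Import-Csv -Path "C:\FolderX\FileX.csv" | ForEach-Object {
    $group   = Get-ADGroup -Identity $_.Group
    $aclPath = "AD:\" + $group.DistinguishedName
    $acl     = Get-Acl -Path $aclPath

    # Explicit rules only (inherited ACEs cannot be removed on the object itself),
    # returned with SID identities so the comparison does not depend on name resolution.
    $explicitRules = $acl.GetAccessRules($true, $false, $sidType)

    # Allow ACEs held by the manager that are scoped to the member attribute
    $stale = @($explicitRules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $memberGuid -and
        $_.IdentityReference -eq $managerSid
    })

    foreach ($ace in $stale) {
        # Removes only an exact match of this rule, nothing broader
        $acl.RemoveAccessRuleSpecific($ace)
    }

    if ($stale.Count -gt 0) {
        Set-Acl -Path $aclPath -AclObject $acl
    }

    # Report what was done so the change can be reviewed per group
    [pscustomobject]@{
        Group       = $group.Name
        AcesRemoved = $stale.Count
    }
}
```

Running it a second time should report `AcesRemoved = 0` for every group, which is a quick check that no delegated write access to `member` remains for that account.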
