Setting the WriteProperty on Members (ManagedBy Check box)
This has come up three times in the last week which triggers my auto blog response 
Below is a function called New-ADAce. This function creates an Access Control Entry that can be applied to an AD Object (in this case the member property of an AD object.)
Basically what the code below does is:
- Gets the ID object of the Manager
- Creates ACE that gives the Manager Write access to the member property
- Gets the Object to be managed
- Gets the existing ACL
- Addes the ACE to the ACL
- Sets the ManagedBy Property to the DN of the Manager
- Commits the changes
$myGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2", #GUID for the Members property
$DN = "cn=jloser,cn=users,dc=corp,dc=lab",
$domain = $env:UserDomain,
$manager = "jmanager",
$MangedByDN = ""cn=jmanager,cn=users,dc=corp,dc=lab""
)
function New-ADACE {
Param([System.Security.Principal.IdentityReference]$identity,
[System.DirectoryServices.ActiveDirectoryRights]$adRights,
[System.Security.AccessControl.AccessControlType]$type,
$Guid)
$help = @"
$identity
System.Security.Principal.IdentityReference
http://msdn.microsoft.com/en-us/library/system.security.principal.ntaccount.aspx
$adRights
System.DirectoryServices.ActiveDirectoryRights
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights.aspx
$type
System.Security.AccessControl.AccessControlType
http://msdn.microsoft.com/en-us/library/w4ds5h86(VS.80).aspx
$Guid
Object Type of the property
The schema GUID of the object to which the access rule applies.
"@
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type,$guid)
$ACE
}
# Some example code on how to use the New-ADACE function
# Create ACE to add to object
$ID = New-Object System.Security.Principal.NTAccount($domain,$manager)
$newAce = New-ADACE $ID "WriteProperty" "Allow" $myGuid
# Get Object
$ADObject = [ADSI]"LDAP://$DN"
# Set Access Entry on Object
$ADObject.psbase.ObjectSecurity.SetAccessRule($newAce)
# Set the manageBy property
$ADObject.Put("managedBy",$MangedByDN)
# Commit changes to the backend
$ADObject.psbase.commitchanges()
Can you explain the various params you define at top?
$guid – I’d guess this is fixed identifier for the DL.
$DN = distinguished name for manager or DL?
Also, instead of ($domain,$manager) for the ID, can I specify the user ID in “domain\manager” format? I am trying to assigned the mailbox’s LinkedMasterAccount the permissions.
I’ve just got this working using all native tools.
$mgrMbx = Get-Mailbox -Identity “Joe User”
#All my mailboxes use an authentication domain. I assume this could be the mailbox directly.
$mgrAEA = $mgrMbx.LinkedMasterAccount
$Group = Get-DistributionGroup -Identity “My Group”
$Group | Add-ADPermission -User $mgrAEA -AccessRights WriteProperty
$Group | Set-Group -ManagedBy $mgr
$myGuid is the System-Id-Guid of the attribute you want to add the ACE to.
$DN is the object you want to set the ACE on.
You cannot specify the Domain\Account format but you can do something like this.
Add Parameter for $UserName
$Domain = $UserName.Split(”\”)[0]
$Manager = $UserName.Split(”\”)[1]
Yes… Add-ADPermission works, but that is not native. That is a Exchange cmdlet.
My example is for those not blessed with Exchange 2007
Thanks for the help! I’ve updated my blog post and linked back to your’s as an alternative.
Very useful…I have an immediate need for this. Thanks for blogging it!!!
- Robbie