Posts RSS Comments RSS 253 Posts and 411 Comments till now

Setting the WriteProperty on Members (ManagedBy Check box)

This has come up three times in the last week which triggers my auto blog response 🙂

Below is a function called New-ADAce. This function creates an Access Control Entry that can be applied to an AD Object (in this case the member property of an AD object.)

Basically what the code below does is:

  • Gets the ID object of the Manager
  • Creates ACE that gives the Manager Write access to the member property
  • Gets the Object to be managed
  • Gets the existing ACL
  • Addes the ACE to the ACL
  • Sets the ManagedBy Property to the DN of the Manager
  • Commits the changes
   $myGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2", #GUID for the Members property
   $DN = "cn=jloser,cn=users,dc=corp,dc=lab",
   $domain = $env:UserDomain,
   $manager = "jmanager",
   $MangedByDN = ""cn=jmanager,cn=users,dc=corp,dc=lab""

function New-ADACE {

   $help = @"
      Object Type of the property
      The schema GUID of the object to which the access rule applies.
   $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type,$guid)

# Some example code on how to use the New-ADACE function

# Create ACE to add to object
$ID = New-Object System.Security.Principal.NTAccount($domain,$manager)
$newAce = New-ADACE $ID "WriteProperty" "Allow" $myGuid

# Get Object
$ADObject = [ADSI]"LDAP://$DN"

# Set Access Entry on Object

# Set the manageBy property

# Commit changes to the backend

9 Responses to “Setting the WriteProperty on Members (ManagedBy Check box)”

  1. on 17 Dec 2008 at 12:35 pmEric

    Can you explain the various params you define at top?

    $guid – I’d guess this is fixed identifier for the DL.
    $DN = distinguished name for manager or DL?

    Also, instead of ($domain,$manager) for the ID, can I specify the user ID in “domain\manager” format? I am trying to assigned the mailbox’s LinkedMasterAccount the permissions.

  2. on 17 Dec 2008 at 12:51 pmEric

    I’ve just got this working using all native tools.

    $mgrMbx = Get-Mailbox -Identity “Joe User”

    #All my mailboxes use an authentication domain. I assume this could be the mailbox directly.
    $mgrAEA = $mgrMbx.LinkedMasterAccount
    $Group = Get-DistributionGroup -Identity “My Group”

    $Group | Add-ADPermission -User $mgrAEA -AccessRights WriteProperty
    $Group | Set-Group -ManagedBy $mgr

  3. on 17 Dec 2008 at 12:52 pmtshell

    $myGuid is the System-Id-Guid of the attribute you want to add the ACE to.
    $DN is the object you want to set the ACE on.

    You cannot specify the Domain\Account format but you can do something like this.

    Add Parameter for $UserName

    $Domain = $UserName.Split(“\”)[0]
    $Manager = $UserName.Split(“\”)[1]

  4. on 17 Dec 2008 at 12:58 pmtshell

    Yes… Add-ADPermission works, but that is not native. That is a Exchange cmdlet.

    My example is for those not blessed with Exchange 2007

  5. on 17 Dec 2008 at 3:44 pmEric

    Thanks for the help! I’ve updated my blog post and linked back to your’s as an alternative.

  6. on 04 Feb 2009 at 4:47 pmRobbie Foust

    Very useful…I have an immediate need for this. Thanks for blogging it!!!

    – Robbie

  7. on 03 Jul 2009 at 7:18 amRobin

    When I run it on a Windows Server 2008 R2 box I get
    New-Object : Cannot convert argument “3”, with value: “bf9679c0-0de6-11d0-a285-00aa003049e2”, for “ActiveDirectoryAccessRule” to type ”
    System.DirectoryServices.ActiveDirectorySecurityInheritance”: “Cannot convert value “bf9679c0-0de6-11d0-a285-00aa003049e2” to type “Sys
    tem.DirectoryServices.ActiveDirectorySecurityInheritance” due to invalid enumeration values. Specify one of the following enumeration v
    alues and try again. The possible enumeration values are “None, All, Descendents, SelfAndChildren, Children”.”
    At E:\Untitled1.ps1:29 char:21
    + $ACE = New-Object <<<< System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type,$guid)
    + CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

    could there be some new requirements in the .Net framework for ActiveDirectoryAccessRule?



  8. on 06 Jul 2009 at 6:58 amtshell

    I haven’t tested this against R2. I will take a look

  9. on 07 Jul 2009 at 3:08 amRobin

    Define the guid as [GUID] seems to do it

    function New-ADACE {

Trackback this post | Feed on Comments to this post

Leave a Reply

You must be logged in to post a comment.