Setting AD Group Managers with PowerShell

From time to time you may want to delegate control of an AD security group to an unprivileged user. Business people like this because it puts them in control of the resources they consume; IT people like it because we don't have to handle support tickets to add people to a group. OK, we can all agree that this may be a good idea; now let's say you want to automate the process. PowerShell has great AD integration, and if that doesn't work it's just LDAP, right? Well, kind of. I'll show you what I mean by that.


TL;DR: here's some code to do that.


The group manager is stored in the managedBy LDAP attribute on the group object, which contains the distinguished name of a user account. This is a property we can set quite easily with the ActiveDirectory module for PowerShell:

Import-Module ActiveDirectory

# Look up the manager and the group (ManagedBy is not returned by default, so ask for it)
$mgr = Get-ADUser -Filter {Name -like "SuperAwesomeUser"}
$group = Get-ADGroup -Filter {Name -like "Group for Things"} -Properties ManagedBy

# managedBy takes the distinguished name of the manager's account
$group | Set-ADGroup -ManagedBy $mgr.DistinguishedName


This will set the ManagedBy property on the desired group object, but you've still got a problem: that pesky little checkbox.


AD Group Manager

That checkbox does exactly what its title suggests: it allows the group manager to modify who is a member of this group. It's not an LDAP attribute with a boolean type; that would be too simple and wouldn't line up with the Microsoft security management methodology. Instead it's implemented as an Access Control Entry (ACE) in the object's Discretionary Access Control List (DACL). Think of it like the permissions you see on the Security tab of a file. These can be manipulated programmatically, but that's not included in any PowerShell module that I can find.

There are plenty of examples of how to manipulate a DACL, but many of them do it through COM objects. This is PowerShell, so we have all of .NET at our fingertips. After some scouring I found an example on TechNet of someone needing to check that box programmatically, and a very nice answer from TAAdams which implements this as a C# command line app.

I took that example and stripped it to its bare essentials:

// srch is a DirectorySearcher for the group, mgr the manager's SearchResult, sid the manager's SecurityIdentifier
DirectoryEntry de = srch.FindOne().GetDirectoryEntry();
de.InvokeSet("managedBy", new object[] { mgr.Properties["distinguishedName"][0] as string });
// bf9679c0-0de6-11d0-a285-00aa003049e2 is the schema GUID of the "member" attribute
var adrule = new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2"));
de.ObjectSecurity.AddAccessRule(adrule);
de.CommitChanges();

This does a search to get a DirectoryEntry object; that is the type returned by an ADSI query, so we've got that covered. It then sets the managedBy property, which we can do with Set-AdGroup. After that it creates a new ACE and adds it to the DACL; we have access to those classes in PowerShell, so we can do that too. In the end this mapped better to PowerShell than to C#, as the search and AD object manipulation facilities are nicer in PS. Here's my implementation:
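The author's script is not reproduced on this page. What follows is an added example, not the original post's code, showing one way to carry out the two steps described above (set managedBy, then add a WriteProperty ACE on the member attribute) in PowerShell. It assumes the RSAT ActiveDirectory module is installed, that the caller has rights to modify the group's DACL, and it uses the module's AD: drive with Get-Acl/Set-Acl rather than a DirectoryEntry commit; the function name and the sample group and user names are made up for the example.

```powershell
# Added example (not the original post's script): delegate an AD group to a manager and
# grant that manager write access to the group's "member" attribute (the checkbox).
# Assumes the RSAT ActiveDirectory module and rights to modify the group's DACL.
Import-Module ActiveDirectory

function Set-GroupManagerWithMembershipRights {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,    # e.g. "Group for Things" (sample value)
        [Parameter(Mandatory)][string]$ManagerName   # e.g. "SuperAwesomeUser" (sample value)
    )

    $mgr   = Get-ADUser  -Identity $ManagerName
    $group = Get-ADGroup -Identity $GroupName -Properties ManagedBy

    # Step 1: the managedBy attribute, as in the snippet earlier in the post.
    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Set ManagedBy to $($mgr.DistinguishedName)")) {
        Set-ADGroup -Identity $group -ManagedBy $mgr.DistinguishedName
    }

    # Step 2: the checkbox. Add an ACE to the group's DACL that allows the manager
    # WriteProperty on the "member" attribute (schema GUID bf9679c0-0de6-11d0-a285-00aa003049e2).
    $memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $writeProperty  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $sid = [System.Security.Principal.SecurityIdentifier]$mgr.SID
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        $writeProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttrGuid
    )

    # The AD: drive exposes the object's security descriptor as ActiveDirectorySecurity,
    # so Get-Acl / Set-Acl round-trip the DACL without a DirectoryEntry.
    $groupPath = "AD:\$($group.DistinguishedName)"
    $acl = Get-Acl -Path $groupPath

    # Avoid stacking duplicate ACEs: compare on SID (not the translated NTAccount name),
    # attribute GUID, Allow type and the WriteProperty bit.
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.ObjectType -eq $memberAttrGuid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            ([int]($_.ActiveDirectoryRights -band $writeProperty)) -ne 0
        }

    if (-not $existing) {
        $acl.AddAccessRule($ace)
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Grant WriteProperty(member) to $ManagerName")) {
            Set-Acl -Path $groupPath -AclObject $acl
        }
    }

    # Return the manager's explicit ACEs on the group so the change can be verified and audited.
    (Get-Acl -Path $groupPath).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid }
}

# Usage (sample names; -WhatIf previews both changes without touching the directory):
# Set-GroupManagerWithMembershipRights -GroupName 'Group for Things' -ManagerName 'SuperAwesomeUser' -WhatIf
```

The duplicate check matters in practice: every run of the C# snippet above appends another identical ACE to the DACL, and a script that is scheduled or re-run will quietly bloat the security descriptor. Returning the resulting ACEs also gives you something to log, so delegations granted this way show up in change records rather than only in the DACL itself.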

I hope you can get some use out of this. As always, if you have suggestions for improvement, you can find me through my contact page. Happy hacking.