LKQMIS

How can I use ADSI to allow a group manager to update membership list?

I'm using VBA (Excel) to script the creation of 100+ universal distribution groups.  What I have now (below) just does one - I kinda wanna get it right first :).  There is one big problem.  We have it set so that only the group manager can update membership lists, and that means that the manager can only do that if the "Manager can update membership list" checkbox is checked on the "Managed By" tab of the group.  By default, this is not checked.  I have googled so much my fingers are bleeding, but I can't find out how to script the checking of this box...  I HAVE found code that will tell me whether or not the manager can update the membership list, but it looks pretty complicated.  I'm guessing this is not just a single object property.  An explanation of how to set this "property" would be greatly appreciated.

Here's what I have so far:
------------------------------------------------------------------------
Option Explicit
------------------------------------------------------------------------
Public Sub create_group()

    Dim strOU, strNewGroup, strNewGroupLong, strDNSDomain
    Dim objOU, objGroup, objRootDSE
    Dim strManagedBy
   
    Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H8

    ' Make sure the OU referenced by strOU exists
    strOU = "OU=MIDWEST ,"
    strNewGroup = "RIGHTCHOICE"
    strNewGroupLong = "CN=" & strNewGroup

    ' Bind to Active Directory
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("DefaultNamingContext")

    ' Create new Group
    Set objOU = GetObject("LDAP://" & strOU & strDNSDomain)
    Set objGroup = objOU.Create("Group", strNewGroupLong)
    objGroup.put "sAMAccountName", strNewGroup

    ' Here is where you set the group Type and Scope
    objGroup.put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP
   
    strManagedBy = "CN=Joe Blow,OU=Users,OU=MIDWEST,DC=WWW,DC=MYSITE,DC=NET"
    objGroup.put "managedBy", strManagedBy
    objGroup.setInfo
   
End Sub
------------------------------------------------------------------------

This script creates a group called RIGHTCHOICE in my MIDWEST OU, with Joe Blow as the manager.  Perfect!  Now all I need to do is check that box that says "Manager can update membership list."  Any help?  Thanks!
ASKER CERTIFIED SOLUTION
mpemberton5

LKQMIS

ASKER

I found out how to add the ACL to the group for the user, but I can't find the correct access mask to only tick the "Write Members" property.  All I've been able to do is tick ALL "Write" properties.  This is not what I want to do.  I've spent far too much time trying to figure this out.  Points upped to 225 for anyone who can provide me with the code that will write the correct ACL for the manager to be able to alter the membership list.
LKQMIS

ASKER

I've decided to award points to mpemberton5 because while he did not actually answer my question, he did point me in the right direction and I was able to figure it out myself (well.. sort of).  See, I was not able to come up with a way to build the ACE for the manager - I just couldn't find the access mask.  Instead, what I did was create a dummy group, set it up the way I wanted it, and copied the ACE from it to the new group.  A cheap hack, but a solution nonetheless XD

I'd also like to point out that to mail-enable a new group, it's as simple as the rest of it was difficult.  All you do is:

objGroup.MailEnable

I hope this thread can help others just starting out in AD scripting.

Found something.  This "lists" the information on the "managed by" users, as well as checks if they have the ability to update the member list.  It should provide you with what you need to define the ACE correctly.

http://www.microsoft.com/technet/scriptcenter/scripts/ad/groups/adgpvb20.mspx

I'd attempt it myself, but I've burnt too many hours today on this (mostly for curiosity), and need to do some job related work. :)

Let me know how it works for you.

Thanks
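
An added example, not code from any poster in this thread: one way to build the ACE the asker could not find a mask for, in place of copying it from a dummy group. The mask is ADS_RIGHT_DS_WRITE_PROP; it is the ObjectType GUID of the member attribute plus ADS_FLAG_OBJECT_TYPE_PRESENT that narrows it to "Write Members", and leaving those two off is what ticks every "Write" property. The Sub name and the NameTranslate lookup are this example's own choices, and it assumes managedBy is already set on the group.

```vba
Option Explicit

Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779 = 1      ' distinguished name
Const ADS_NAME_TYPE_NT4 = 3       ' DOMAIN\sAMAccountName
' schemaIDGUID of the "member" attribute
Const MEMBER_ATTR_GUID = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

' Hypothetical helper: call it with the DN of a group created as in the question.
Public Sub AllowManagerToUpdateMembers(ByVal strGroupDN As String)
    Dim objGroup As Object, objSD As Object, objDACL As Object
    Dim objACE As Object, objTrans As Object, objExisting As Object
    Dim strTrustee As String

    Set objGroup = GetObject("LDAP://" & strGroupDN)

    ' The ACE trustee is given as DOMAIN\account, so translate the managedBy DN
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    objTrans.Set ADS_NAME_TYPE_1779, objGroup.Get("managedBy")
    strTrustee = objTrans.Get(ADS_NAME_TYPE_NT4)

    Set objSD = objGroup.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryAcl

    ' Do nothing if the manager already holds write access scoped to "member"
    For Each objExisting In objDACL
        If LCase(objExisting.Trustee) = LCase(strTrustee) _
           And LCase(objExisting.ObjectType) = LCase(MEMBER_ATTR_GUID) _
           And (objExisting.AccessMask And ADS_RIGHT_DS_WRITE_PROP) <> 0 Then Exit Sub
    Next

    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = strTrustee
    objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP          ' write property...
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT   ' ...as an object ACE...
    objACE.AceFlags = 0                                  ' ...not inherited by children...
    objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT          ' ...limited to ObjectType...
    objACE.ObjectType = MEMBER_ATTR_GUID                 ' ...which is "member" only

    objDACL.AddAce objACE
    objSD.DiscretionaryAcl = objDACL
    objGroup.Put "ntSecurityDescriptor", objSD
    objGroup.SetInfo
End Sub
```

After running it, the Security tab of the group should show a single "Write Members" entry for the manager and no other "Write" permissions.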