

How can I use ADSI to allow a group manager to update membership list?

Posted on 2006-03-24
Medium Priority
Last Modified: 2013-12-03
I'm using VBA (Excel) to script the creation of 100+ universal distribution groups.  What I have now (below) just does one - I kinda wanna get it right first :).  There is one big problem.  We have it set so that only the group manager can update membership lists, and that means that the manager can only do that if the "Manager can update membership list" checkbox is checked on the "Managed By" tab of the group.  By default, this is not checked.  I have googled so much my fingers are bleeding, but I can't find out how to script the checking of this box...  I HAVE found code that will tell me whether or not the manager can update the membership list, but it looks pretty complicated.  I'm guessing this is not just a single object property.  An explanation of how to set this "property" would be greatly appreciated.

Here's what I have so far:
Option Explicit

' groupType value for a universal group (a distribution group when the
' security-enabled flag is not set). Defined here so the code compiles
' without a reference to the Active DS Type Library.
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H8

Public Sub create_group()

    Dim strOU, strNewGroup, strNewGroupLong, strDNSDomain
    Dim objOU, objGroup, objRootDSE
    Dim strManagedBy

    ' Make sure the OU referenced by strOU exists
    strOU = "OU=MIDWEST ,"
    strNewGroup = "RIGHTCHOICE"
    strNewGroupLong = "CN=" & strNewGroup

    ' Bind to Active Directory
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("DefaultNamingContext")

    ' Create new Group
    Set objOU = GetObject("LDAP://" & strOU & strDNSDomain)
    Set objGroup = objOU.Create("Group", strNewGroupLong)
    objGroup.Put "sAMAccountName", strNewGroup

    ' Here is where you set the group Type and Scope
    objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP
    strManagedBy = "CN=Joe Blow,OU=Users,OU=MIDWEST,DC=WWW,DC=MYSITE,DC=NET"
    objGroup.Put "managedBy", strManagedBy

    ' Commit the new group to the directory; nothing is written until SetInfo
    objGroup.SetInfo
End Sub

This script creates a group called RIGHTCHOICE in my MIDWEST OU, with Joe Blow as the manager.  Perfect!  Now all I need to do is check that box that says "Manager can update membership list."  Any help?  Thanks!
Question by:LKQMIS

Accepted Solution

mpemberton5 earned 675 total points
ID: 16282835
Yeah, took me a while to get this too.  I can't find my code right off, but I think I can explain it well enough.

That checkbox is controlled by the "write" property in the ACL for that group.  So upon writing the "ManagedBy" property, also write an ACL with the write property.

If I find my code, I'll post it, but do a google on writing an ACL to a group and you should be able to find numerous coding examples.  The hardest part (that is almost nowhere to be found) is knowing that the checkbox is tied to the write permissions.  Here's Microsoft's link which states what I just said:

Hope that helps!


Author Comment

ID: 16292008
I found out how to add the ACL to the group for the user, but I can't find the correct access mask to only tick the "Write Members" property.  All I've been able to do is tick ALL "Write" properties.  This is not what I want to do.  I've spent far too much time trying to figure this out.  Points upped to 225 for anyone who can provide me with the code that will write the correct ACL for the manager to be able to alter the membership list.

Author Comment

ID: 16303429
I've decided to award points to mpemberton5 because while he did not actually answer my question, he did point me in the right direction and I was able to figure it out myself (well.. sort of).  See, I was not able to come up with a way to build the ACE for the manager - I just couldn't find the access mask.  Instead, what I did was create a dummy group, set it up the way I wanted it, and copied the ACE from it to the new group.  A cheap hack, but a solution nonetheless XD

I'd also like to point out that to mail-enable a new group, it's as simple as the rest of it was difficult.  All you do is:


I hope this thread can help others just starting out in AD scripting.

Expert Comment

ID: 16304178
Found something.  This "lists" the information on the "managed by" users, as well as checks if they have the ability to update the member list.  It should provide you with what you need to define the ACE correctly.


I'd attempt it myself, but I've burnt too many hours today on this (mostly for curiosity), and need to do some job related work. :)

Let me know how it works for you.
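
The ACE this thread was looking for, as an added example that is not code from any of the posts above: write-property access scoped to the member attribute only, rather than every "Write" property on the group. The procedure names, the trustee value WWW\jblow and the project reference to the Active DS Type Library are assumptions of this example.

```vba
Option Explicit
' Assumes a project reference to "Active DS Type Library" (activeds.tlb),
' which supplies the IADs* interfaces and the ADS_* constants used below.

' schemaIDGUID of the "member" attribute. Scoping the ACE to this GUID is
' what keeps the grant to membership changes and nothing else.
Private Const MEMBER_ATTRIBUTE_GUID As String = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

' strGroupDN : distinguished name of the group
' strTrustee : manager's account as DOMAIN\sAMAccountName (assumed format)
Public Sub AllowManagerToUpdateMembers(ByVal strGroupDN As String, ByVal strTrustee As String)
    Dim objGroup As IADs
    Dim objSD As IADsSecurityDescriptor
    Dim objDACL As IADsAccessControlList
    Dim objACE As IADsAccessControlEntry
    Dim varAce As Variant

    Set objGroup = GetObject("LDAP://" & strGroupDN)
    Set objSD = objGroup.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryAcl

    ' Do nothing if this trustee already holds an allow ACE on "member",
    ' so the routine can be re-run over many groups without stacking ACEs.
    For Each varAce In objDACL
        If varAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT _
           And StrComp(varAce.ObjectType, MEMBER_ATTRIBUTE_GUID, vbTextCompare) = 0 _
           And StrComp(varAce.Trustee, strTrustee, vbTextCompare) = 0 Then Exit Sub
    Next varAce

    Set objACE = New AccessControlEntry
    objACE.Trustee = strTrustee
    objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP          ' &H20: write property
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT   ' &H5: object-specific allow
    objACE.AceFlags = 0                                  ' this object only, no inheritance
    objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT          ' &H1: ObjectType is set
    objACE.ObjectType = MEMBER_ATTRIBUTE_GUID

    objDACL.AddAce objACE
    objSD.DiscretionaryAcl = objDACL
    objGroup.Put "ntSecurityDescriptor", Array(objSD)
    objGroup.SetInfo
End Sub

' Constructed usage: the group DN follows the values in the question,
' and WWW\jblow is a hypothetical logon name for Joe Blow.
Public Sub Demo()
    AllowManagerToUpdateMembers "CN=RIGHTCHOICE,OU=MIDWEST,DC=WWW,DC=MYSITE,DC=NET", "WWW\jblow"
End Sub
```

The checkbox on the "Managed By" tab reflects both values: managedBy must name the same account that this ACE grants write access to.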



Question has a verified solution.
