How can I use ADSI to allow a group manager to update membership list?

I'm using VBA (Excel) to script the creation of 100+ universal distribution groups.  What I have now (below) just does one - I kinda wanna get it right first :).  There is one big problem.  We have it set so that only the group manager can update membership lists, and that means that the manager can only do that if the "Manager can update membership list" checkbox is checked on the "Managed By" tab of the group.  By default, this is not checked.  I have googled so much my fingers are bleeding, but I can't find out how to script the checking of this box...  I HAVE found code that will tell me whether or not the manager can update the membership list, but it looks pretty complicated.  I'm guessing this is not just a single object property.  An explanation of how to set this "property" would be greatly appreciated.

Here's what I have so far:
Option Explicit

' ADS_GROUP_TYPE_ENUM value. Without the security-enabled bit this is a
' universal distribution group. Defined here so the module compiles
' without a reference to the Active DS Type Library.
Private Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &H8

Public Sub create_group()

    Dim strOU, strNewGroup, strNewGroupLong, strDNSDomain
    Dim objOU, objGroup, objRootDSE
    Dim strManagedBy

    ' Make sure the OU referenced by strOU exists
    strOU = "OU=MIDWEST,"
    strNewGroup = "RIGHTCHOICE"
    strNewGroupLong = "CN=" & strNewGroup

    ' Bind to Active Directory
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("DefaultNamingContext")

    ' Create new Group
    Set objOU = GetObject("LDAP://" & strOU & strDNSDomain)
    Set objGroup = objOU.Create("Group", strNewGroupLong)
    objGroup.Put "sAMAccountName", strNewGroup

    ' Here is where you set the group Type and Scope
    objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP
    strManagedBy = "CN=Joe Blow,OU=Users,OU=MIDWEST,DC=WWW,DC=MYSITE,DC=NET"
    objGroup.Put "managedBy", strManagedBy

    ' Commit the new group and its attributes to the directory
    objGroup.SetInfo
End Sub

This script creates a group called RIGHTCHOICE in my MIDWEST OU, with Joe Blow as the manager.  Perfect!  Now all I need to do is check that box that says "Manager can update membership list."  Any help?  Thanks!

Yeah, took me a while to get this too.  I can't find my code right off, but I think I can explain it well enough.

That checkbox is controlled by the "write" property in the ACL for that group.  So upon writing the "ManagedBy" property, also write an ACL with the write property.

If I find my code, I'll post it, but do a google on writing an ACL to a group and you should be able to find numerous coding examples.  The hardest part (that is almost nowhere to be found) is knowing that the checkbox is tied to the write permissions.  Here's Microsoft's link which states what I just said:

Hope that helps!


LKQMIS (Author) Commented:
I found out how to add the ACL to the group for the user, but I can't find the correct access mask to only tick the "Write Members" property.  All I've been able to do is tick ALL "Write" properties.  This is not what I want to do.  I've spent far too much time trying to figure this out.  Points upped to 225 for anyone who can provide me with the code that will write the correct ACL for the manager to be able to alter the membership list.
LKQMIS (Author) Commented:
I've decided to award points to mpemberton5 because while he did not actually answer my question, he did point me in the right direction and I was able to figure it out myself (well.. sort of).  See, I was not able to come up with a way to build the ACE for the manager - I just couldn't find the access mask.  Instead, what I did was create a dummy group, set it up the way I wanted it, and copied the ACE from it to the new group.  A cheap hack, but a solution nonetheless XD

I'd also like to point out that to mail-enable a new group, it's as simple as the rest of it was difficult.  All you do is:


I hope this thread can help others just starting out in AD scripting.

Found something.  This "lists" the information on the "managed by" users, as well as checks if they have the ability to update the member list.  It should provide you with what you need to define the ACE correctly.

I'd attempt it myself, but I've burnt too many hours today on this (mostly for curiosity), and need to do some job related work. :)

Let me know how it works for you.
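
The ACE this thread is looking for, as an added example that is not code from any participant: an object-specific allow ACE whose access mask is only "write property" and whose ObjectType is the schemaIDGUID of the member attribute, so the manager gets write access to membership and nothing else. The helper name AllowManagerToUpdateMembers and the DOMAIN\user trustee format are assumptions, and the group must already exist in the directory (after SetInfo).

```vba
Option Explicit

' ADSI enumeration values (ADS_RIGHTS_ENUM, ADS_ACETYPE_ENUM, ADS_FLAGTYPE_ENUM)
Private Const ADS_RIGHT_DS_WRITE_PROP = &H20
Private Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Private Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
' schemaIDGUID of the "member" attribute: limits the ACE to that one property
Private Const MEMBER_ATTRIBUTE_GUID = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

' Hypothetical helper (not from the thread).
'   strGroupPath: ADsPath of an existing group, e.g. objGroup.ADsPath
'   strTrustee:   the manager's account as DOMAIN\sAMAccountName (assumed format)
Public Sub AllowManagerToUpdateMembers(strGroupPath As String, strTrustee As String)
    Dim objGroup As Object, objSD As Object, objDACL As Object, objACE As Object

    Set objGroup = GetObject(strGroupPath)
    Set objSD = objGroup.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryAcl

    ' Idempotent: do nothing if this trustee already has the write-member ACE
    For Each objACE In objDACL
        If objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT _
           And StrComp(objACE.Trustee, strTrustee, vbTextCompare) = 0 _
           And StrComp(objACE.ObjectType, MEMBER_ATTRIBUTE_GUID, vbTextCompare) = 0 _
           And (objACE.AccessMask And ADS_RIGHT_DS_WRITE_PROP) <> 0 Then Exit Sub
    Next

    ' Build the least-privilege ACE: write property, member attribute only
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = strTrustee
    objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objACE.AceFlags = 0                          ' no inheritance needed on a group
    objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT  ' ObjectType below is meaningful
    objACE.ObjectType = MEMBER_ATTRIBUTE_GUID

    ' Write the modified DACL back to the group
    objDACL.AddAce objACE
    objSD.DiscretionaryAcl = objDACL
    objGroup.Put "ntSecurityDescriptor", Array(objSD)
    objGroup.SetInfo
End Sub
```

Leaving out Flags and ObjectType turns this into a plain write-property grant on every attribute, which is the "ALL Write properties" result described earlier in the thread.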
