Changing 'Managed By' user on multiple AD groups

Posted on 2010-09-15
Medium Priority
Last Modified: 2013-12-19

I have around 130 groups in AD (2003) which I need to change "Managed By" attribute for each group. Rather that do this manually and select the user for each group, does anyone know how I can do this for multiple groups at a time?

I've had a look at some utilities such as ADO++ and Hyena, but neither let me change the "Managed By" attribute.

Question by:HoricePlant

Expert Comment

ID: 33681328
you can do this by using the ldife command.

have a read of this post by someone asking a similiar question to you.

Expert Comment

ID: 33681340

you can do this with the command line tool dsacls.exe
An example to set permissions to groups:
dsacls DN-to-the-target-group  /G  the-manager-group:RPWP;member;

I found an article to this:
LVL 22

Expert Comment

by:Joseph Moody
ID: 33681440
Below is a VBS logoff script that I use. It writes the last logged in user to the managed by description.
I can very quickly and easily see where someone was logged in and it allows me to see what users use what computers.
For real time results, you could make it a logon script.

Set objSysInfo = CreateObject("ADSystemInfo") 
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName) 
objComputer.Put "managedBy", objSysInfo.Username 

Open in new window

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!


Author Comment

ID: 33683393
Thanks for the suggestions so far. I'm currently looking into each one to see which suits best.

Author Comment

ID: 33689485
Hi - unless I've understood incorrectly (which is always possible!)...

LDIFE (or LDIFDE in Windows Server 2003) looks like it's only used for importing and exporting LDAP data, rather than modifying the "Managed By" property of the object.

DSACLS is used to set security on object properties rather than actually setting the property value (i.e. I would be able to change the security permissions for who could alter the "Telephone Number" field of an object, rather that set the telephone number itself). Plus, I couldn't see the "Managed By" property was supported?

JMoody10 - I'm too good with VBS, but would you be able to advise if VBS could be used to set the "Managed By" property of an AD group? For example, using the domain microsoft.com and the group name A_TEST, I'd like to set the Managed By field to the user "jsmith"?

Author Comment

ID: 33689494
Sorry - my last comment (last paragraph) should be started "I'm NOT too good with VBS..."!!!

Author Comment

ID: 33689754
Okay - I've discovered the answer myself. Found a program called ADModify, which can change any attribute / property of an object in AD and supports bulk changes. It has both a GUI interface (requires .Net 2.0) or you can use command line.

Link to Microsoft site for ADModify:


Accepted Solution

ee_auto earned 0 total points
ID: 34171274
Question PAQ'd and stored in the solution database.

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

If you try to migrate from Elastix to Issabel, you will face a lot of issues. These problems are inevitable but fortunately, you can fix them. In the guide below, I will explain how I performed the migration while keeping all data and successfully t…
Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Planning to migrate your EDB file(s) to a new or an existing Outlook PST file? This video will guide you how to convert EDB file(s) to PST. Besides this, it also describes, how one can easily search any item(s) from multiple folders or mailboxes…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question