Solved

Changing 'Managed By' user on multiple AD groups

Posted on 2010-09-15
Last Modified: 2013-12-19
Hi,

I have around 130 groups in AD (2003) for which I need to change the "Managed By" attribute. Rather than do this manually and select the user for each group, does anyone know how I can do this for multiple groups at a time?

I've had a look at some utilities such as ADO++ and Hyena, but neither let me change the "Managed By" attribute.

Thanks
0
Comment
Question by:HoricePlant
9 Comments
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33681328
You can do this by using the ldife command.

Have a read of this post by someone asking a similar question to you.
0
 
LVL 3

Expert Comment

by:EichhornH
ID: 33681340
Hello,

You can do this with the command line tool dsacls.exe.
An example to set permissions to groups:
dsacls DN-to-the-target-group  /G  the-manager-group:RPWP;member;

I found an article on this:
http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 33681440
Below is a VBS logoff script that I use. It writes the last logged in user to the managed by description.
I can very quickly and easily see where someone was logged in and it allows me to see what users use what computers.
For real time results, you could make it a logon script.

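' Bind to this computer's AD object through its distinguished name.
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

' Write the current user's distinguished name to managedBy and commit it.
objComputer.Put "managedBy", objSysInfo.UserName
objComputer.SetInfo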


0
 

Author Comment

by:HoricePlant
ID: 33683393
Thanks for the suggestions so far. I'm currently looking into each one to see which suits best.
0
 

Author Comment

by:HoricePlant
ID: 33689485
Hi - unless I've understood incorrectly (which is always possible!)...

LDIFE (or LDIFDE in Windows Server 2003) looks like it's only used for importing and exporting LDAP data, rather than modifying the "Managed By" property of the object.

DSACLS is used to set security on object properties rather than actually setting the property value (i.e. I would be able to change the security permissions for who could alter the "Telephone Number" field of an object, rather than set the telephone number itself). Plus, I couldn't see that the "Managed By" property was supported?

JMoody10 - I'm too good with VBS, but would you be able to advise if VBS could be used to set the "Managed By" property of an AD group? For example, using the domain microsoft.com and the group name A_TEST, I'd like to set the Managed By field to the user "jsmith"?
0
 

Author Comment

by:HoricePlant
ID: 33689494
Sorry - my last comment (last paragraph) should have started "I'm NOT too good with VBS..."!!!
0
 

Author Comment

by:HoricePlant
ID: 33689754
Okay - I've discovered the answer myself. Found a program called ADModify, which can change any attribute / property of an object in AD and supports bulk changes. It has a GUI interface (requires .Net 2.0), or you can use the command line.

Link to Microsoft site for ADModify:
http://technet.microsoft.com/en-us/library/aa996216%28EXCHG.65%29.aspx

0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 34171274
Question PAQ'd and stored in the solution database.
0
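The bulk change the question asks for, as an added PowerShell example using ADSI (it is not from the thread and is not how ADModify works). The OU path and log file name are assumptions; the domain and the user jsmith come from the question. It is a dry run unless -Apply is passed, and it records each group's previous managedBy value so the change can be audited or rolled back.

```powershell
# Added example, not from the thread. Dry run unless -Apply is given.
param(
    [string]$SearchBase = 'OU=Groups,DC=microsoft,DC=com',  # assumed OU
    [string]$ManagerSam = 'jsmith',                         # user named in the question
    [string]$LogPath    = '.\managedBy-changes.csv',        # assumed log location
    [switch]$Apply
)

# Reject characters that are special in LDAP filters before building one.
if ($ManagerSam -notmatch '^[A-Za-z0-9._-]+$') { throw "Unexpected characters in '$ManagerSam'" }

# Resolve the new manager to a distinguished name; managedBy stores a DN.
$userSearch = New-Object System.DirectoryServices.DirectorySearcher
$userSearch.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$ManagerSam))"
$hits = $userSearch.FindAll()
if ($hits.Count -ne 1) { throw "Expected exactly one user '$ManagerSam', found $($hits.Count)" }
$managerDn = [string]$hits[0].Properties['distinguishedname'][0]

# Enumerate every group under the search base (paged, so large OUs are covered).
$groupSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
$groupSearch.Filter   = '(objectCategory=group)'
$groupSearch.PageSize = 500

$log = @(foreach ($hit in $groupSearch.FindAll()) {
    $old = ''
    if ($hit.Properties.Contains('managedby')) { $old = [string]$hit.Properties['managedby'][0] }
    $status = 'unchanged'
    if ($old -ne $managerDn) {
        $status = 'would change'
        if ($Apply) {
            try {
                $entry = $hit.GetDirectoryEntry()
                $entry.psbase.Properties['managedBy'].Value = $managerDn
                $entry.psbase.CommitChanges()
                $status = 'changed'
            } catch { $status = "failed: $($_.Exception.Message)" }
        }
    }
    # One row per group; OldManagedBy is the value a rollback would restore.
    New-Object PSObject -Property @{
        Group        = [string]$hit.Properties['distinguishedname'][0]
        OldManagedBy = $old; NewManagedBy = $managerDn; Status = $status
    }
})
$log | Export-Csv -Path $LogPath -NoTypeInformation
$log | Group-Object Status | Select-Object Name, Count
```

managedBy is only an attribute: changing it does not alter the group's ACL, so a write-member permission granted to a previous manager (the kind of entry the dsacls comment sets) stays in place until it is removed separately.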


Question has a verified solution.
