Changing 'Managed By' user on multiple AD groups

Posted on 2010-09-15
Last Modified: 2013-12-19
Hi,

I have around 130 groups in AD (2003) for which I need to change the "Managed By" attribute. Rather than do this manually and select the user for each group, does anyone know how I can do this for multiple groups at a time?

I've had a look at some utilities such as ADO++ and Hyena, but neither let me change the "Managed By" attribute.

Thanks
Question by:HoricePlant
9 Comments
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33681328
You can do this by using the ldife command.

Have a read of this post by someone asking a similar question to you.
 
LVL 3

Expert Comment

by:EichhornH
ID: 33681340
Hello,

you can do this with the command line tool dsacls.exe
An example to set permissions to groups:
dsacls DN-to-the-target-group  /G  the-manager-group:RPWP;member;

I found an article on this:
http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 33681440
Below is a VBS logoff script that I use. It writes the last logged in user to the managed by description.
I can very quickly and easily see where someone was logged in and it allows me to see what users use what computers.
For real time results, you could make it a logon script.

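' ADSystemInfo exposes the distinguished names of the local computer and the logged-on user
Set objSysInfo = CreateObject("ADSystemInfo")
' Bind to this computer's own object in the directory
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

' Write the current user's DN into managedBy and commit the change
objComputer.Put "managedBy", objSysInfo.Username
objComputer.SetInfo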


 

Author Comment

by:HoricePlant
ID: 33683393
Thanks for the suggestions so far. I'm currently looking into each one to see which suits best.
 

Author Comment

by:HoricePlant
ID: 33689485
Hi - unless I've understood incorrectly (which is always possible!)...

LDIFE (or LDIFDE in Windows Server 2003) looks like it's only used for importing and exporting LDAP data, rather than modifying the "Managed By" property of the object.

DSACLS is used to set security on object properties rather than actually setting the property value (i.e. I would be able to change the security permissions for who could alter the "Telephone Number" field of an object, rather than set the telephone number itself). Plus, I couldn't see the "Managed By" property was supported?

JMoody10 - I'm too good with VBS, but would you be able to advise if VBS could be used to set the "Managed By" property of an AD group? For example, using the domain microsoft.com and the group name A_TEST, I'd like to set the Managed By field to the user "jsmith"?
 

Author Comment

by:HoricePlant
ID: 33689494
Sorry - my last comment (last paragraph) should have started "I'm NOT too good with VBS..."!!!
 

Author Comment

by:HoricePlant
ID: 33689754
Okay - I've discovered the answer myself. Found a program called ADModify, which can change any attribute / property of an object in AD and supports bulk changes. It has both a GUI interface (requires .Net 2.0) or you can use command line.

Link to Microsoft site for ADModify:
http://technet.microsoft.com/en-us/library/aa996216%28EXCHG.65%29.aspx
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 34171274
Question PAQ'd and stored in the solution database.
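
The bulk change asked about in this thread (one "Managed By" user on many groups), as an added example that is not code from any poster here. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the group names, the account jsmith and the output file name are constructed sample values.

```powershell
# Added example: set managedBy on a list of groups, dry run first.
# Assumption: the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

$ManagerSam = 'jsmith'                  # constructed: new manager's sAMAccountName
$GroupNames = @('A_TEST', 'B_TEST')     # constructed: or Get-Content .\groups.txt
$Apply      = $false                    # switch to $true after reviewing the dry run

# Resolve the manager once; a typo here stops the run before any group is touched.
$manager = Get-ADUser -Identity $ManagerSam -ErrorAction Stop

$report = foreach ($name in $GroupNames) {
    try {
        $group  = Get-ADGroup -Identity $name -Properties ManagedBy -ErrorAction Stop
        $status = 'unchanged'
        if ($group.ManagedBy -ne $manager.DistinguishedName) {
            # With -WhatIf the cmdlet only prints what it would write.
            Set-ADGroup -Identity $group -ManagedBy $manager `
                -WhatIf:(-not $Apply) -ErrorAction Stop
            $status = if ($Apply) { 'changed' } else { 'would change' }
        }
        [pscustomobject]@{
            Group  = $group.DistinguishedName
            Old    = $group.ManagedBy   # previous value, kept for rollback and audit
            New    = $manager.DistinguishedName
            Status = $status
        }
    } catch {
        # Missing group, access denied, etc.: record it and carry on with the rest.
        [pscustomobject]@{
            Group  = $name
            Old    = $null
            New    = $null
            Status = "error: $($_.Exception.Message)"
        }
    }
}

# Before/after record of every group in the batch.
$report | Export-Csv -Path .\managedby-change.csv -NoTypeInformation
$report | Format-Table -AutoSize
```

Setting managedBy only records the owner; the right to edit membership is a separate ACE, such as the RPWP;member grant in the dsacls comment above. An ACE already granted to a previous manager stays in place until it is removed.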