Modify PowerShell script

Parity123 asked:

Hello,

I need help in modifying this script to include "Manager Can Update Membership List", whether the box is checked or not, in the report as well.

"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
 $group = Get-ADGroup -Identity $_ -Properties ManagedBy
}
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
What you're looking for is not a property but a permission which makes things a little more complicated but completely doable. Try this. I haven't tested it and you'll need to modify the output but it should get you what you need:
"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
 $group = Get-ADGroup -Identity $_ -Properties ManagedBy
 $grpdn = $group.DistinguishedName
 $mgr = $group.ManagedBy
 $domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
 $netbiosDomain = (Get-ADDomain $domainDN).NetBIOSName
 $mgrnetbios = $netbiosDomain + '\' + (Get-ADUser $mgr).SamAccountName
 $acl = Get-Acl AD:"$grpdn"
 $isCheckbox = If($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"}){$true}else{$false}
 Write-Host "$($group.name) is managed by $mgrnetbios"
 Write-Host "The box is checked: $isCheckbox"
}

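As an added example (not code from the thread or from Jeremy), here is the same check written to return objects instead of Write-Host text, so the result can be sorted, filtered and exported as the report the question asks for. It handles two cases the one-liner above does not: a group with no manager set (ManagedBy empty, where calling .Split() would throw) and a manager that is a group rather than a user. It assumes the ActiveDirectory module is available and a single domain (the default AD: drive of the logon domain); the CSV path is an assumption and the group names are the thread's placeholders.

```powershell
# Added example: report the "Manager can update membership list" state as objects.
# Assumes the ActiveDirectory module (RSAT) and that all groups live in the logon domain.
Import-Module ActiveDirectory

# Schema GUID of the 'member' attribute, taken from the thread. The ADUC checkbox is an
# Allow ACE for the manager granting WriteProperty on exactly this attribute.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-ManagerCanUpdateMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity
    )
    process {
        foreach ($name in $Identity) {
            $group = Get-ADGroup -Identity $name -Properties ManagedBy

            # Edge case: no manager set at all. Report it rather than failing on $null.Split().
            if (-not $group.ManagedBy) {
                [pscustomobject]@{
                    Group                      = $group.Name
                    Manager                    = $null
                    ManagerCanUpdateMembership = $false
                    Note                       = 'ManagedBy is empty'
                }
                continue
            }

            # ManagedBy may point at a user or a group, so resolve it with Get-ADObject and
            # build the DOMAIN\sAMAccountName form that IdentityReference uses.
            $mgr = Get-ADObject -Identity $group.ManagedBy -Properties sAMAccountName
            $mgrDomainDN = ($mgr.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','
            $netbios = (Get-ADDomain -Identity $mgrDomainDN).NetBIOSName
            $mgrNetbios = "$netbios\$($mgr.sAMAccountName)"

            # Match only an Allow ACE on 'member' that actually carries WriteProperty for the manager.
            $acl = Get-Acl -Path "AD:$($group.DistinguishedName)"
            $ace = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.ObjectType -eq $MemberAttributeGuid -and
                $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                $_.IdentityReference.Value -eq $mgrNetbios
            })
            $hasAce = $ace.Count -gt 0
            $note = if ($hasAce) { 'explicit ACE present' } else { 'no matching ACE' }

            [pscustomobject]@{
                Group                      = $group.Name
                Manager                    = $mgrNetbios
                ManagerCanUpdateMembership = $hasAce
                Note                       = $note
            }
        }
    }
}

# Usage: show the report on screen and keep a CSV copy (path is a placeholder) for the audit trail.
$report = "ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" | Get-ManagerCanUpdateMembership
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\ManagerCanUpdate-report.csv -NoTypeInformation
```

Because the function emits objects, `Where-Object { -not $_.ManagerCanUpdateMembership }` on the report gives the list of groups that still need the box set, which is the input the later remediation step in this thread works from.
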
Parity123 (Author) commented:
Awesome!!!!. It works. If I wanted just one more change to this, could you help.

If the box is not checked, I want to check the box for "Manager Can Update Membership List"

Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
There are a few examples on the web. I found this one and put it into a function:
http://blogs.technet.com/b/blur-lines_-powershell_-author_shirleym/archive/2013/10/07/manager-can-update-membership-list.aspx

This script will list the manager and, if not checked, give the permissions to update the list.

function Set-MgrCanUpdateList{
    Param(
        $UserNetBIOSName,
        $GroupDN
        )

    $guid =[guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $user = New-Object System.Security.Principal.NTAccount($UserNetBIOSName)
    $sid =$user.translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl ad:"$GroupDN"
    $ctrl =[System.Security.AccessControl.AccessControlType]::Allow
    $rights =[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path ad:"$GroupDN"
    }

"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
 $group = Get-ADGroup -Identity $_ -Properties ManagedBy
 $grpdn = $group.DistinguishedName
 $mgr = $group.ManagedBy
 $domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
 $netbiosDomain = (Get-ADDomain $domainDN).NetBIOSName
 $mgrnetbios = $netbiosDomain + '\' + (Get-ADUser $mgr).SamAccountName
 $acl = Get-Acl AD:"$grpdn"
 If(!($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){Set-MgrCanUpdateList -UserNetBIOSName $mgrnetbios -GroupDN $grpdn}
 Write-Host "$($group.name) is managed by $mgrnetbios"
}

Parity123 (Author) commented:
Excellent. One last question on this topic: if I wanted to clear the checkbox, would the following change work?

$acl.AddAccessRule($rule)  to $acl.RemoveAccessRule($rule)

Parity123 (Author) commented:
I am getting an error on the following line when running for a remote domain, when checking for "Manager can update membership list" (the ManagedBy value is retrieved correctly):

 $acl = Get-Acl AD:"$grpdn"   (referral error)

I checked the value for grpdn and the value is correct. It works fine for the logged-on domain.

$arrdomains = "testdomain1", "testdomain2"   # one string per domain; a single "a,b" string would loop once
foreach ($domain in $arrdomains) {

    $netbiosdomain = (Get-ADDomain $domain).NetBIOSName
    write-host $netbiosdomain
    $leftdomain = $domain.Substring(0, $domain.IndexOf(".")).ToUpper()
    write-host "Left domain: $leftdomain"
    "FGPP-", "FGPP-" |
     foreach {
      $groupName = $_ + $leftdomain
      write-host $groupName
      $group = Get-ADGroup -Identity $groupName -Server $domain -Properties ManagedBy
      $grpdn = $group.DistinguishedName
      write-host "Group DN: $grpdn"
      $mgr = $group.ManagedBy
      #$domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
      #$netbiosDomain = (Get-ADDomain $domainDN).NetBIOSName
      $mgrnetbios = $netbiosdomain + '\' + (Get-ADUser $mgr).SamAccountName
      $acl = Get-Acl AD:"$grpdn"
      # the negated test means no matching ACE was found, i.e. the box is NOT checked
      If(!($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){write-host " box is not checked"}
      Write-Host "$($group.name) is managed by $mgrnetbios"
    }
}

Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
would the following change work.

$acl.AddAccessRule($rule)  to $acl.RemoveAccessRule($rule)
Yes, that should work to remove the checkbox.

I am getting an error on the following line when running for a remote domain
Remote domain, eh? OK, so I'm using the default AD PSDrive to set the ACE in the ACL. What you can do is map a drive to the remote domain and work against that for changing the permissions:
New-PSDrive -Name RemoteAD -PSProvider ActiveDirectory -Credential (Get-Credential) -Root //RootDSE/ -Server remoteDC.domain.com:389

Then in the script you would reference RemoteAD:"DN..." instead of AD:"DN...".
Let me know if you need help with modifying the function.

Parity123 (Author) commented:
Yes please, I would need some help in modifying the function. My logged in account has access to all the domains in the forest. No need to prompt for credentials for remote domains.

Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
Sorry for the delay. Work and life. ;)

So this should work to get the info from other domains in the forest. I assume you're using the server parameter for the Get-ADGroup cmdlet. You'll need to continue to do that, so modify it accordingly. But I have written it so that any subsequent queries will go to the proper domain. This script also assumes that the manager is in the same domain as the group it's managing. If that is not the case then the script will need to be tweaked to account for that.

function Set-MgrCanUpdateList{
    Param(
        $UserNetBIOSName,
        $GroupDN
        )

    $guid =[guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $user = New-Object System.Security.Principal.NTAccount($UserNetBIOSName)
    $sid =$user.translate([System.Security.Principal.SecurityIdentifier])
    $ctrl =[System.Security.AccessControl.AccessControlType]::Allow
    $rights =[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
    # read the ACL through the function's own drive path instead of relying on the caller's $acl
    $acl = Get-Acl WorkingAD:"$GroupDN"
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path WorkingAD:"$GroupDN"
    }

"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
 $group = Get-ADGroup -Identity $_ -Properties ManagedBy 
 $grpdn = $group.DistinguishedName
 $mgr = $group.ManagedBy
 $domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
 $DNSRootDomain = (($grpdn.Split(',') | ? {$_.Contains('DC=')}) -join '.').Replace('DC=','')
 $netbiosDomain = (Get-ADDomain $domainDN -server $DNSRootDomain).NetBIOSName
 $mgrnetbios = $netbiosDomain + '\' + (Get-ADUser $mgr -Server $DNSRootDomain).SamAccountName
 $ADSrv = $DNSRootDomain+':389'
 New-PSDrive -Name WorkingAD -PSProvider ActiveDirectory -Root //RootDSE/ -Server $ADSrv | Out-Null
 $acl = Get-Acl WorkingAD:"$grpdn"
 If(!($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){Set-MgrCanUpdateList -UserNetBIOSName $mgrnetbios -GroupDN $grpdn}
 Write-Host "$($group.name) is managed by $mgrnetbios"
 Remove-PSDrive -Name WorkingAD
}

Parity123 (Author) commented:
Thanks. The manager is always in the root domain of the forest. Where would that tweak be.

Parity123 (Author) commented:
Actually, the manager could be the same domain as the group or in the root domain. Really appreciate your help.

Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
OK, small tweak.

Haven't tested it.

function Set-MgrCanUpdateList{
    Param(
        $UserNetBIOSName,
        $GroupDN
        )

    $guid =[guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $user = New-Object System.Security.Principal.NTAccount($UserNetBIOSName)
    $sid =$user.translate([System.Security.Principal.SecurityIdentifier])
    $ctrl =[System.Security.AccessControl.AccessControlType]::Allow
    $rights =[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
    # read the ACL through the function's own drive path instead of relying on the caller's $acl
    $acl = Get-Acl WorkingAD:"$GroupDN"
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path WorkingAD:"$GroupDN"
    }

"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
     $group = Get-ADGroup -Identity $_ -Properties ManagedBy 
     $grpdn = $group.DistinguishedName
     $mgr = $group.ManagedBy
     $mgrDomain = (($mgr.Split(',') | ? {$_.Contains('DC=')}) -join '.').Replace('DC=','')
     $domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
     $DNSRootDomain = (($grpdn.Split(',') | ? {$_.Contains('DC=')}) -join '.').Replace('DC=','')
     $netbiosDomain = (Get-ADDomain $domainDN -server $mgrDomain).NetBIOSName
     $mgrnetbios = $netbiosDomain + '\' + (Get-ADUser $mgr -Server $mgrDomain).SamAccountName
     $ADSrv = $DNSRootDomain+':389'
     New-PSDrive -Name WorkingAD -PSProvider ActiveDirectory -Root //RootDSE/ -Server $ADSrv | Out-Null
     $acl = Get-Acl WorkingAD:"$grpdn"
     If(!($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){Set-MgrCanUpdateList -UserNetBIOSName $mgrnetbios -GroupDN $grpdn}
     Write-Host "$($group.name) is managed by $mgrnetbios"
     Remove-PSDrive -Name WorkingAD
}

Parity123 (Author) commented:
Thanks Jeremy for the quick response.

I tested; the checkbox is set correctly, but removal of the check box is not working. I made the following changes and tested for removal of the check box, which is not working. Could you please assist?

function Clear-MgrCanUpdateList{
    Param(
        $UserNetBIOSName,
        $GroupDN
        )

    $guid =[guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $user = New-Object System.Security.Principal.NTAccount($UserNetBIOSName)
    $sid =$user.translate([System.Security.Principal.SecurityIdentifier])
    $ctrl =[System.Security.AccessControl.AccessControlType]::Allow
    $rights =[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
    # read the ACL through the function's own drive path instead of relying on the caller's $acl
    $acl = Get-Acl WorkingAD:"$GroupDN"
    $acl.RemoveAccessRule($rule)
    Set-Acl -acl $acl -path WorkingAD:"$GroupDN"
    }


If(($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){Clear-MgrCanUpdateList -UserNetBIOSName $mgrnetbios -GroupDN $grpdn}

Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
What is the error you're getting? Are $mgrnetbios and $grpdn defined when you run the If statement?

Clearing still needs all that logic and the references so it should be something like this for removing.

function Clear-MgrCanUpdateList{
    Param(
        $UserNetBIOSName,
        $GroupDN
        )

    $guid =[guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $user = New-Object System.Security.Principal.NTAccount($UserNetBIOSName)
    $sid =$user.translate([System.Security.Principal.SecurityIdentifier])
    $ctrl =[System.Security.AccessControl.AccessControlType]::Allow
    $rights =[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
    # read the ACL through the function's own drive path instead of relying on the caller's $acl
    $acl = Get-Acl WorkingAD:"$GroupDN"
    $acl.RemoveAccessRule($rule)
    Set-Acl -acl $acl -path WorkingAD:"$GroupDN"
    }

"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
     $group = Get-ADGroup -Identity $_ -Properties ManagedBy 
     $grpdn = $group.DistinguishedName
     $mgr = $group.ManagedBy
     $mgrDomain = (($mgr.Split(',') | ? {$_.Contains('DC=')}) -join '.').Replace('DC=','')
     $domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
     $DNSRootDomain = (($grpdn.Split(',') | ? {$_.Contains('DC=')}) -join '.').Replace('DC=','')
     $netbiosDomain = (Get-ADDomain $domainDN -server $mgrDomain).NetBIOSName
     $mgrnetbios = $netbiosDomain + '\' + (Get-ADUser $mgr -Server $mgrDomain).SamAccountName
     $ADSrv = $DNSRootDomain+':389'
     New-PSDrive -Name WorkingAD -PSProvider ActiveDirectory -Root //RootDSE/ -Server $ADSrv | Out-Null
     $acl = Get-Acl WorkingAD:"$grpdn"
     If($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"}){Clear-MgrCanUpdateList -UserNetBIOSName $mgrnetbios -GroupDN $grpdn}
     Write-Host "$($group.name) is managed by $mgrnetbios"
     Remove-PSDrive -Name WorkingAD
}

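Pulling the set, clear and remote-domain answers above together, as an added example that is not Jeremy's or the asker's code: one function that enables or disables the checkbox for groups anywhere in the forest, with the manager either in the group's domain or in the forest root. It assumes the ActiveDirectory module, an account with write access to the groups (the asker's situation), and that groups are passed as distinguished names so the target domain can be derived from the DN; the DN in the usage line is a constructed placeholder. Two things differ from the thread's scripts: the WorkingAD drive is removed in a finally block so a failing Get-Acl cannot leave it mapped for the next group, and clearing removes the ACEs as they actually exist on the object (RemoveAccessRuleSpecific) rather than rebuilding a rule and expecting it to match what was written.

```powershell
# Added example: audit and set/clear "Manager can update membership list" across a forest.
# Assumes the ActiveDirectory module and an account with write rights on the target groups.
Import-Module ActiveDirectory

$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # 'member' attribute, from the thread

function Get-DomainFromDN {
    # "CN=g,OU=x,DC=child,DC=example,DC=com" -> "child.example.com"
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (($DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
}

function Set-ManagerCanUpdateMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$GroupDN,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$State
    )
    process {
        # Query each object in its own domain: the default AD: drive only answers for the logon
        # domain and returns a referral (the error seen in the thread) for groups elsewhere.
        $groupDomain = Get-DomainFromDN $GroupDN
        $group = Get-ADGroup -Identity $GroupDN -Server $groupDomain -Properties ManagedBy
        if (-not $group.ManagedBy) {
            Write-Warning "$($group.Name): ManagedBy is empty, nothing to do"
            return
        }

        # The manager may sit in the group's domain or in the forest root; derive its domain from its own DN.
        $mgrDomain = Get-DomainFromDN $group.ManagedBy
        $mgr = Get-ADObject -Identity $group.ManagedBy -Server $mgrDomain -Properties sAMAccountName
        $netbios = (Get-ADDomain -Server $mgrDomain).NetBIOSName
        $mgrNetbios = "$netbios\$($mgr.sAMAccountName)"
        $sid = ([System.Security.Principal.NTAccount]$mgrNetbios).Translate([System.Security.Principal.SecurityIdentifier])

        # Map a drive rooted in the group's domain for Get-Acl/Set-Acl. The ${} braces matter:
        # "$groupDomain:389" would be parsed as a scoped variable named 'groupDomain:389'.
        New-PSDrive -Name WorkingAD -PSProvider ActiveDirectory -Root '//RootDSE/' -Server "${groupDomain}:389" | Out-Null
        try {
            $path = "WorkingAD:$GroupDN"
            $acl = Get-Acl -Path $path

            # Only explicit ACEs count: inherited ones cannot be removed here and are not what the checkbox writes.
            $existing = @($acl.Access | Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                $_.ObjectType -eq $MemberAttributeGuid -and
                $_.IdentityReference.Value -eq $mgrNetbios
            })

            if ($State -eq 'Enable') {
                if ($existing.Count -gt 0) { Write-Verbose "$($group.Name): already enabled for $mgrNetbios"; return }
                $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
                $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, ([System.Security.AccessControl.AccessControlType]::Allow), $MemberAttributeGuid
                $acl.AddAccessRule($rule)
            }
            else {
                if ($existing.Count -eq 0) { Write-Verbose "$($group.Name): already disabled for $mgrNetbios"; return }
                # Remove the ACEs exactly as they exist on the object, so the result does not depend on the
                # rights mask of a freshly built rule matching the one ADUC or an earlier script wrote.
                foreach ($ace in $existing) { $acl.RemoveAccessRuleSpecific($ace) }
            }

            # -WhatIf / -Confirm support: the write only happens when ShouldProcess says so.
            if ($PSCmdlet.ShouldProcess($GroupDN, "$State 'Manager can update membership list' for $mgrNetbios")) {
                Set-Acl -Path $path -AclObject $acl
            }
        }
        finally {
            Remove-PSDrive -Name WorkingAD
        }
    }
}

# Usage (constructed DN): preview with -WhatIf first, then run without it to apply.
'CN=ADLgroup1,OU=Groups,DC=child,DC=example,DC=com' | Set-ManagerCanUpdateMembership -State Enable -WhatIf
```

Run it with -Verbose to see groups that were already in the requested state and were skipped; because nothing is written for those, the function is safe to re-run over the full group list as a periodic drift check.
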
