Parity123 asked:
Modify PowerShell script

Hello,

I need help in modifying this script to include "Manager Can Update Membership List", if the box is checked or not, in the report as well.

"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
     # Fetches each group together with its ManagedBy attribute; nothing is reported yet
     $group = Get-ADGroup -Identity $_ -Properties ManagedBy
 }
Jeremy Weisinger:

What you're looking for is not a property but a permission which makes things a little more complicated but completely doable. Try this. I haven't tested it and you'll need to modify the output but it should get you what you need:
"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
     $group = Get-ADGroup -Identity $_ -Properties ManagedBy
     $grpdn = $group.DistinguishedName
     $mgr = $group.ManagedBy                      # DN of the manager object
     # Derive the manager's domain from the DC= parts of its DN, then build DOMAIN\sAMAccountName
     $domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
     $netbiosDomain = (Get-ADDomain $domainDN).NetBIOSName
     $mgrnetbios = $netbiosDomain + '\' + (Get-ADUser $mgr).SamAccountName
     # "Manager can update membership list" is an ACE on the group that grants the manager
     # write access to the 'member' attribute (schema GUID bf9679c0-0de6-11d0-a285-00aa003049e2)
     $acl = Get-Acl AD:"$grpdn"
     $isCheckbox = If($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"}){$true}else{$false}
     Write-Host "$($group.Name) is managed by $mgrnetbios"
     Write-Host "The box is checked: $isCheckbox"
 }


Parity123 (ASKER):

Awesome!!!! It works. If I wanted just one more change to this, could you help?

If the box is not checked, I want to check the box for "Manager Can Update Membership List".
Jeremy Weisinger:

There are a few examples on the web. I found this one and put it into a function:
http://blogs.technet.com/b/blur-lines_-powershell_-author_shirleym/archive/2013/10/07/manager-can-update-membership-list.aspx

This script will list the manager and, if not checked, give the permissions to update the list.

function Set-MgrCanUpdateList{
    Param(
        $UserNetBIOSName,
        $GroupDN
        )

    # Schema GUID of the 'member' attribute; the ACE is scoped to this one property
    $guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    # Resolve DOMAIN\user to the SID the ACE is stored under
    $user = New-Object System.Security.Principal.NTAccount($UserNetBIOSName)
    $sid = $user.translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl ad:"$GroupDN"
    $ctrl = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path ad:"$GroupDN"
    }

"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
     $group = Get-ADGroup -Identity $_ -Properties ManagedBy
     $grpdn = $group.DistinguishedName
     $mgr = $group.ManagedBy
     $domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
     $netbiosDomain = (Get-ADDomain $domainDN).NetBIOSName
     $mgrnetbios = $netbiosDomain + '\' + (Get-ADUser $mgr).SamAccountName
     $acl = Get-Acl AD:"$grpdn"
     # Grant the permission only when no matching ACE for the manager exists yet
     If(!($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){Set-MgrCanUpdateList -UserNetBIOSName $mgrnetbios -GroupDN $grpdn}
     Write-Host "$($group.Name) is managed by $mgrnetbios"
 }


Parity123 (ASKER):

Excellent. One last question on this topic: if I wanted to clear the checkbox, would the following change work?

$acl.AddAccessRule($rule)  to $acl.RemoveAccessRule($rule)

I am getting an error on the following line when running for a remote domain, when checking for "Manager can update membership list" (and the ManagedBy value is retrieved correctly):

 $acl = Get-Acl AD:"$grpdn"   (referral error). I checked the value for grpdn and the value is correct. It works fine for the logged-on domain.



# Domains to process: an array of DNS names (the IndexOf(".") below expects dotted names)
$arrdomains = "testdomain1", "testdomain2"
foreach ($domain in $arrdomains) {

    $netbiosdomain = (Get-ADDomain $domain).NetbiosName
    write-host $netbiosdomain
    # Group names are suffixed with the upper-cased left-most label of the domain
    $leftdomain = $domain.substring(0,$domain.indexof(".")).ToUpper()
    write-host "Left domain: $leftdomain"
    "FGPP-", "FGPP-" |
     foreach {
         $groupName = $_+$leftdomain
         write-host $groupName
         $group = Get-ADGroup -Identity $groupName -Server $domain -Properties ManagedBy
         $grpdn = $group.DistinguishedName
         write-host "Group DN: $grpdn"
         $mgr = $group.ManagedBy
         #$domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
         #$netbiosDomain = (Get-ADDomain $domainDN).NetBIOSName
         $mgrnetbios = $netbiosdomain + '\' + (Get-ADUser $mgr).SamAccountName
         # Fails with a referral error for a remote domain: the default AD: drive is bound to the logon domain
         $acl = Get-Acl AD:"$grpdn"
         If(!($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){write-host " box is not checked"}
         Write-Host "$($group.Name) is managed by $mgrnetbios"
     }

}
Jeremy Weisinger:

"would the following change work.
$acl.AddAccessRule($rule)  to $acl.RemoveAccessRule($rule)"

Yes, that should work to remove the checkbox.

"I am getting an error on the following line when running for a remote domain"

Remote domain, eh? OK, so I'm using the default AD PSDrive to set the ACE in the ACL. What you can do is map a drive to the remote domain and work against that for changing the permissions:

New-PSDrive -Name RemoteAD -PSProvider ActiveDirectory -Credential (Get-Credential) -Root //RootDSE/ -Server remoteDC.domain.com:389



Then in the script you would reference RemoteAD:"DN..." instead of AD:"DN...".
Let me know if you need help with modifying the function.
Parity123 (ASKER):

Yes please, I would need some help in modifying the function. My logged in account has access to all the domains in the forest. No need to prompt for credentials for remote domains.
Jeremy Weisinger:

Sorry for the delay. Work and life. ;)

So this should work to get the info from other domains in the forest. I assume you're using the server parameter for the Get-ADGroup cmdlet. You'll need to continue to do that, so modify it accordingly. But I have written it so that any subsequent queries will go to the proper domain. This script also assumes that the manager is in the same domain as the group it's managing. If that is not the case then the script will need to be tweaked to account for that.

function Set-MgrCanUpdateList{
    Param(
        $UserNetBIOSName,
        $GroupDN
        )

    # Schema GUID of the 'member' attribute; the ACE is scoped to this one property
    $guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $user = New-Object System.Security.Principal.NTAccount($UserNetBIOSName)
    $sid = $user.translate([System.Security.Principal.SecurityIdentifier])
    # Read the ACL through the WorkingAD drive, which is mapped to the group's own domain
    $acl = Get-Acl WorkingAD:"$GroupDN"
    $ctrl = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path WorkingAD:"$GroupDN"
    }

"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
     $group = Get-ADGroup -Identity $_ -Properties ManagedBy
     $grpdn = $group.DistinguishedName
     $mgr = $group.ManagedBy
     $domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
     # DNS name of the group's domain, built from the DC= parts of its DN; later queries are sent there
     $DNSRootDomain = (($grpdn.Split(',') | ? {$_.Contains('DC=')}) -join '.').Replace('DC=','')
     $netbiosDomain = (Get-ADDomain $domainDN -server $DNSRootDomain).NetBIOSName
     $mgrnetbios = $netbiosDomain + '\' + (Get-ADUser $mgr -Server $DNSRootDomain).SamAccountName
     # Map a temporary AD drive to the group's domain so Get-Acl/Set-Acl do not hit a referral
     $ADSrv = $DNSRootDomain+':389'
     New-PSDrive -Name WorkingAD -PSProvider ActiveDirectory -Root //RootDSE/ -Server $ADSrv | Out-Null
     $acl = Get-Acl WorkingAD:"$grpdn"
     If(!($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){Set-MgrCanUpdateList -UserNetBIOSName $mgrnetbios -GroupDN $grpdn}
     Write-Host "$($group.Name) is managed by $mgrnetbios"
     Remove-PSDrive -Name WorkingAD
 }


Parity123 (ASKER):

Thanks. The manager is always in the root domain of the forest. Where would that tweak be?
Actually, the manager could be in the same domain as the group or in the root domain. Really appreciate your help.
Jeremy Weisinger:

OK, small tweak.

Haven't tested it.

function Set-MgrCanUpdateList{
    Param(
        $UserNetBIOSName,
        $GroupDN
        )

    # Schema GUID of the 'member' attribute; the ACE is scoped to this one property
    $guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $user = New-Object System.Security.Principal.NTAccount($UserNetBIOSName)
    $sid = $user.translate([System.Security.Principal.SecurityIdentifier])
    # Read the ACL through the WorkingAD drive, which is mapped to the group's own domain
    $acl = Get-Acl WorkingAD:"$GroupDN"
    $ctrl = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
    $acl.AddAccessRule($rule)
    Set-Acl -acl $acl -path WorkingAD:"$GroupDN"
    }

"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
 foreach {
     $group = Get-ADGroup -Identity $_ -Properties ManagedBy
     $grpdn = $group.DistinguishedName
     $mgr = $group.ManagedBy
     # The manager may live in a different domain than the group: resolve it against its own domain
     $mgrDomain = (($mgr.Split(',') | ? {$_.Contains('DC=')}) -join '.').Replace('DC=','')
     $domainDN = ($mgr.split(",") | ? {$_.Contains('DC=')}) -join ','
     # DNS name of the group's domain, used for the ACL drive
     $DNSRootDomain = (($grpdn.Split(',') | ? {$_.Contains('DC=')}) -join '.').Replace('DC=','')
     $netbiosDomain = (Get-ADDomain $domainDN -server $mgrDomain).NetBIOSName
     $mgrnetbios = $netbiosDomain + '\' + (Get-ADUser $mgr -Server $mgrDomain).SamAccountName
     $ADSrv = $DNSRootDomain+':389'
     New-PSDrive -Name WorkingAD -PSProvider ActiveDirectory -Root //RootDSE/ -Server $ADSrv | Out-Null
     $acl = Get-Acl WorkingAD:"$grpdn"
     If(!($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){Set-MgrCanUpdateList -UserNetBIOSName $mgrnetbios -GroupDN $grpdn}
     Write-Host "$($group.Name) is managed by $mgrnetbios"
     Remove-PSDrive -Name WorkingAD
 }


Parity123 (ASKER):

Thanks Jeremy for the quick response.

I tested; the checkbox is set correctly, but removal of the checkbox is not working. I made the following changes and tested for removal of the checkbox, which is not working. Could you please assist?

function Clear-MgrCanUpdateList{
    Param(
        $UserNetBIOSName,
        $GroupDN
        )

    # Same GUID, SID and rights as in Set-MgrCanUpdateList, but the rule is removed instead of added
    $guid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $user = New-Object System.Security.Principal.NTAccount($UserNetBIOSName)
    $sid = $user.translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl WorkingAD:"$GroupDN"
    $ctrl = [System.Security.AccessControl.AccessControlType]::Allow
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)
    $acl.RemoveAccessRule($rule)
    Set-Acl -acl $acl -path WorkingAD:"$GroupDN"
    }

# Clear the permission only when a matching ACE for the manager is present
If(($acl.Access | ? {$_.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $_.IdentityReference -eq "$mgrnetbios"})){Clear-MgrCanUpdateList -UserNetBIOSName $mgrnetbios -GroupDN $grpdn}
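One way to implement the report, set and clear steps worked through in this thread, as an added example that is not code from the thread or from its member-only certified solution. Unlike the thread's scripts it matches the manager's SID instead of a "DOMAIN\name" string, removes the ACE objects found in the ACL rather than a freshly built rule, and supports -WhatIf for a dry run; the function and drive names, the placeholder domain 'child.example.com', and the choice to grant only WriteProperty on member (the right the checkbox itself sets, to be verified against a group set through ADUC) are assumptions.

```powershell
# Added example, not from the thread. Reports, sets or clears the "Manager Can Update Membership
# List" ACE for a group in any domain of the forest. Assumes the RSAT ActiveDirectory module,
# rights on the group's ACL, and that the manager may be in a different domain than the group.
$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schema GUID of the 'member' attribute
function Get-DomainFromDN([string]$dn) {
    # "CN=x,OU=y,DC=corp,DC=example,DC=com" -> "corp.example.com"
    (($dn.Split(',') | Where-Object { $_ -like 'DC=*' }) -join '.').Replace('DC=', '')
}
function Get-MgrMemberAces($acl, [System.Security.Principal.SecurityIdentifier]$sid) {
    # Explicit Allow ACEs that grant WriteProperty on 'member' to $sid. Matching on the SID
    # rather than on "DOMAIN\name" avoids NetBIOS formatting differences across domains.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) | Where-Object {
        $_.IdentityReference -eq $sid -and $_.ObjectType -eq $MemberAttrGuid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
    }
}
function Set-MgrCanUpdateMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Server,     # DNS name of the group's domain
        [ValidateSet('Report', 'Set', 'Clear')][string]$Action = 'Report'
    )
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties ManagedBy
    if (-not $group.ManagedBy) { return [pscustomobject]@{ Group = $group.Name; Manager = $null; Checked = $null } }
    # Resolve the manager in its own domain (which may differ from the group's) and take its SID
    $mgr  = Get-ADObject -Identity $group.ManagedBy -Server (Get-DomainFromDN $group.ManagedBy) -Properties objectSid
    $sid  = [System.Security.Principal.SecurityIdentifier]$mgr.objectSid
    $path = "AuditAD:$($group.DistinguishedName)"
    $null = New-PSDrive -Name AuditAD -PSProvider ActiveDirectory -Root '//RootDSE/' -Server "$(Get-DomainFromDN $group.DistinguishedName):389"
    try {
        $acl  = Get-Acl -Path $path
        $aces = @(Get-MgrMemberAces $acl $sid)    # state found before any change
        if ($Action -eq 'Set' -and $aces.Count -eq 0 -and $PSCmdlet.ShouldProcess($group.Name, "grant $($mgr.Name) WriteProperty on member")) {
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'WriteProperty', 'Allow', $MemberAttrGuid)
            $acl.AddAccessRule($rule)
            Set-Acl -AclObject $acl -Path $path
        } elseif ($Action -eq 'Clear' -and $aces.Count -gt 0 -and $PSCmdlet.ShouldProcess($group.Name, "remove $($aces.Count) member ACE(s) for $($mgr.Name)")) {
            # Remove the ACE objects that are actually present, so no rule has to be rebuilt with matching flags
            foreach ($ace in $aces) { $acl.RemoveAccessRuleSpecific($ace) }
            Set-Acl -AclObject $acl -Path $path
        }
        [pscustomobject]@{ Group = $group.Name; Manager = $mgr.Name; Checked = ($aces.Count -gt 0) }
    } finally { Remove-PSDrive -Name AuditAD }
}

# Constructed usage: audit two groups without changing anything ('child.example.com' is a placeholder)
'ADLgroup1', 'ADLgroup2' | ForEach-Object { Set-MgrCanUpdateMembership -GroupName $_ -Server 'child.example.com' -Action Report }
```

Run with -Action Set -WhatIf or -Action Clear -WhatIf first to see which groups would be modified before applying any ACL change.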
ASKER CERTIFIED SOLUTION
Jeremy Weisinger

(The certified solution is only available to Experts Exchange members.)