MilesLogan asked:
scan domain for groups with Manager can update membership list option checked.

Hi EE

Does anyone have a script to share that will check all groups in the domain and output if the "Manager can update membership list" option is checked (enabled)?
The CSV should include the group name and the samAccountName listed that can update the group.
oBdA:

This returns all groups that have a manager set, with a column indicating whether the manager can update the group's membership.

    Import-Module ActiveDirectory
    $outFile = 'C:\Temp\ManagerCanUpdateMembership.csv'
    $nbDomain = (Get-ADDomain).NetBIOSName
    # Schema GUID of the 'member' attribute; the checkbox grants write access to it.
    $writeMember = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    # Only groups that have a manager (managedBy) set.
    Get-ADGroup -LDAPFilter "(&(objectcategory=group)(managedBy=*))" -Property managedBy | ForEach-Object {
        $out = $_ | Select-Object -Property Name, Manager, ManagerCanUpdateMembership, DistinguishedName
        $manager = Get-ADObject -Identity $_.managedBy -Property SamAccountName
        $out.Manager = $manager.SamAccountName
        Write-Host "Processing $($_.Name) (managed by '$($manager.SamAccountName)')"
        # Read the group's security descriptor and look for an ACE on 'member' held by the manager.
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $out.ManagerCanUpdateMembership = ($acl.Access | Where-Object {($_.ObjectType -eq $writeMember) -and ($_.IdentityReference.Value -eq "$($nbDomain)\$($manager.SamAccountName)")}) -ne $null
        $out
    } | Export-Csv -NoTypeInformation -Path $outFile

If you want only the groups where the manager can update the membership, just filter in the last line before the export:
} | Where-Object {$_.ManagerCanUpdateMembership} | Export-Csv -NoTypeInformation -Path $outFile

MilesLogan (asker):

Thank you, I will check later tonight.
How can the manager update the group membership?

oBdA:

Ticking the checkbox sets an ACE on the group object that allows the manager to change the group membership.

MilesLogan (asker):

Cool, thanks oBdA.

Hi oBdA

I tried it both ways that you suggested and I am receiving the error below. I get a return from both searches, but neither completed.
FYI, I have close to 200k groups that it needs to check.

Get-ADGroup : The server has returned the following error: invalid enumeration context.
At C:\PS\ManagerCanUpdate.ps1:5 char:1
+ Get-ADGroup -LDAPFilter "(&(objectcategory=group)(managedBy=*))" -Pro ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADGroup], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
ASKER CERTIFIED SOLUTION by oBdA (the solution text is only available to Experts Exchange members and is not included here).
MilesLogan (asker):

Thanks! I will try tonight.
It's working. Will let you know if it bombs out again. It's been like 45 mins and it's on 30k out of 255k groups. I guess we should have it search for only security groups and not distribution groups.

oBdA:
You can replace the LDAP filter in the script above with the following to process security groups only:
"(&(objectcategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(managedBy=*))"

More filter samples here:
Active Directory: LDAP Syntax Filters
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
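As an added example (my own audit script, not oBdA's or the asker's code), the following combines oBdA's ACL check with the security-group-only filter from this post, tightens the ACE match to an explicit Allow of WriteProperty on the 'member' attribute, resolves managers by SID so groups as well as users work, and materializes the group list before the slow ACL work so the paged LDAP search is not held open for the whole run (my assumption about one common cause of "invalid enumeration context" on very large domains; the output path is also assumed).

```powershell
# Added audit example (not the original answer's script). Assumptions: output path,
# and that materializing results first avoids the "invalid enumeration context" error.
Import-Module ActiveDirectory

$outFile     = 'C:\Temp\ManagerCanUpdateMembership.csv'     # assumed output path
$writeMember = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schema GUID of 'member'
# Security groups only (groupType bit 0x80000000) that have a manager set.
$filter = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(managedBy=*))'

# Materialize the group list first; -ResultPageSize keeps each LDAP page small.
$groups = @(Get-ADGroup -LDAPFilter $filter -Property managedBy -ResultPageSize 500)
Write-Host "Found $($groups.Count) managed security groups"

$managerCache = @{}   # managedBy DN -> 'DOMAIN\name'; avoids repeated lookups

function Resolve-ManagerAccount {
    param([string]$ManagedByDn)
    if (-not $managerCache.ContainsKey($ManagedByDn)) {
        $obj = Get-ADObject -Identity $ManagedByDn -Property objectSid
        # Translate the SID to DOMAIN\name; works for users and groups alike.
        $nt  = ([System.Security.Principal.SecurityIdentifier]$obj.objectSid).Translate(
                   [System.Security.Principal.NTAccount]).Value
        $managerCache[$ManagedByDn] = $nt
    }
    return $managerCache[$ManagedByDn]
}

$i = 0
$groups | ForEach-Object {
    $group = $_
    $i++
    if ($i % 1000 -eq 0) { Write-Host "Processed $i of $($groups.Count)" }
    $managerNt = Resolve-ManagerAccount -ManagedByDn $group.managedBy
    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    # Match only an explicit Allow ACE granting WriteProperty on 'member' to the manager.
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $writeMember -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.IdentityReference.Value -eq $managerNt
    }
    [pscustomobject]@{
        Name                       = $group.Name
        Manager                    = $managerNt
        ManagerCanUpdateMembership = [bool]$ace
        DistinguishedName          = $group.DistinguishedName
    }
} | Export-Csv -NoTypeInformation -Path $outFile
```

Groups whose manager holds write access to 'member' through an ACE with an all-zero ObjectType (write to all properties) are not flagged by this match, so review those separately if full-write ACEs are in use.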
MilesLogan (asker):

Worked as expected, thank you for the great assist.

I will try the additional filters.