MilesLogan
asked on
scan domain for groups with Manager can update membership list option checked.
Hi EE
Does anyone have a script to share that will check all groups in the domain and output if the "Manager can update membership list" option is checked (enabled)?
The CSV should include the group name and the samAccountName listed that can update the group.
ASKER
Thank you, I will check later tonight.
How can the manager update the group membership?
Ticking the checkbox sets an ACE on the group object that allows the manager to change the group membership.
Cool, thanks ObDa.
ASKER
Hi oBdA
I tried it both ways that you suggested and I am receiving the error below. I get a return from both searches but neither completed.
FYI ... I have close to 200k groups that it needs to check.
Get-ADGroup : The server has returned the following error: invalid enumeration context.
At C:\PS\ManagerCanUpdate.ps1:5 char:1
+ Get-ADGroup -LDAPFilter "(&(objectcategory=group)(managedBy=*))" -Pro ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ADGroup], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
ASKER
Thanks! I will try tonight.
ASKER
It's working... will let you know if it bombs out again. It's been like 45 mins and it's on 30k out of 255k groups. I guess we should have it search for only Security groups and not Distribution groups.
You can replace the LDAP filter in the script above with the following to process security groups only:
"(&(objectcategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(managedBy=*))"
More filter samples here: Active Directory: LDAP Syntax Filters
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
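The thread's accepted script is not reproduced on the page, so the following is an added example (my own code, not oBdA's solution) that puts together the three points made above: the checkbox is just an ACE on the group object granting the manager write access to the member attribute, the security-group-only LDAP filter from this post, and a way around the "invalid enumeration context" error from the earlier post. That error is ADWS expiring the server-side enumeration while a slow per-group loop is still consuming the Get-ADGroup pipeline, so the example collects the cheap group list first and runs the ACL lookups afterwards. It assumes the RSAT ActiveDirectory module is loaded (which creates the AD: drive), that the caller can read group ACLs, and the output path is a placeholder.

```powershell
# Added example, not the thread's paywalled solution.
# Lists security groups with a manager and reports whether that manager
# holds the "Manager can update membership list" right (WriteProperty on "member").
Import-Module ActiveDirectory

# Schema GUID of the "member" attribute; the checkbox grants WriteProperty on it.
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Security groups only (groupType bit 0x80000000) that have managedBy set.
$Filter = '(&(objectcategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(managedBy=*))'

# Step 1: pull only the attributes we need, into an array. This finishes quickly,
# so the ADWS enumeration context is released long before it can time out; the
# slow ACL work below is no longer inside the Get-ADGroup pipeline.
$Groups = @(Get-ADGroup -LDAPFilter $Filter -Properties managedBy -ResultPageSize 1000 |
    Select-Object Name, SamAccountName, DistinguishedName, managedBy)

# Cache manager SIDs; the same account usually manages many groups.
$SidCache = @{}

function Get-ManagerInfo {
    param([string]$ManagerDn)
    if (-not $SidCache.ContainsKey($ManagerDn)) {
        # managedBy may point at a user, group or computer; objectSid exists on all of them.
        $obj = Get-ADObject -Identity $ManagerDn -Properties objectSid, sAMAccountName
        $SidCache[$ManagerDn] = [PSCustomObject]@{
            Sid            = $obj.objectSid.Value
            SamAccountName = $obj.sAMAccountName
        }
    }
    return $SidCache[$ManagerDn]
}

# Step 2: inspect each group's ACL for an Allow ACE that gives the manager
# WriteProperty on "member". Matching on SID keeps renamed accounts correct.
$Results = foreach ($g in $Groups) {
    $mgr = Get-ManagerInfo -ManagerDn $g.managedBy
    $acl = Get-Acl -Path ("AD:\" + $g.DistinguishedName)

    $matching = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $MemberAttrGuid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $mgr.Sid
    }

    [PSCustomObject]@{
        GroupName        = $g.Name
        GroupSam         = $g.SamAccountName
        ManagerSam       = $mgr.SamAccountName
        ManagerCanUpdate = [bool]$matching
        # True when the right came from an OU-level ACE rather than the checkbox itself.
        Inherited        = [bool]($matching | Where-Object IsInherited)
    }
}

# Step 3: export. Swap in the commented line to keep only groups where the manager can update.
$Export = $Results
# $Export = $Results | Where-Object ManagerCanUpdate
$Export | Export-Csv -Path 'C:\Temp\ManagerCanUpdate.csv' -NoTypeInformation   # placeholder path
```

On a 255k-group domain the Get-Acl loop is still the slow part, but because it runs after the enumeration has completed, a slow run only costs time rather than aborting with the enumeration-context error. The Inherited column is worth keeping: an ACE granting the manager write access to member can also arrive by inheritance from an OU, which looks identical in the GUI checkbox but is governed elsewhere.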
ASKER
Worked as expected, thank you for the great assist.
I will try the additional filters.
If you want only the groups where the manager can update the membership, just filter in the last line before the export: