Question
Thursday, June 21, 2012 8:52 PM | 1 vote
Hello,
I've a similar problem as http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/2fb86543-a6bc-4814-abb0-403816529c26, but as that thread is already answered, nobody might read it.
My script to add the attribute "Manager can update membership list" for an AD group:
import-module activedirectory
set-location AD:    # use the AD: PSDrive so Get-ACL / Set-ACL address LDAP objects by DN
$objUser = New-Object System.Security.Principal.NTAccount("sampledomain\user1")
$sid = $objUser.Translate([System.Security.Principal.SecurityIdentifier])    # account name -> SID
$acl=Get-ACL "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"
$objectguid = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2    # schema GUID of the "member" attribute
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"WriteProperty","Allow",$objectguid    # allow WriteProperty on "member" only
$acl.AddAccessRule($ace1)
set-acl -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"    # writes the whole security descriptor back
The command returns this error:
Set-Acl : This security ID may not be assigned as the owner of this object
At line:1 char:8
+ set-acl <<<< -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"
+ CategoryInfo : NotSpecified: (CN=TESTGROUP...network,DC=com:String) [Set-Acl], ADException
+ FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:ADError,Microsoft.PowerShell.Commands.SetAclCommand
It is not a permission problem, because this command works:
dsacls CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com /G sampledomain\user1:WP;member;
I tried this VBS script http://codeidol.com/active-directory/active-directory/Groups/Delegating-Control-for-Managing-Membership-of-a-Group/
It returns: "Active Directory: A constraint violation occurred."
Then I found the solution for the VBS. The problem is described here http://support.microsoft.com/default.aspx?scid=kb;en-us;323749
"By default, when accessing the ntSecurityDescriptor property, the ADSI LDAP provider writes the whole security descriptor back to the object. If a non-administrative user tries to write the ownership information of a security descriptor, and the user does not own the object, the NT security system generates an error."
I fixed the VBS from codeidol with this additional code before executing SetInfo:
' Tell the ADSI LDAP provider to write back only the DACL, not owner/group/SACL
const ADS_OPTION_SECURITY_MASK = 3
const ADS_SECURITY_INFO_DACL = 4
objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
To make a long story short: how can I change the PowerShell script to behave as described in the MS article?
All replies (1)
Monday, June 25, 2012 11:38 AM ✅ Answered | 2 votes
I found a PowerShell solution which worked for me to add the "Manager can update member list" attribute.
If you use a newly created group, it needs some seconds until the SID is available.
$guidNull = new-object Guid 00000000-0000-0000-0000-000000000000
$guidWriteMembers = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2    # schema GUID of the "member" attribute
# Resolve the delegate (here the group "SampleGroup") to its SID. The SecurityIdentifier
# constructor expects an SDDL string (S-1-5-...), not an account name, so translate first.
$groupSID = (New-Object System.Security.Principal.NTAccount("sampledomain\SampleGroup")).Translate([System.Security.Principal.SecurityIdentifier])
$adServer = "dc01.sampledomain.network.com"    # placeholder: name of a domain controller to bind to
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $adServer + "/CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com")
# Allow WriteProperty on "member" only, no inheritance
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"WriteProperty","Allow",$guidWriteMembers,"None",$guidNull
$objDomain.ObjectSecurity.AddAccessRule($ace)
$objDomain.CommitChanges()
This link was very useful to solve the problem http://www.damianflynn.com/2011/08/23/ad-delegating-control-in-powershell/
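The following is an added example, not code from the question or the answer above. It ties the two posts together: it builds the same WriteProperty-on-"member" ACE with System.DirectoryServices, but also sets DirectoryEntry's SecurityMasks option to Dacl, which is the .NET counterpart of the ADS_OPTION_SECURITY_MASK / ADS_SECURITY_INFO_DACL call from the KB article quoted in the question, so only the DACL is written back and the "may not be assigned as the owner" error does not arise for a non-owner caller. It then reads the DACL back to confirm the ACE landed. $Server, $GroupDN and $Delegate are placeholders for your own environment; the group DN and the member-attribute GUID are the ones from the original post.

```powershell
# Added example (not from the original question or answer): delegate
# "Manager can update membership list" on one group, writing back only the DACL.
param(
    [string]$Server   = 'dc01.sampledomain.network.com',   # placeholder: a domain controller
    [string]$GroupDN  = 'CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com',
    [string]$Delegate = 'sampledomain\user1'               # user or group allowed to edit the membership
)

Add-Type -AssemblyName System.DirectoryServices

# Schema GUID of the "member" attribute, as used in the original post.
$memberAttribute = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Resolve the delegate to a SID. SecurityIdentifier's string constructor expects
# SDDL (S-1-5-...), not a name, so go through NTAccount.Translate first.
$delegateSid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$GroupDN")

# Write back only the DACL. By default DirectoryEntry sends owner, group and DACL,
# and a caller who is neither the owner nor an admin gets
# "This security ID may not be assigned as the owner of this object".
$group.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

# Allow WriteProperty on the "member" attribute only, with no inheritance.
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $delegateSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttribute,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

$group.ObjectSecurity.AddAccessRule($ace)
$group.CommitChanges()

# Verification: re-read the DACL and look for an explicit Allow ACE that grants
# WriteProperty on "member" to the delegate's SID.
$group.RefreshCache()
$granted = $group.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference -eq $delegateSid -and
        $_.ObjectType -eq $memberAttribute -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }

if ($granted) {
    "OK: $Delegate can now update the membership of $GroupDN"
} else {
    throw "ACE for $Delegate not found on $GroupDN after CommitChanges"
}
```

Run it as a user who has been delegated the right to modify permissions on the group (but who is not necessarily its owner); the Dacl mask is what lets that work. The read-back at the end is worth keeping in any delegation script: it turns a silent partial write into a visible failure, and the same filter can be run on its own to audit which principals hold WriteProperty on "member" for a group.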