Saturday, June 22, 2024
HomePowershellSupervisor can replace membership record - PowerShell

Supervisor can replace membership record – PowerShell

The administration of AD teams doesn’t need to be in IT arms. The ‘Group-Supervisor’ perform is usually used when a non-IT worker within the firm has to handle a gaggle. For instance, the division supervisor ought to be capable of resolve which worker is included in a sure distribution record (i.e. a distribution group).

Supervisor can replace membership record

For this goal, the person might be entered within the Energetic Listing Customers and Computer systems console because the supervisor of the group. We are able to additionally test the field: “Supervisor can replace membership record”. The person can then add and take away members, however can’t edit the group.

Manager can update membership list

To this point, so clear. However how does it work if you wish to set this permission by way of PowerShell? This is a little more difficult.

Group-Supervisor Authorization with PowerShell

Choosing the “Supervisor can replace membership record” checkbox doesn’t merely imply setting an attribute on the group. Quite, it adjustments the ACL (Entry Management Listing) of the group. This may also be seen within the safety tab of the group. In precept, this is identical as with permissions on folders.


Let’s assume that our group is named “VL_ManagerTest”. The person who ought to turn out to be supervisor and get permissions to vary members is known as “darkish.vader”. In our Powershell script, we proceed as follows.

Designate customers as managers

First, we set this person as a supervisor. For this we now have to fill the “managedBy” attribute of the group. Nonetheless, this should comprise the distinguishedName of the person. Due to this fact we now have to search out out the distinguishedName and set it. You want this script:

Now the supervisor is about, he nonetheless wants authorizations.

Creating an AccessRule

We have to add an AccessRule for this person to the ACL of the group. To create an ActiveDirectoryAccessRule we’d like 4 info:

  • The schema object for which this AccessRule applies.
  • The SID of the person to whom the rule applies
  • The kind of rule (permit/deny)
  • The rights which are to be set

The schema object we’d like right here is “Self-Membership”.

Automate group membership with DynamicGroup



This object has a “rightsGuid” which we’d like for our ActiveDirectoryAccessRule. The GUID is identical throughout all ADs and might be discovered within the ADSI edit underneath

Configuration -> Prolonged Rights -> Self-Membership -> Properties -> rightsGuid

Nonetheless, a fast Google search results in the identical outcome:


So the very first thing we do is retailer this GUID in a variable.

SID of the person

The following info we’d like is the SID of the person. Since we already learn this out earlier, we simply have to convert the kind from String to SecurityIdentifier.

We’d like two extra info; the kind of entry and the permissions we wish to set.

Entry rights of the person

The kind of entry is evident: sure permissions ought to be allowed. The permissions which are wanted listed here are “Write” and “Prolonged Rights“. And that is the way it seems in PowerShell:

Now that we now have all the data we’d like, we will create the rule:

Creating an ActiveDirectoryAccessRule

Within the final step, we now want so as to add our newly created rule to the ACL of the group. To do that, we should first learn the prevailing ACL:

To this ACL we add our newly created rule after which overwrite the group’s ACL with our modified ACL:

With this we now have it achieved. After updating, within the properties of the group underneath “managedBy” ought to be

  • the brand new person stand and
  • the checkbox “Supervisor can replace membership record” should be set.

Automate group administration

Much less work for everybody and excessive safe stage assure. For this we use the software DynamicGroup. Due to highly effective filters, you may set Attribute necessities for the members of your teams. For instance: A bunch “solely settle for energetic members”. If the standing of a member change to “inactive”, the member will probably be eliminated of the group. For those who replace the division attribute of a person to “gross sales”, DynamicGroup will add this person to all of the teams with this requirement. You possibly can learn extra particulars about this function on this article: Automated permissions based mostly on properties.

Automate group membership list with DynamicGroup

You possibly can obtain and check DynamicGroup totally free throughout 30-days right here.

The entire script: Set Group Supervisor Permission with PowerShell

Lastly, right here is the whole script:

Extra query about PowerShell oder Energetic Listing Automation? Assist wanted?

Contact us


Article created: 01.03.2021



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments