Manager can update membership list Part 1

Sometimes trying to automate something simple as selecting a checkbox is no simple task. This is the first part of a series of posts on how to select the 'Manager can update membership list' checkbox for an AD group in PowerShell. The first part will give you the PowerShell script that will automate this process. The continuation of this post will go over the script in more detail and show you the steps that led up to this solution.


Below is the GUI used to select the user to manage the group and whether that user is allowed to update the membership list. Setting the manger is the easy part, but selecting the checkbox can be a little more complicated.




The script below will set the user as the manager and allow them to update the membership list. There will be more to come in the next posts to look at the script in fine detail.



      look at adsi-edit for this guid

     Configuration -> Extended Rights -> Self-Membership

     Open Self-Membership and the guid will be under rightsGuid


$guid =[guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$user = New-Object System.Security.Principal.NTAccount("contoso\jsmith")

$sid =$user.translate([System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl ad:"cn=testgroup,cn=users,dc=contoso,dc=com"

$ctrl =[System.Security.AccessControl.AccessControlType]::Allow

$rights =[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor[System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$intype =[System.DirectoryServices.ActiveDirectorySecurityInheritance]::None


#set the ManagedBy property

$group =[adsi]'LDAP://cn=testgroup,cn=users,dc=contoso,dc=com'




#create the new rule and add the rule

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$rights,$ctrl,$guid)


Set-Acl -acl $acl -path ad:"cn=testgroup,cn=users,dc=contoso,dc=com"

Write-Host "Voila! We have the checkbox checked"


The next post will explain how to obtain the guid for the Self Member extended right.

 Part 2


Comments (7)

  1. James A' says:

    Thank you for explaining the "Configuration -> Extended Rights -> Self-Membership" part!

    I've yet to try your script, hope it works for me!

  2. James A' says:

    This didn't work for me. I noticed a mistake here "$adsi.setinfo()" I think you meant to put "$group.setinfo()"

    This part doesn't make sense to me either


    $newacl =$acl.AddAccessRule($rule)

    set-acl -acl $acl-path ad:"cn=testgroup,cn=users,dc=contoso,dc=com"


    Shouldn't it be set-acl -acl $newacl -path ad:"cn=testgroup,cn=users,dc=contoso,dc=com" ?

    In any case I still get this error at the end.

    Set-Acl : This security ID may not be assigned as the owner of this object

    At line:1 char:8

  3. shirl9141 says:

    Nice catch! Yes, the $adsi.setinfo() should be $group.setinfo().

    I have taken out the $newacl variable, it is not needed. The AddAccessRule method does not return anything. I have updated the post with the changes. Thanks for letting me know!

    This may help you on your error.…/ms838297.aspx

  4. amitkumar_patil says:

    What are the minimum permission required on AD to run this script.

  5. Anonymous says:

    Irfan Ahmed, Senior Support Escalation Engineer, brings this amazing blog to us. Read on.


  6. Anonymous says:

    Irfan Ahmed, Senior Support Escalation Engineer, brings this amazing blog to us. Read on.


  7. Jonny Blue says:

    Thanks, helped me very much!

Skip to main content