Active Directory Bulk Group Edit

Question

Is there a way to update the "Managed By" field for every group in Active Directory? I would also need to check "Manager can update membership list" also.

Are you looking to list the same user as manager for all groups? — jscott, May 25 '11 at 18:24

sysadmin1138 · Accepted Answer · 2011-05-25T19:37:39.547

8

This can be done through PowerShell

$DNOfManager=dsquery user -o dn -name "Testing Tester"
$GroupList=dsquery group DC=ad,dc=example,dc=local -limit 600 
Foreach ($group in $grouplist) {
    set-adgroup -Identity $Group -ManagedBy $DNOfManager
    add-adpermission -Identity $Group -user $DNOfManager -AccessRights ReadProperty, WriteProperty -Properties 'Member'
}

This is undebugged, but should get you most of the way there. What it does:

Uses dsquery to grab the Distinguished Name of the user with the full-name of "Testing Tester".
Uses dsquery to fetch a list of candidate groups, and passes that to a variable as a list.
Iterate through the list. On each list-member:
1. Assign the ManagedBy attribute
2. Assign the rights to update the Member attribute

So long as $DNOfManager is set right, this should set all groups in the domain to be managed by that one manager. ALL of them. Make sure the query in step one is defined right and doesn't pick up groups you don't want (Domain Admins?).

edited May 25 '11 at 19:37

answered May 25 '11 at 18:33

sysadmin1138

131,083
18
173
296

Sorry, I'm new to PowerShell. Say I wanted the manged by person to be test test@domain.com. Where would I put that. – Patrick May 25 '11 at 18:37
3

+1 - That's a clear win for PowerShell over any other method (including Joe Richards' ADMOD, which is what I was starting to write a post about). I should try to get over my dislike of PowerShell a little harder I suspect. – Evan Anderson May 25 '11 at 18:37
@Patrick I modified the script to make it more clear. – sysadmin1138 May 25 '11 at 19:37

score 1 · Answer 2 · answered May 25 '11 at 18:32

Looks like Active Directory is scriptable...link

You could do some research there and figure out how to script modifications. I would definitely recommend creating yourself a sandbox so you're not experimenting with scripts against your live Active Directory setup, though. I've learned this the hard way before; if you're experimenting with new stuff, don't do it with any data or setup you would be sad to see blown away.

score -1 · Answer 3 · edited Mar 09 '12 at 01:56

-1

Unfortunately there is no "bulk" way to select 'managed by' for all groups within a directory. You will have to select each individual group to change the managed by field.

My apologies gentlemen. I jumped to conclusions based on the interface of active directory alone. The idea of scripting escaped me. I also apologize for the use of the word "bulk." Quite frankly the site is new to me so I apologize for the lack and consideration of expertise on the topic expressed.

edited Mar 09 '12 at 01:56

jscott

24,204
8
77
99

answered May 25 '11 at 18:13

GMitch

500
3
12

1

I have over 500 groups... – Patrick May 25 '11 at 18:17
I rarely -1, but this answer is plain wrong. Should you edit to correct it, I will gladly remove my downvote. – jscott May 25 '11 at 18:36
2

If AD were unable to be 'bulk' modified it would be a nightmare to work with...which is not the case at all. – HostBits May 25 '11 at 18:36

Active Directory Bulk Group Edit

3 Answers3