I am a domain admin. If I run this script, it works fine; it grants curtisstest permission to write members on TestGroup.
"scorch" is not a domain admin, but he has full control of all descendant groups in the OU where TestGroup lives, confirmed by the security settings on TestGroup in the ADUC GUI.
Import-Module ActiveDirectory

$groupname = "TestGroup"
$manager   = "curtisstest"
# Schema GUID of the 'member' attribute, so the ACE is scoped to that property only
$membersPropertyGUID = [guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"

$group          = Get-ADGroup $groupname
$targetgroupacl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$managerSID     = (Get-ADUser $manager).SID

# Allow the manager WriteProperty on the 'member' attribute of the group
$NewRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $managerSID, "WriteProperty", "Allow", $membersPropertyGUID)
$targetgroupacl.AddAccessRule($NewRule)

# Write the modified security descriptor back to the group
Set-Acl -Path "AD:\$($group.DistinguishedName)" -AclObject $targetgroupacl
If "scorch" is the owner of TestGroup, when I run the script as "scorch," I get a permission denied error on the Set-Acl command.
If "scorch" is not the owner of TestGroup, when I run the script as "scorch," I get an error that says "this security ID may not be assigned as the owner of this object" on the Set-Acl command.
Again, "scorch" has full control of TestGroup.
Again, the script works if I run it as a domain admin.
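A diagnostic that shows what the failing Set-Acl call is working against: the group's current owner and every ACE that can already modify the 'member' attribute. This is an added example, not the poster's script; it assumes the ActiveDirectory module and read access to the group's security descriptor, and reuses the group name and attribute GUID from the question.

```powershell
Import-Module ActiveDirectory

# Values taken from the question above
$groupName      = "TestGroup"
$memberAttrGuid = [guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"
$adRights       = [System.DirectoryServices.ActiveDirectoryRights]

$group = Get-ADGroup $groupName
$acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"

# Set-Acl on the AD: drive writes the whole descriptor, owner included,
# so the current owner is the first thing to check when it fails.
"Group: $($group.DistinguishedName)"
"Owner: $($acl.Owner)"

# Report every Allow ACE that can change group membership, whether
# explicitly (WriteProperty scoped to the 'member' GUID), for all
# properties (WriteProperty with an empty ObjectType), or via GenericAll.
function Get-MemberWriteAces {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Security)
    $Security.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag($adRights::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag($adRights::WriteProperty) -and
             ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq [guid]::Empty))
        )
    }
}

Get-MemberWriteAces -Security $acl |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited, InheritanceType |
    Format-Table -AutoSize
```

Run it as the account that fails (here "scorch") and again as a domain admin; if the Owner or the inherited ACEs differ between the two views, that is where to look first.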