I have read many articles about scripting to enable "Manager can update membership list" on an AD group, and I also wrote the script below; I think it should be fine to run.
After debugging, I get "Access is denied" during the last Set-Acl.
My ID has admin rights on the domain sub-OU (where the group resides), but not on all domain OUs.
I think the error is because:
1. Get-Acl returns many super admin IDs.
2. When the ACL is modified in memory and Set-Acl re-writes it to the group, the problem is that I don't have rights to write those super admin IDs.
In fact, I just want to update it, not re-write the whole ACL.
Any solution for me? I think if run by an Enterprise Admin, it should work fine.
Import-Module ActiveDirectory

$GroupList = "D:\Work\GroupNameList.txt"
# Schema GUID of the "member" attribute (the property the manager is allowed to write)
$GUID   = [System.Guid] 'bf9679c0-0de6-11d0-a285-00aa003049e2'
$SID    = (Get-ADGroup "AdminDL-Group Admin" -Properties SID).SID
$CTRL   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$Rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($SID, $Rights, $CTRL, $GUID, $inType)

Get-Content $GroupList | ForEach-Object {
    # Look the group up once and reuse its AD: provider path
    $path = "AD:\$((Get-ADGroup $_).DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($Rule)
    Set-Acl -AclObject $acl -Path $path
}
Set-Acl : Access is denied
At D:\work\UpdatingGroupManager.ps1:16 char:40
+ set-acl <<<< -aclobject $acl -Path AD:$((Get-ADGroup $_ ).DistinguishedName)
    + CategoryInfo          : PermissionDenied: (CN=D4701R...S,DCC,DC=com:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:AccessDenied,Microsoft.PowerShell.Commands.SetAclCommand
夏天
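As an added example (not the poster's script), here is the same grant done through a DirectoryEntry whose SecurityMasks is set to Dacl, so that only the DACL is written back; Set-Acl on the AD: drive writes the whole security descriptor, owner included, which a delegated admin without the "Modify owner" right cannot do. It assumes the ActiveDirectory module and reuses the list file, grantee group and attribute GUID from the question; the duplicate-ACE check and the messages are additions.

```powershell
# Added example (not the poster's script). Adds WriteProperty on the "member"
# attribute of each listed group, committing only the DACL so that the owner
# and primary-group fields of the security descriptor are never written.
# Assumes the ActiveDirectory module; file path, grantee and GUID are taken
# from the question, the duplicate check and messages are added here.
Import-Module ActiveDirectory

$GroupList  = 'D:\Work\GroupNameList.txt'    # one group name per line
$Grantee    = 'AdminDL-Group Admin'          # principal that receives the right
$MemberGuid = [System.Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute
$WriteProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$sid  = (Get-ADGroup -Identity $Grantee -Properties SID).SID
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid, $WriteProp,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $MemberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

foreach ($name in (Get-Content -Path $GroupList | Where-Object { $_.Trim() })) {
    $group = Get-ADGroup -Identity $name.Trim()
    $entry = [ADSI]"LDAP://$($group.DistinguishedName)"

    # Read and later write the DACL only. With this mask CommitChanges() needs
    # WRITE_DAC on the group, not the right to set its owner.
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

    # Skip groups that already carry an identical explicit ACE (idempotent re-runs).
    $already = $entry.ObjectSecurity.GetAccessRules($true, $false,
                   [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.ObjectType -eq $MemberGuid -and
            (($_.ActiveDirectoryRights -band $WriteProp) -ne 0)
        }
    if ($already) {
        Write-Host "Already granted on $($group.DistinguishedName)"
        continue
    }

    try {
        $entry.ObjectSecurity.AddAccessRule($rule)
        $entry.CommitChanges()
        Write-Host "Granted member/WriteProperty on $($group.DistinguishedName)"
    } catch {
        Write-Warning "Failed on $($group.DistinguishedName): $($_.Exception.Message)"
    }
}
```

Run it as the same delegated account; a group that still fails here is one where that account genuinely lacks WRITE_DAC, which is the case to escalate rather than work around.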