There are three ways to let the owner (manager) of an AD group update its membership:
1. With the Exchange Management Shell cmdlets; these are not available where Exchange is not installed.
2. By installing the Active Roles module and using the Quest cmdlets, which requires third-party software.
3. With ADSI.
The function below uses method 3: it sets the group's managedBy attribute and then adds an ACE to the group's DACL that allows the manager to write the member attribute. Note that managedBy by itself grants no rights; it is the ACE that actually lets the manager change the member list (this is the same ACE that the "Manager can update membership list" checkbox in Active Directory Users and Computers creates).
function Set-GroupManager($GroupName, $ManagerSAM)
{
    try {
        Import-Module ActiveDirectory -NoClobber -ErrorAction Stop

        # Resolve the manager and the group; DistinguishedName and SID are returned by default.
        $manager   = Get-ADUser  -Identity $ManagerSAM -ErrorAction Stop
        $group     = Get-ADGroup -Identity $GroupName  -ErrorAction Stop
        $ManagerDN = $manager.DistinguishedName
        $GroupDN   = $group.DistinguishedName

        # The ACE is granted to the manager's SID, not to the DN.
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($manager.SID.Value)

        # Allow WriteProperty on the "member" attribute only. The GUID is the schemaIDGUID of
        # "member" (also the rightsGuid of the Self-Membership validated write under
        # CN=Extended-Rights in the Configuration partition); it is the same in every forest.
        $adRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2")

        $grp = [ADSI]"LDAP://$GroupDN"

        # managedBy is informational; it does not grant any rights on its own.
        $grp.InvokeSet("managedBy", @("$ManagerDN"))
        $grp.CommitChanges()

        # Write only the DACL, so owner/SACL rights on the group are not required.
        [System.DirectoryServices.DirectoryEntryConfiguration]$SecOptions = $grp.get_Options()
        $SecOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl'
        $grp.get_ObjectSecurity().AddAccessRule($adRule)
        $grp.CommitChanges()
    }
    catch {
        Write-Host "Update failed: $($_.Exception.Message)"
    }
}

Set-GroupManager "DCGroups" "Managers"
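After delegating, check what was actually written, since the ACE, not managedBy, is what grants the right. The following function is an added example and is not part of the original post; it assumes the ActiveDirectory module with its AD: drive, and reuses the group and user names from the article ("DCGroups", "Managers"). Beyond confirming the manager's ACE, it lists every other principal with a non-trivial write right on the group, because that is the real delegation surface on the object.

```powershell
# Added verification example (not from the original post). Assumes the ActiveDirectory
# module and its AD: drive, and the group/user names used in the article.
function Test-GroupManager($GroupName, $ManagerSAM)
{
    Import-Module ActiveDirectory -NoClobber -ErrorAction Stop
    $memberAttrGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of "member"

    $group   = Get-ADGroup -Identity $GroupName -Properties managedBy -ErrorAction Stop
    $manager = Get-ADUser  -Identity $ManagerSAM -ErrorAction Stop

    # 1. managedBy points at the manager (informational only).
    $managedByOk = ($group.managedBy -eq $manager.DistinguishedName)

    # 2. An explicit Allow ACE for the manager's SID grants WriteProperty on "member".
    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $manager.SID -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $memberAttrGuid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        -not $_.IsInherited
    }

    # 3. Everyone else who can rewrite "member" (or the whole object, ObjectType = all-zero GUID).
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll    -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl     -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
    $otherWriters = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq [Guid]::Empty) -and
        (($_.ActiveDirectoryRights -band $writeRights) -ne 0)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited

    [pscustomobject]@{
        Group        = $group.DistinguishedName
        ManagedByOk  = $managedByOk
        MemberAceOk  = [bool]$ace
        OtherWriters = $otherWriters
    }
}

Test-GroupManager "DCGroups" "Managers" | Format-List
```

Review the OtherWriters output with the group's role in mind: whoever can write member on a group holds every right that membership of that group confers, including on any group this one is nested in, so delegate it only on groups whose membership does not grant privileged access, and revisit it when the group is later nested somewhere sensitive.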
Article link: https://www.pstips.net/ps-set-ad-group-manager-can-update-member-list.html
Please respect the hard work of the original author and editor; reposting is welcome, with attribution.
