设置组的所有者可以更新组员可以有三种方法
1.通过Exchange端的PS命令设置,这些命令在非exchange环境上不可用
2.通过安装Active Roles模块,使用Quest命令实现,但是需要安装第三方软件
3.使用ADSI实现
以下函数使用了方法3实现组管理员可以更新组员
cls function Set-GroupManager($GroupName,$ManagerSAM) { try { Import-Module ActiveDirectory -NoClobber $ManagerDN = (Get-ADUser -Identity $ManagerSAM -Properties * |select DistinguishedName).DistinguishedName.ToString().Trim() $GroupDN = (Get-ADGroup -Identity $GroupName -Properties * |select DistinguishedName).DistinguishedName.ToString().Trim() $mgr=[ADSI]"LDAP://$ManagerDN"; $identityRef=(Get-ADUser-Filter {DistinguishedName -like$ManagerDN}).SID.Value $sid=New-Object System.Security.Principal.SecurityIdentifier ($identityRef); $adRule=New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid,` [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,` [System.Security.AccessControl.AccessControlType]::Allow,` [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2");#这个数值默认都是这个,除非被修改. 可以通过ADSI中CN=Configuration -> CN=Extended-Rights -> CN=Self-Memberships -> rightsGuid $grp=[ADSI]"LDAP://$GroupDN"; $grp.InvokeSet("managedBy",@("$ManagerDN")); $grp.CommitChanges(); [System.DirectoryServices.DirectoryEntryConfiguration]$SecOptions=$grp.get_Options(); $SecOptions.SecurityMasks=[System.DirectoryServices.SecurityMasks]'Dacl' $grp.get_ObjectSecurity().AddAccessRule($adRule); $grp.CommitChanges(); } catch { write-host"Update failed..." } } & Set-GroupManager "DCGroups" "Managers"
本文链接: https://www.pstips.net/ps-set-ad-group-manager-can-update-member-list.html
请尊重原作者和编辑的辛勤劳动,欢迎转载,并注明出处!
请尊重原作者和编辑的辛勤劳动,欢迎转载,并注明出处!