Delegate management of a group – Part One

As an administrator in a larger company, you are frequently tasked with creating (security/distribution) groups in Active Directory and assigning permissions to them in order to grant users access to resources. In addition, you are asked to let managers/supervisors update the membership of those AD groups without giving them Domain Admin rights.

What can you do?

Firstly, use the Managed By attribute in the AD group's properties to designate "group admins" who will maintain the member list. Be aware that managedBy on its own is informational: it records who owns the group but grants no rights. What actually lets the designated manager edit membership is the "Manager can update membership list" checkbox on the same tab, which writes an ACE granting that principal WriteProperty on the group's member attribute (the second script below adds exactly this ACE). Anyone who holds that right, directly or through a group, can add or remove any account in the group, so the manager group's own membership needs the same care as the resources the managed groups guard.

Secondly, use PowerShell scripts to automate the creation of Active Directory objects (groups, users, group memberships) and to set the managedBy property, together with the matching ACE, on every group you create.

In this post, I will provide three PowerShell scripts for the following:

  • Bulk creation of security groups in Active Directory;
  • Setting the managedBy property and granting a security group, as the group manager, the right to update the member list;
  • Adding the groups' members from a csv file.

The first script imports a csv file and bulk-creates the security groups it lists.

The CSV file, named Group.csv, has the following data; the script will create these security groups in three different OUs.

Name,Description,OUName
AFL ABC 01,Access to the \\ShareName\…\ABC,Warehouse
AFL DEF 02,Access to the \\ShareName\…\DEF,Warehouse
AFL GHI 03,Access to the \\ShareName\…\GHI,Warehouse
AFL JKL 04,Access to the \\ShareName\…\ABC,Accounting
AFL MNO 05,Access to the \\ShareName\…\EFG,Accounting
AFL PQR 06,Access to the \\ShareName\…\XYZ,Accounting
AFL STU 07,Access to the \\ShareName\…\STU,Sales
AFL VWX 08,Access to the \\ShareName\…\VWX,Sales

# Filename: Create-Groups.ps1
# Date:     Jan, 2014
# Author:   Alex Dujakovic
# Description: PowerShell script for bulk creation of security groups
#------------------------------------------------------------------------------------------------------
Import-Module ActiveDirectory
# CSV files
$csvFileGroup = "C:\Test\DelegateGroupManagement\Group.csv"
$logListOfGroups = "C:\Test\DelegateGroupManagement\GroupList.txt"
$logErrorFile = "C:\Test\DelegateGroupManagement\GroupError_Log.txt"
#------------------------------------------------------------------------------------------------------
Function Create-Groups($csvFile, $logGroupsCreated, $logErrors){
    If(Test-Path -Path $csvFile){
        Import-Csv -Path $csvFile |
        ForEach-Object {
                $row = $_    # keep the CSV row: inside a catch block $_ is the error record, not the row
                try
                {
                  $OU = $row.OUName
                  # Resolve the target OU by name. The same OU name can exist in several places,
                  # so refuse to guess rather than create the group in the wrong container.
                  $ouObject = @(Get-ADOrganizationalUnit -LDAPFilter "(Name=$OU)")
                  if ($ouObject.Count -ne 1) {
                      throw "OU '$OU' matched $($ouObject.Count) objects; expected exactly one"
                  }
                  # -ErrorAction Stop turns the cmdlet's non-terminating errors (e.g. group exists) into catchable ones
                  New-ADGroup -Name $row.Name -Path $ouObject[0].DistinguishedName `
                  -GroupCategory Security -GroupScope Global `
                  -DisplayName $row.Name -Description $row.Description -ErrorAction Stop

                  # GroupList.txt is the input for the second script, so only successfully created groups are logged
                  $row.Name | Out-File -FilePath $logGroupsCreated -Append
                }
                catch [Microsoft.ActiveDirectory.Management.ADException]
                {
                    "GROUP CREATE: $($row.Name) - AD exception, group may already exist ($($_.Exception.Message))" | Out-File -FilePath $logErrors -Append
                }
                catch
                {
                    "GROUP CREATE: $($row.Name) - group creation failed: $($_.Exception.Message)" | Out-File -FilePath $logErrors -Append
                }

        } # End ForEach-Object
    }
    else
    {
    "FILE NOT FOUND: Please check the path to $csvFile file." | Out-File -FilePath $logErrors -Append
    Exit
    }

} # End of Create-Groups function
#------------------------------------------------------------------------------------------------------
Create-Groups $csvFileGroup $logListOfGroups $logErrorFile

The second script sets the managedBy property on every group listed in GroupList.txt (the groups created by the first script) and adds the ACE that actually lets the manager group edit the member list.


# Filename: Assign-GroupManager.ps1
# Date:     Jan, 2014
# Author:   Alex Dujakovic
# Description: PowerShell script to set managedBy property
#------------------------------------------------------------------------------------------------------
Import-Module ActiveDirectory
$manager = "AFL ManagerGroup"
# Log files, GroupList.txt is used as source file for group manager assignment
$logListOfGroups = "C:\Test\DelegateGroupManagement\GroupList.txt"
$logErrorFile = "C:\Test\DelegateGroupManagement\GroupError_Log.txt"
#------------------------------------------------------------------------------------------------------
Function Assign-GroupManager($groupList,$logErrors){

If(Test-Path -Path $groupList){
    $groups = Get-Content $groupList
}
else
{
    "FILE NOT FOUND: file $groupList has not been created." | Out-File -FilePath $logErrors -Append
    Exit
}

    $managerGroup = Get-ADGroup -Identity $manager
    $managedByDN  = $managerGroup.DistinguishedName

Function New-ADACE {
# Hey, Scripting Guy!
# http://blogs.technet.com/b/heyscriptingguy/archive/2010/02/12/hey-scripting-guy-february-12-2010.aspx
    Param(  [System.Security.Principal.IdentityReference]$identity,
            [System.DirectoryServices.ActiveDirectoryRights]$adRights,
            [System.Security.AccessControl.AccessControlType]$type,
            [GUID]$Guid)
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type,$guid)
    $ACE
}

# Create ACE to add to object.
# The trustee is the manager group's SID, so the script does not depend on the NetBIOS
# domain name (the original used the NTAccount "AlexTest\$manager").
$ID = [System.Security.Principal.SecurityIdentifier]$managerGroup.SID
# schemaIDGUID of the "member" attribute. Scoping the ACE to this GUID grants WriteProperty
# on the member list only, nothing else on the group; it is what the "Manager can update
# membership list" checkbox in ADUC sets.
$myGuid = [GUID]'BF9679C0-0DE6-11D0-A285-00AA003049E2'

$newAce = New-ADACE $ID "WriteProperty" "Allow" $myGuid

# Get Object DN
Foreach ($group In $groups){
     try
     { $errorActionPreference = "Stop"
        $DN = (Get-ADGroup -Identity $group).DistinguishedName
        $ADObject = [ADSI]"LDAP://$DN"
        # Set Access Entry on Object (this is what grants the right)
        $ADObject.psbase.ObjectSecurity.AddAccessRule($newAce)
        # Set the managedBy property (informational; grants nothing by itself)
        $ADObject.Put("managedBy",$managedByDN)
        # Commit changes to the backend
        $ADObject.psbase.commitchanges()
     }
     catch
     {
        "ASSIGN MANAGER: $group - failed to assign a manager: $($_.Exception.Message)" | Out-File -FilePath $logErrors -Append
     }
 }
} # End of Assign-GroupManager function
#------------------------------------------------------------------------------------------------------
Assign-GroupManager $logListOfGroups $logErrorFile
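The point made earlier, that managedBy is only a label and the ACE is the real grant, means the delegation has to be verified on the ACL, not on the Managed By tab. The following is an added example, not code from the original post: it lists every trustee that can change a group's member list (including trustees that hold it through broader rights such as Full Control), finds groups in an OU that are missing the manager ACE (groups created after the script ran, or whose ACL was reset), and reverses the delegation for one group. The names "AFL ManagerGroup" and "AFL ABC 01" come from the post; the search base DN and the domain suffix are assumptions.

```powershell
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute, the same GUID the delegation script uses
$memberGuid = [GUID]'BF9679C0-0DE6-11D0-A285-00AA003049E2'

# Lists every Allow ACE on a group that lets its trustee change the member list,
# whether through the narrow member-only WriteProperty ACE or a broader right.
Function Get-GroupMembershipWriters {
    Param([Parameter(Mandatory=$true)][string]$GroupName)

    $dn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        $broad  = $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                  $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericWrite)
        # WriteProperty with an empty ObjectType means "write all properties", which includes member
        $narrow = $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                  ($ace.ObjectType -eq [GUID]::Empty -or $ace.ObjectType -eq $memberGuid)
        if ($broad -or $narrow) {
            $scope = 'all properties / full control'
            if ($ace.ObjectType -eq $memberGuid) { $scope = 'member attribute only' }
            [PSCustomObject]@{
                Group     = $GroupName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $r
                Scope     = $scope
                Inherited = $ace.IsInherited   # inherited entries come from the OU, not from the script
            }
        }
    }
}

# Returns the names of groups under an OU that lack the explicit member-write ACE
# for the manager group (drift check).
Function Find-UndelegatedGroups {
    Param([Parameter(Mandatory=$true)][string]$SearchBase,
          [Parameter(Mandatory=$true)][string]$ManagerGroup)

    $managerSid = (Get-ADGroup -Identity $ManagerGroup).SID.Value
    Get-ADGroup -Filter * -SearchBase $SearchBase | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        # explicit ACEs only, trustees returned as SIDs so the comparison does not depend on name resolution
        $has = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
               Where-Object { $_.IdentityReference.Value -eq $managerSid -and
                              $_.ObjectType -eq $memberGuid -and
                              $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) }
        if (-not $has) { $_.Name }
    }
}

# Reverses the delegation script for one group: removes the manager's member ACE and clears managedBy.
Function Remove-GroupMembershipDelegation {
    [CmdletBinding(SupportsShouldProcess=$true)]
    Param([Parameter(Mandatory=$true)][string]$GroupName,
          [Parameter(Mandatory=$true)][string]$ManagerGroup)

    $managerSid = (Get-ADGroup -Identity $ManagerGroup).SID
    $dn   = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path
    # Build the exact rule the delegation script added so only that entry is removed
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $managerSid,
                ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
                ([System.Security.AccessControl.AccessControlType]::Allow), $memberGuid
    if ($PSCmdlet.ShouldProcess($GroupName, "remove member-write ACE for $ManagerGroup and clear managedBy")) {
        [void]$acl.RemoveAccessRuleSpecific($rule)
        Set-Acl -Path $path -AclObject $acl
        Set-ADGroup -Identity $GroupName -Clear managedBy
    }
}

# Usage (names from the post; the OU path 'OU=Warehouse,DC=AlexTest,DC=local' is assumed):
# Get-GroupMembershipWriters -GroupName 'AFL ABC 01' | Format-Table -AutoSize
# Find-UndelegatedGroups -SearchBase 'OU=Warehouse,DC=AlexTest,DC=local' -ManagerGroup 'AFL ManagerGroup'
# Remove-GroupMembershipDelegation -GroupName 'AFL ABC 01' -ManagerGroup 'AFL ManagerGroup' -WhatIf
```

Run Get-GroupMembershipWriters on a freshly delegated group and you should see the manager group with Scope "member attribute only" and Inherited false, next to the inherited entries for Domain Admins and similar. Any other trustee in that list can also edit membership, whatever the Managed By tab says. Because the ACE is explicit and per-group, groups created later in the same OU do not get it automatically; the drift check is what catches those.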

The third script imports a csv file and adds multiple users to multiple security groups.

The CSV file, named GroupsAndUsers.csv, has the following data:

GroupName,AccountName
AFL ABC 01,King.P
AFL ABC 01,Brown.J
AFL ABC 01,Plain.S
AFL DEF 02,Blue.C
AFL DEF 02,Workbench.S
AFL DEF 02,Brown.J
AFL GHI 03,Plain.S
AFL GHI 03,Blue.C
AFL GHI 03,Workbench.S
AFL JKL 04,Smith.A
AFL JKL 04,Blue.C
AFL MNO 05,Smith.A
AFL PQR 06,Blue.C
AFL STU 07,King.P
AFL VWX 08,Smith.A
AFL VWX 08,Brown.J
AFL VWX 08,Blue.C


# Filename: Add-GroupMembers.ps1
# Date:     Jan, 2014
# Author:   Alex Dujakovic
# Description: PowerShell script to add multiple members to multiple groups in AD
#------------------------------------------------------------------------------------------------------
Import-Module ActiveDirectory
# CSV files
$listOfGroupsAndMembers = "C:\Test\DelegateGroupManagement\GroupsAndUsers.csv"
$logErrorFile = "C:\Test\DelegateGroupManagement\GroupError_Log.txt"
#------------------------------------------------------------------------------------------------------
Function Add-GroupMembers($usersToAddAsMember,$logErrors){

If(Test-Path $usersToAddAsMember){
    $usersToAdd = Import-Csv $usersToAddAsMember
}
else
{
    "FILE NOT FOUND: Please check the path to $usersToAddAsMember file." | Out-File -FilePath $logErrors -Append
    Exit
}

Foreach($row in $usersToAdd){
    try
    {   $errorActionPreference = "Stop"
        # Resolve the user first so a missing user and a missing group produce distinct errors
        $user = Get-ADUser -Identity $row.AccountName
        Add-ADGroupMember -Identity $row.GroupName -Members $user
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]
    {
        "ADD USER: group $($row.GroupName) or user $($row.AccountName) does not exist ($($_.Exception.Message))" | Out-File -FilePath $logErrors -Append
    }
    catch [Microsoft.ActiveDirectory.Management.ADException]
    {
        "ADD USER: $($row.GroupName) already has a member $($row.AccountName) ($($_.Exception.Message))" | Out-File -FilePath $logErrors -Append
    }
    catch
    {
        "ADD USER: $($row.GroupName) / $($row.AccountName) - failed: $($_.Exception.Message)" | Out-File -FilePath $logErrors -Append
    }
 }
} # End of Add-GroupMembers function
#------------------------------------------------------------------------------------------------------
Add-GroupMembers $listOfGroupsAndMembers $logErrorFile
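The script above only ever adds members, and once the managers hold the member-write ACE the group contents will drift away from the csv. As an added example, not part of the original post, the function below treats GroupsAndUsers.csv as the desired state: it validates every account and group before touching AD, reports members the managers have added that are not in the file, and adds (or, with -RemoveExtras, removes) only the difference. It supports -WhatIf so the plan can be reviewed before anything changes. Column names and the csv path are the post's; the -RemoveExtras switch and the returned summary object are my own design.

```powershell
Import-Module ActiveDirectory

# Reconciles each group's direct membership against the rows in a GroupName,AccountName csv.
# Without -RemoveExtras, members not listed in the csv are only reported, never removed.
Function Sync-GroupMembersFromCsv {
    [CmdletBinding(SupportsShouldProcess=$true)]
    Param([Parameter(Mandatory=$true)][string]$CsvPath,
          [switch]$RemoveExtras)

    $rows = Import-Csv -Path $CsvPath

    # Validate every account first: one bad row should abort before any change is made
    $users = @{}
    foreach ($name in ($rows.AccountName | Sort-Object -Unique)) {
        $u = Get-ADUser -Filter { SamAccountName -eq $name }
        if (-not $u) { throw "AccountName '$name' not found; aborting before any change" }
        if (-not $u.Enabled) { Write-Warning "$name is a disabled account" }
        $users[$name] = $u
    }

    foreach ($grp in ($rows | Group-Object -Property GroupName)) {
        $groupName = $grp.Name
        $group = Get-ADGroup -Filter { Name -eq $groupName }
        if (-not $group) { throw "GroupName '$groupName' not found; aborting" }

        $wanted  = @($grp.Group.AccountName | Sort-Object -Unique)
        $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)

        $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
        $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })   # drift: added outside the csv

        foreach ($sam in $toAdd) {
            if ($PSCmdlet.ShouldProcess($group.Name, "add member $sam")) {
                Add-ADGroupMember -Identity $group -Members $users[$sam]
            }
        }
        foreach ($sam in $toRemove) {
            if ($RemoveExtras) {
                if ($PSCmdlet.ShouldProcess($group.Name, "remove member $sam")) {
                    Remove-ADGroupMember -Identity $group -Members $sam -Confirm:$false
                }
            } else {
                Write-Warning "$($group.Name): $sam is a member but is not in the csv"
            }
        }

        [PSCustomObject]@{ Group = $group.Name; Added = $toAdd.Count; Extra = $toRemove.Count }
    }
}

# Usage: review the plan first, then apply it
# Sync-GroupMembersFromCsv -CsvPath 'C:\Test\DelegateGroupManagement\GroupsAndUsers.csv' -WhatIf
# Sync-GroupMembersFromCsv -CsvPath 'C:\Test\DelegateGroupManagement\GroupsAndUsers.csv' | Format-Table
```

The "Extra" column is the interesting one after delegation: it is exactly the set of accounts the managers have added on their own, which is what you want to review periodically. Get-ADGroupMember returns direct members only, so a nested group shows up as one entry under its own sAMAccountName; expand it separately if you need the effective user list.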

All the above PowerShell functions could be combined into one PowerShell script. You can find this script in the download section, along with the functions described above and the csv files.

Now that you have done that, how do your domain users (managers/supervisors) manage group membership from their own computers? The answer (and possible solutions) will be described in part two of this blog.





Please note: Although the author has made every reasonable attempt to achieve complete accuracy of the content, he assumes no responsibility for errors or omissions. Also, you should use this information as you see fit, and at your own risk.
