
Allow add/remove members in an AD group


By doing this programmatically you can give multiple users or groups the right to add or remove members of an AD group. If you do this in ADUC you can only grant that permission to the single user you set as ‘Managed by’.

With Powershell

# Grant one AD user the right to add/remove members of one AD group.
# Replace the [username] and [GroupName] placeholders before running.
$grantee = Get-ADUser -Identity [username]
$group = [GroupName]

# The object-type GUID is the schemaIDGUID of the 'member' attribute, so the ACE
# covers WriteProperty on group membership only, not on any other attribute.
$memberAttributeGuid = 'bf9679c0-0de6-11d0-a285-00aa003049e2'

$target = Get-ADGroup $group
# The AD: provider path is the group's distinguished name (the ADGroup object stringifies to it).
$acl = Get-Acl AD:$target
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList (
    $grantee.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttributeGuid,
    [DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($rule)
Set-Acl -Path AD:$target -AclObject $acl

With dsacls.exe

# Same delegation with dsacls.exe: /G grants the principal "WP" (write property) on the
# "member" attribute of the group identified by its distinguished name. Replace the DN
# and domain\UserName placeholders before running.
dsacls.exe "CN=GroupName,CN=Users,DC=Domain,DC=Local" /G "domain\UserName:WP;member"

PowerShell functions (to add to a module)

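function Set-ADGroupPermissions
{
  <#
      .SYNOPSIS
      Set special privilege in AD
      .DESCRIPTION
      Grants a user or a group a delegated privilege on a target AD group by adding
      an access control entry (ACE) to the target group's security descriptor.
      The privileges you can set in this version:
      - AddRemoveMembers: the user or group may change the members of the target AD
        group (WriteProperty on the 'member' attribute only, not on other attributes).
      Supports -WhatIf and -Confirm. The function ends by listing the current holders
      of the privilege so the caller can verify the change.
      .PARAMETER UserName
      Username (identity accepted by Get-ADUser) of the user to grant the privilege to.
      .PARAMETER GroupName
      Group name (identity accepted by Get-ADGroup) of the group to grant the privilege to.
      .PARAMETER TargetGroupName
      The group whose security descriptor is modified.
      .PARAMETER Privilege
      The privilege to grant; currently only AddRemoveMembers.
      .EXAMPLE
      Set-ADGroupPermissions -UserName [Username] -TargetGroupName [GroupName] -Privilege AddRemoveMembers
      .EXAMPLE
      Set-ADGroupPermissions -GroupName [Groupname] -TargetGroupName [GroupName] -Privilege AddRemoveMembers
      .NOTES
      Author: Stian Hammer Sæten
      Version: 1.0
      Delegating AddRemoveMembers on a privileged group effectively delegates that
      group's privileges, so review the target before granting. On groups protected
      by AdminSDHolder the ACE is expected to be overwritten by SDProp; verify that
      the entry persists after granting.
  #>

  [CmdletBinding(SupportsShouldProcess = $true)]
  param
  (
    [Parameter(Mandatory = $true, HelpMessage = 'Username for the user you will give permissions to', Position = 0, ParameterSetName = 'User')]
    [String]
    $UserName,

    [Parameter(Mandatory = $true, HelpMessage = 'Groupname for the group you will give permissions to', Position = 0, ParameterSetName = 'Group')]
    [String]
    $GroupName,

    [Parameter(Mandatory = $true, HelpMessage = 'The group you will set the permission on', Position = 1)]
    [String]
    $TargetGroupName,

    [Parameter(Mandatory = $true, HelpMessage = 'The permissions you will set', Position = 2)]
    [ValidateSet('AddRemoveMembers')]
    [String]
    $Privilege
  )

  # Map the friendly privilege name to the schemaIDGUID of the attribute the ACE is
  # scoped to. ValidateSet guarantees one of these branches runs.
  switch ($Privilege) {
    # schemaIDGUID of the 'member' attribute
    AddRemoveMembers { $GUID = 'bf9679c0-0de6-11d0-a285-00aa003049e2' }
  }

  # -ErrorAction Stop: a failed lookup must abort here instead of surfacing later as
  # an ACE built from a null SID.
  if ($PSCmdlet.ParameterSetName -eq 'User')
  {
    $ADobject = Get-ADUser -Identity $UserName -ErrorAction Stop
  }
  if ($PSCmdlet.ParameterSetName -eq 'Group')
  {
    $ADobject = Get-ADGroup -Identity $GroupName -ErrorAction Stop
  }

  $GroupObject = Get-ADGroup -Identity $TargetGroupName -ErrorAction Stop
  # The AD: provider path is the target's distinguished name (the ADGroup object stringifies to it).
  $ACL = Get-Acl -Path AD:$GroupObject
  $ACE = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList (
    $ADobject.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $GUID,
    # None: the ACE applies to the target group object itself and is not inherited by children.
    [DirectoryServices.ActiveDirectorySecurityInheritance]::None
  )
  $ACL.AddAccessRule($ACE)

  # The only write happens here, so -WhatIf/-Confirm gate exactly this call.
  if ($PSCmdlet.ShouldProcess($GroupObject.DistinguishedName, "Grant $Privilege to $($ADobject.SamAccountName)"))
  {
    Set-Acl -Path AD:$GroupObject -AclObject $ACL
  }

  # Echo the resulting holders of the privilege so the change can be verified.
  Get-ADGroupPermissions -TargetGroupName $TargetGroupName -Privilege $Privilege |
  Select-Object -Property @{
    Name       = 'Identity'
    Expression = {
      $_.IdentityReference
    }
  }, Privilege |
  Sort-Object -Property Identity
}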


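function Remove-ADGroupPermissions
{
  <#
      .SYNOPSIS
      Remove special privilege in AD
      .DESCRIPTION
      Revokes a delegated privilege that a user or a group holds on a target AD group
      by removing the matching access control entry (ACE) from the target group's
      security descriptor. The privileges you can remove in this version:
      - AddRemoveMembers: the user or group may change the members of the target AD
        group (WriteProperty on the 'member' attribute).
      Supports -WhatIf and -Confirm. A warning is written when no matching ACE exists,
      and the function ends by listing the remaining holders of the privilege.
      .PARAMETER UserName
      Username (identity accepted by Get-ADUser) of the user to revoke the privilege from.
      .PARAMETER GroupName
      Group name (identity accepted by Get-ADGroup) of the group to revoke the privilege from.
      .PARAMETER TargetGroupName
      The group whose security descriptor is modified.
      .PARAMETER Privilege
      The privilege to revoke; currently only AddRemoveMembers.
      .EXAMPLE
      Remove-ADGroupPermissions -UserName [Username] -TargetGroupName [GroupName] -Privilege AddRemoveMembers
      .EXAMPLE
      Remove-ADGroupPermissions -GroupName [Groupname] -TargetGroupName [GroupName] -Privilege AddRemoveMembers
      .NOTES
      Author: Stian Hammer Sæten
      Version: 1.0
      Only an explicit ACE on the target group is removed; access that comes from an
      ACE covering all attributes (for example GenericAll) or from an inherited entry
      is not touched by this function.
  #>

  [CmdletBinding(SupportsShouldProcess = $true)]
  param
  (
    [Parameter(Mandatory = $true, HelpMessage = 'Username for the user you will remove permissions from', Position = 0, ParameterSetName = 'User')]
    [String]
    $UserName,

    [Parameter(Mandatory = $true, HelpMessage = 'Groupname for the group you will remove permissions from', Position = 0, ParameterSetName = 'Group')]
    [String]
    $GroupName,

    [Parameter(Mandatory = $true, HelpMessage = 'The group you will remove the permission from', Position = 1)]
    [String]
    $TargetGroupName,

    [Parameter(Mandatory = $true, HelpMessage = 'The permissions you will remove', Position = 2)]
    [ValidateSet('AddRemoveMembers')]
    [String]
    $Privilege
  )

  # Map the friendly privilege name to the schemaIDGUID of the attribute the ACE is
  # scoped to. ValidateSet guarantees one of these branches runs.
  switch ($Privilege) {
    # schemaIDGUID of the 'member' attribute
    AddRemoveMembers { $GUID = 'bf9679c0-0de6-11d0-a285-00aa003049e2' }
  }

  # -ErrorAction Stop: a failed lookup must abort here instead of surfacing later as
  # an ACE built from a null SID.
  if ($PSCmdlet.ParameterSetName -eq 'User')
  {
    $ADobject = Get-ADUser -Identity $UserName -ErrorAction Stop
  }
  if ($PSCmdlet.ParameterSetName -eq 'Group')
  {
    $ADobject = Get-ADGroup -Identity $GroupName -ErrorAction Stop
  }

  $GroupObject = Get-ADGroup -Identity $TargetGroupName -ErrorAction Stop
  # The AD: provider path is the target's distinguished name (the ADGroup object stringifies to it).
  $ACL = Get-Acl -Path AD:$GroupObject
  # The rule must match the one Set-ADGroupPermissions creates (same SID, rights,
  # type, object type and inheritance) for RemoveAccessRule to find it.
  $ACE = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList (
    $ADobject.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $GUID,
    [DirectoryServices.ActiveDirectorySecurityInheritance]::None
  )

  # RemoveAccessRule returns a boolean; capture it so it does not leak into the
  # output stream ahead of the permission listing, and skip the write when no
  # matching ACE was present.
  $removed = $ACL.RemoveAccessRule($ACE)
  if (-not $removed)
  {
    Write-Warning -Message "No matching '$Privilege' ACE for '$($ADobject.SamAccountName)' found on '$TargetGroupName'; nothing removed."
  }
  elseif ($PSCmdlet.ShouldProcess($GroupObject.DistinguishedName, "Revoke $Privilege from $($ADobject.SamAccountName)"))
  {
    Set-Acl -Path AD:$GroupObject -AclObject $ACL
  }

  # Echo the remaining holders of the privilege so the change can be verified.
  Get-ADGroupPermissions -TargetGroupName $TargetGroupName -Privilege $Privilege |
  Select-Object -Property @{
    Name       = 'Identity'
    Expression = {
      $_.IdentityReference
    }
  }, Privilege |
  Sort-Object -Property Identity
}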


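function Get-ADGroupPermissions
{
  <#
      .SYNOPSIS
      Get special privilege in AD
      .DESCRIPTION
      Lists the access control entries (ACEs) on a target AD group that grant the
      requested privilege. The privileges you can get in this version:
      - AddRemoveMembers: Allow ACEs that include WriteProperty on the 'member'
        attribute, i.e. principals that may change the members of the AD group.
      Each returned object is the ACE with an added 'Privilege' property.
      .PARAMETER TargetGroupName
      The group whose security descriptor is read.
      .PARAMETER Privilege
      The privilege to look for; currently only AddRemoveMembers.
      .EXAMPLE
      Get-ADGroupPermissions -TargetGroupName [GroupName] -Privilege AddRemoveMembers
      .NOTES
      Author: Stian Hammer Sæten
      Version: 1.0
      Only ACEs scoped to the attribute are reported. ACEs that cover every attribute
      (for example GenericAll or GenericWrite) typically carry an empty ObjectType and
      are not listed, so this output is not the complete set of principals able to
      edit the group's membership.
  #>

  [CmdletBinding()]
  param
  (
    [Parameter(Mandatory = $true, HelpMessage = 'The group you will get the permission on', Position = 1)]
    [String]
    $TargetGroupName,

    [Parameter(Mandatory = $true, HelpMessage = 'The permissions you will get', Position = 2)]
    [ValidateSet('AddRemoveMembers')]
    [String]
    $Privilege
  )

  # Map the friendly privilege name to the schemaIDGUID of the attribute the ACE is
  # scoped to. ValidateSet guarantees one of these branches runs.
  switch ($Privilege) {
    # schemaIDGUID of the 'member' attribute
    AddRemoveMembers { $GUID = 'bf9679c0-0de6-11d0-a285-00aa003049e2' }
  }

  $GroupObject = Get-ADGroup -Identity $TargetGroupName -ErrorAction Stop
  # The AD: provider path is the target's distinguished name (the ADGroup object stringifies to it).
  $ACL = Get-Acl -Path AD:$GroupObject

  $WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
  $Allow = [System.Security.AccessControl.AccessControlType]::Allow

  # Matching on ObjectType alone would also report Deny ACEs and ACEs that only
  # grant ReadProperty on the same attribute; neither holds the privilege, so the
  # access type and the rights mask are checked as well.
  $ACL.Access |
  Where-Object -FilterScript {
    $_.ObjectType -eq $GUID -and
    $_.AccessControlType -eq $Allow -and
    ($_.ActiveDirectoryRights -band $WriteProperty) -eq $WriteProperty
  } |
  Select-Object -Property *, @{
    Name       = 'Privilege'
    Expression = {
      $Privilege
    }
  }
}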