Reputation: 68
I would like to programmatically allow a given security principal (user or group) in AD to have write permission to the member attribute on an AD group.
I'm assuming it would be of the form:
$GroupObject = Get-ADGroup $group
$ACL = Get-ACL AD:$GroupObject
$ACE = New-Object System.Security.AccessControl.ActiveDirectoryAccessRule (
$manager,
...
)
$ACL.AddAccessRule($ACE)
Set-ACL -Path AD:$GroupObject -AclObject $ACL
What I'm unable to find is documentation on what else needs to go in the ... to make this work. Even doing it manually and inspecting the resultant ACL objects is proving difficult!
Upvotes: 5
Views: 9531
Reputation: 41008
You'd use this constructor for ActiveDirectoryAccessRule: https://msdn.microsoft.com/en-us/library/cawwkf0x(v=vs.110).aspx
It should look something like this:
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$manager.SID,                                                        # identity: the principal's SID, not its name
[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,     # right: write a property
[System.Security.AccessControl.AccessControlType]::Allow,            # allow (not deny)
"bf9679c0-0de6-11d0-a285-00aa003049e2",                              # objectType: schema GUID of the member attribute
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # inheritance scope
)
Note that you need to pass the SID of the user ($manager.SID).
The mysterious GUID is the GUID of the member attribute. You can find that by looking at the Microsoft documentation for the attributes. This is the page for member, where you can find the "System-Id-Guid": https://msdn.microsoft.com/en-us/library/ms677097(v=vs.85).aspx
Upvotes: 6
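The full delegation, as an added example that is not part of the question or the answer above: it builds the ACE the answer describes, skips the change if an equivalent ACE is already present, writes it back with Set-Acl, and then re-reads the ACL so you can confirm exactly who can now write the member attribute. The group name, the principal name and the use of Get-ADGroup for the principal (use Get-ADUser for a user) are assumptions; the member attribute GUID is the one from the answer. Inheritance is set to None rather than All because a group object has no child objects, so a narrower scope grants the same effective right.

```powershell
# Added example: delegate write access to the 'member' attribute of one group.
# Assumes the ActiveDirectory module (which provides the AD: drive) and that the
# caller is allowed to modify the group's security descriptor.
Import-Module ActiveDirectory

# Schema GUID of the 'member' attribute (System-Id-Guid from the attribute docs).
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Grant-GroupMemberWrite {
    param(
        [Parameter(Mandatory)][string]$GroupName,      # group whose membership is delegated
        [Parameter(Mandatory)][string]$PrincipalName   # user or group receiving the right
    )

    $group   = Get-ADGroup -Identity $GroupName
    $manager = Get-ADGroup -Identity $PrincipalName    # swap for Get-ADUser if the principal is a user
    $aclPath = "AD:\$($group.DistinguishedName)"

    $acl = Get-Acl -Path $aclPath

    # Idempotency check: is there already an Allow/WriteProperty ACE for this
    # principal on the member attribute? Get-Acl returns NTAccount references,
    # so translate them to SIDs before comparing.
    $existing = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $MemberAttributeGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $manager.SID
    }
    if ($existing) {
        Write-Verbose "ACE already present for $PrincipalName on $GroupName; nothing to do."
        return
    }

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $manager.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None  # group objects have no children
    )

    $acl.AddAccessRule($ace)
    Set-Acl -Path $aclPath -AclObject $acl
}

function Get-GroupMemberWriters {
    # Lists every ACE on the group that is scoped to the member attribute, which
    # is what you would review to confirm the delegation (and spot stray ones).
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName
    (Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
        Where-Object { $_.ObjectType -eq $MemberAttributeGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}

# Usage with placeholder names (replace with your own):
Grant-GroupMemberWrite -GroupName 'App-Admins' -PrincipalName 'App-Owners' -Verbose
Get-GroupMemberWriters -GroupName 'App-Admins' | Format-Table -AutoSize
```

The verification step matters as much as the grant: because WriteProperty on member lets the delegate add anyone to the group, the ACL review in Get-GroupMemberWriters is the check to run periodically (and to alert on) so that delegation stays limited to the principals you intended.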