
Set or Clear "Manager can update membership list" Checkbox with VBScript

Robert Kirchhof, 28 Aug 2008, CPOL
Provide the OU, and set or clear the checkbox on all managed groups within it

Introduction

This program checks or un-checks the "Manager can update membership list" check box for every group contained in the OU specified (if there's a manager assigned).

Background

I recently migrated a bunch of distribution groups from a child domain to its parent using the Active Directory Migration Tool. In the process, the check box permitting managers to modify group members was cleared. Manually opening every group, checking whether it was managed and then ticking the box was out of the question, so I began researching a way to script it. Using the code in a blog by Arnout van der Vorst found here, I was able to create this program.

Using the Code

This program sets or clears the "Manager can update members" check box for every group in the OU specified.

Usage: cscript MngChkBox.vbs "<Distinguished Name of OU>" <1 or 0>

The OU is given relative to the domain root (the script appends the domain's defaultNamingContext itself), and it must be quoted on the command line because it contains spaces and an ampersand.

Example 1

cscript MngChkBox.vbs "ou=Distribution Groups,ou=Users & Groups,ou=Sales" 1

This will set the checkbox.

Example 2

cscript MngChkBox.vbs "ou=Distribution Groups,ou=Users & Groups,ou=Sales" 0

This will clear it.

The Code

'MngChkBox.vbs
'Version 1.2
'By Robert Kirchhof

'Usage: cscript MngChkBox.vbs "<distinguished name of OU>" <1 or 0>
'Sets or Clears the "Manager can update members" check box for every group in
'the OU specified. The OU is relative to the domain root (the script appends the
'domain's defaultNamingContext) and must be quoted because it contains spaces and "&".
'cscript MngChkBox.vbs "ou=Distribution Groups,ou=Users & Groups,ou=Sales" 1 will set
'the checkbox
'cscript MngChkBox.vbs "ou=Distribution Groups,ou=Users & Groups,ou=Sales" 0 will clear it.
'strCompair = "DC=campus" 'Used to determine if Manager object is in a child domain.
'See the "Check which Domain the management object is in" section below.
'The line above is only needed when the management object (Group or User) might be in
'another domain. For single-domain use, strDomainNT4 (taken from WshNetwork.UserDomain
'below) is already the correct NetBIOS name.

WScript.Echo " "
WScript.Echo " " 'Two line feeds for looks
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_ACEFLAG_INHERIT_ACE = &H00002
Const ADS_ACEFLAG_DONT_INHERIT_ACE = &H0

Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H01
'Schema GUID of the "member" attribute. An allow ACE granting WRITE_PROP on this
'object type is exactly what the "Manager can update membership list" box represents.
Const ADS_OBJECT_WRITE_MEMBERS = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
'===========================================================================
On Error Resume Next
'==========================================================
' Check for required arguments.
'==========================================================
If (WScript.Arguments.Count < 1) Then
    WScript.Echo "Program Name:    MngChkBox.vbs"
    WScript.Echo "Version:    1.2"
    WScript.Echo "Purpose:    Set or Clear the 'Manager can update members' " & _
                 "check box for every group in the OU specified."
    WScript.Echo "By Robert Kirchhof"
    WScript.Echo " "
    WScript.Echo "Usage: cscript MngChkBox.vbs ""<distinguished name of OU>"" <1 or 0>"
    WScript.Echo
    WScript.Echo "cscript MngChkBox.vbs ""ou=Distribution Groups,ou=Users & Groups," & _
                 "ou=Sales"" 1 will set the checkbox"
    WScript.Echo "cscript MngChkBox.vbs ""ou=Distribution Groups,ou=Users & Groups," & _
                 "ou=Sales"" 0 will clear it."
    WScript.Echo
    WScript.Echo "Required argument <distinguished name of OU> is missing. " _
        & "For example:" & vbCrLf _
        & "cscript MngChkBox.vbs ""ou=Distribution Groups,ou=Users & Groups," _
        & "ou=Sales"" 1"
    WScript.Quit(1)
End If
If (WScript.Arguments.Count < 2) Then
    WScript.Echo "Required argument <1 or 0> is missing. " _
        & "For example:" & vbCrLf _
        & "cscript MngChkBox.vbs ""ou=Distribution Groups,ou=Users & Groups," _
        & "ou=Sales"" 0"
    WScript.Quit(1)
End If
DN = WScript.Arguments(0) 'ou=Distribution Groups,ou=Users & Groups,ou=Sales
'The argument arrives as a string; CInt makes the numeric comparison below reliable.
intEnabled = CInt(WScript.Arguments(1)) '1 for Checked, 0 for Not-Checked.
'==========================================================
' Collect domain information
'==========================================================
Dim objRootDSE
Set objRootDSE = GetObject("LDAP://rootDSE")
strDomainController = objRootDSE.Get("dnsHostName") 'FQDN of DC. Used to bind to group.
'WScript.Echo strDomainController
strDomain = objRootDSE.Get("defaultNamingContext")  'Distinguished Name of Domain.
'WScript.Echo strDomain
strQuery = DN & "," & strDomain
Set WshNetwork = WScript.CreateObject("WScript.Network")
strDomainNT4 = WshNetwork.UserDomain 'NetBIOS name of the logged on user's Domain
'WScript.Echo strDomainNT4
Set objOU = GetObject("LDAP://" & strQuery)
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to LDAP://" & strQuery & " (" & Err.Description & ")"
    WScript.Quit(1)
End If
objOU.Filter = Array("group")
'==========================================================
'Load Group names into an array, so the OU enumeration is finished before any
'group's security descriptor is modified.
'==========================================================
Dim arrGroups()
i = 0
For Each objUser In objOU
    strLine = objUser.Name
    ReDim Preserve arrGroups(i)
    arrGroups(i) = strLine
    i = i + 1
Next
If i = 0 Then
    WScript.Echo "No groups found in " & strQuery
    WScript.Quit(0)
End If
'==========================================================
'Process each element
'==========================================================
For Each strLine In arrGroups
    Err.Clear
    strCN = strLine 'Sets strCN to name of group
    strGroup = strCN & "," & strQuery 'builds DN of Group
    Set objGroup = GetObject("LDAP://" & strDomainController & "/" & strGroup)
    strManagedBy = objGroup.managedBy 'objGroup.Get("managedBy") 'get managed by

    If IsEmpty(strManagedBy) = False Then 'It isn't empty?
        WScript.Echo strCN & " is managed by " & strManagedBy 'Yes we have a manager object.
        '==========================================================
        'Check which Domain the management object is in.
        '==========================================================
        'NOTE strDomainNT4 (from WshNetwork.UserDomain above) is already the correct
        'NetBIOS name for single-domain applications of this program.
        'If InStr(strManagedBy, strCompair) > 0 Then
        '    'Checks strManagedBy for the presence of DC=Campus
        '    strDomainNT4 = "campus" 'if found
        'Else
        '    strDomainNT4 = "net"    'else must be
        'End If
        '===========================================================
        Set objSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
        Set objDACL = objSecurityDescriptor.DiscretionaryACL
        Set objUser = GetObject("LDAP://" & objGroup.Get("managedBy"))
        strSam = objUser.Get("sAMAccountName")

        If intEnabled = 0 Then 'clear the check box
            'Remove only the manager's ACE for the "member" attribute. Comparing the
            'whole account name after the backslash, and the ACE's object type, avoids
            'stripping unrelated ACEs from trustees whose name merely contains the
            'manager's (e.g. "bob" vs "bobby") or rights other than member updates.
            For Each objACE In objDACL
                strTrustee = objACE.Trustee
                strAccount = Mid(strTrustee, InStrRev(strTrustee, "\") + 1)
                If StrComp(strAccount, strSam, vbTextCompare) = 0 And _
                   StrComp(objACE.ObjectType, ADS_OBJECT_WRITE_MEMBERS, vbTextCompare) = 0 Then
                    objDACL.RemoveAce objACE
                    WScript.Echo strTrustee & " Can NOT manage users in " & strCN
                End If
            Next
        Else 'Checks the check box
            Set objACE = CreateObject("AccessControlEntry")
            objACE.Trustee = strDomainNT4 & "\" & strSam
            WScript.Echo objACE.Trustee & " Can now manage users in " & strCN
            objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
            objACE.AceFlags = ADS_ACEFLAG_DONT_INHERIT_ACE
            objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
            objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
            objACE.ObjectType = ADS_OBJECT_WRITE_MEMBERS
            objDACL.AddAce objACE
        End If

        objSecurityDescriptor.DiscretionaryACL = objDACL
        objGroup.Put "ntSecurityDescriptor", Array(objSecurityDescriptor)
        objGroup.SetInfo
        If Err.Number <> 0 Then
            WScript.Echo "Error while processing " & strCN & ": " & Err.Description
            Err.Clear
        End If
    Else 'No manager object assigned.
        WScript.Echo strCN & " has no manager."
    End If
    WScript.Echo " " 'Blank line feed
Next
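As an added audit companion to the script above (this is not the article's code), the following PowerShell reports, for every group in an OU, whether the manager named in managedBy actually holds the ACE the check box represents, so a run can be verified before and after. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder OU path.

```powershell
# Added example, not part of the original article. For each group in $OU, report whether
# the managedBy principal holds an Allow ACE for WriteProperty on the "member" attribute
# (schema GUID bf9679c0-0de6-11d0-a285-00aa003049e2), i.e. the state of the
# "Manager can update membership list" check box. Broader grants (GenericAll etc.) are
# deliberately not counted; only the specific ACE the box writes is matched.
Import-Module ActiveDirectory

$OU = 'OU=Distribution Groups,OU=Users & Groups,OU=Sales,DC=example,DC=com'  # placeholder DN
$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Test-ManagerCanUpdateMembers {
    # $Group must have been fetched with the managedBy and nTSecurityDescriptor properties.
    param([Parameter(Mandatory)] $Group)
    if (-not $Group.managedBy) { return $null }   # no manager: the box is not applicable
    $managerSid = (Get-ADObject -Identity $Group.managedBy -Properties objectSid).objectSid
    foreach ($ace in $Group.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ObjectType -ne $MemberAttrGuid) { continue }   # only the member-attribute ACE
        if (-not ($ace.ActiveDirectoryRights -band 'WriteProperty')) { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # orphaned or untranslatable trustee cannot be the manager
        if ($aceSid -eq $managerSid) { return $true }
    }
    return $false   # manager assigned, but no matching ACE: the box is cleared
}

Get-ADGroup -SearchBase $OU -Filter * -Properties managedBy, nTSecurityDescriptor |
    ForEach-Object {
        $state = Test-ManagerCanUpdateMembers -Group $_
        $label = if ($null -eq $state) { 'n/a (no manager)' } else { $state }
        [pscustomobject]@{
            Group     = $_.Name
            ManagedBy = $_.managedBy
            CanUpdate = $label
        }
    } | Format-Table -AutoSize
```

Running it once before and once after MngChkBox.vbs gives a per-group diff of the ACE state, which is also a quick way to spot groups where the flag was granted to someone other than the current manager.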

History

  • 28th August, 2008: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Robert Kirchhof
Network Administrator, Non-Profit Christian organization
United States
I'm currently responsible for our network's 12 Domain Controllers, Active Directory, DHCP, and DNS inside and out.

Comments and Discussions

My vote of 5 - Robert Kirchhof, 7-Nov-11 12:10
My vote of 5 - Ducatista, 4-Jan-11 18:44
struggling for days trying to get powershell to do this, awesome!
Apply to all - Member 470562319-Oct-09 8:19

Last Updated 28 Aug 2008
Article Copyright 2008 by Robert Kirchhof
Everything else Copyright © CodeProject, 1999-2014