Set or Clear "Manager can update membership list" Checkbox with VBScript
Provide the OU, and set or clear the checkbox on all managed groups within it
Introduction
This program checks or clears the "Manager can update membership list" check box for every group in the specified OU that has a manager assigned.
Background
I recently migrated a number of distribution groups from a child domain to its parent using the Active Directory Migration Tool. In the process, the check box permitting managers to modify group members was cleared. Manually opening every group, checking whether it was managed and then ticking the box was out of the question, so I began researching a way to script it. Using the code in a blog post by Arnout van der Vorst found here, I was able to create this program.
Using the Code
This program sets or clears the "Manager can update members" check box for every group in the OU specified. The OU is given as a distinguished name relative to the domain root: the script appends the domain's defaultNamingContext itself, so the dc= components are not included. Because the DN contains spaces (and, in the examples, an ampersand, which cmd.exe treats as a command separator), wrap it in double quotes on the command line. Under the hood the check box is an access control entry granting the manager Write Property on the group's member attribute only, identified by the attribute's schema GUID in the code; the script therefore builds an object-specific ACE rather than a blanket write permission.
Usage: cscript MngChkBox.vbs <Distinguished Name of OU> <1 or 0>
Example 1
cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales 1
This will set the checkbox.
Example 2
cscript MngChkBox.vbs ou=Distribution Groups,ou=Users & Groups,ou=Sales 0
This will clear it.
The Code
'MngChkBox.vbs
'Version 1.2
'By Robert Kirchhof
'Usage: cscript MngChkBox.vbs "<Distinguished Name of OU, relative to the domain root>" <1 or 0>
'Sets or clears the "Manager can update members" check box for every group in
'the OU specified.
'cscript MngChkBox.vbs "ou=Distribution Groups,ou=Users & Groups,ou=Sales" 1 will set
'the checkbox
'cscript MngChkBox.vbs "ou=Distribution Groups,ou=Users & Groups,ou=Sales" 0 will clear it.
'Quote the OU argument: it contains spaces, and cmd.exe treats an unquoted & as
'a command separator.
'strCompair = "DC=campus" 'Used to determine if the manager object is in a child domain;
'see the commented "Check which domain" block inside the processing loop.
'The line above is only needed when the management object (group or user) might be
'in another domain. For single-domain use, the WshNetwork.UserDomain lookup below
'sets the correct NetBIOS name automatically.
wscript.echo " "
wscript.echo " " 'Two line feeds for looks
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_ACEFLAG_INHERIT_ACE = &H00002
Const ADS_ACEFLAG_DONT_INHERIT_ACE = &H0
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H01
'Schema GUID of the "member" attribute. Scoping the ACE to this GUID grants the
'manager Write Property on membership only, not on every attribute of the group.
Const ADS_OBJECT_WRITE_MEMBERS = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
'===========================================================================
'==========================================================
' Check for required arguments.
'==========================================================
If (Wscript.Arguments.Count < 1) Then
    Wscript.Echo "Program Name: MngChkBox.vbs"
    WScript.Echo "Version: 1.2"
    WScript.Echo "Purpose: Set or Clear the 'Manager can update members'" & _
        " check box for every group in the OU specified."
    WScript.Echo "By Robert Kirchhof"
    Wscript.Echo " "
    WScript.Echo "Usage: cscript MngChkBox.vbs ""<Distinguished Name of OU>"" <1 or 0>"
    Wscript.Echo
    Wscript.Echo "cscript MngChkBox.vbs ""ou=Distribution Groups,ou=Users & Groups," & _
        "ou=Sales"" 1 will set the checkbox"
    Wscript.Echo "cscript MngChkBox.vbs ""ou=Distribution Groups,ou=Users & Groups," & _
        "ou=Sales"" 0 will clear it."
    Wscript.Echo
    Wscript.Echo "Required argument is missing. " _
        & "For example:" & vbCrLf _
        & "cscript MngChkBox.vbs ""ou=Distribution Groups,ou=Users & Groups," & _
        "ou=Sales"" 1"
    Wscript.Quit(1)
End If
If (Wscript.Arguments.Count < 2) Then
    Wscript.Echo "Required argument <set> is missing. " _
        & "For example:" & vbCrLf _
        & "cscript MngChkBox.vbs ""ou=Distribution Groups,ou=Users & Groups,ou=Sales"" 0"
    Wscript.Quit(1)
End If
If Not IsNumeric(WScript.Arguments(1)) Then
    Wscript.Echo "The second argument must be 1 (set) or 0 (clear)."
    Wscript.Quit(1)
End If
DN = WScript.Arguments(0) 'e.g. ou=Distribution Groups,ou=Users & Groups,ou=Sales
intEnabled = CInt(WScript.Arguments(1)) '1 for Checked, 0 for Not-Checked.
'CInt matters: WScript.Arguments returns strings, and in VBScript the string "0"
'does not compare equal to the number 0, so without it every run would set the box.
On Error Resume Next
'==========================================================
' Collect domain information
'==========================================================
Dim objRootDSE
Set objRootDSE = GetObject("LDAP://rootDSE")
strDomainController = objRootDSE.Get("dnsHostName") 'FQDN of the DC. Used to bind to each group.
'wscript.echo strDomainController
strDomain = objRootDSE.Get("defaultNamingContext") 'Distinguished Name of the domain.
'wscript.echo strDomain
strQuery = DN & "," & strDomain 'Full DN of the OU (the argument is relative to the domain root)
Set WshNetwork = WScript.CreateObject("WScript.Network")
strDomainNT4 = WshNetwork.UserDomain 'NetBIOS name of the logged-on user's domain
'wscript.echo strDomainNT4
Set objOU = GetObject("LDAP://" & strQuery)
If Err.Number <> 0 Then
    Wscript.Echo "Could not bind to LDAP://" & strQuery & ": " & Err.Description
    Wscript.Quit(1)
End If
objOU.Filter = Array("group")
'==========================================================
'Load the group names into an array.
'==========================================================
Dim arrGroups()
i = 0
For Each objEntry in objOU
    Redim Preserve arrGroups(i)
    arrGroups(i) = objEntry.Name 'RDN of the group, e.g. CN=Sales Team
    i = i + 1
Next
If i = 0 Then
    Wscript.Echo "No groups found in " & strQuery
    Wscript.Quit(0)
End If
'==========================================================
'Process each group
'==========================================================
For Each strCN in arrGroups
    strGroup = strCN & "," & strQuery 'DN of the group
    Err.Clear
    Set objGroup = GetObject("LDAP://" & strDomainController & "/" & strGroup)
    If Err.Number <> 0 Then
        wscript.echo "Could not bind to " & strGroup & ": " & Err.Description
        Err.Clear
    Else
        strManagedBy = Empty
        strManagedBy = objGroup.Get("managedBy") 'Raises an error (swallowed) when no manager is set
        Err.Clear
        If IsEmpty(strManagedBy) Then 'No manager object assigned.
            wscript.echo strCN & " has no manager."
        Else
            wscript.echo strCN & " is managed by " & strManagedBy
            '==========================================================
            'Check which domain the management object is in.
            '==========================================================
            'NOTE WshNetwork.UserDomain above already sets the correct
            'NetBIOS name for single-domain use of this program.
            'If InStr(strManagedBy, strCompair) > 0 Then
            'Checks strManagedBy for the presence of DC=Campus
            'strDomainNT4 = "campus" 'if found
            'Else
            'strDomainNT4 = "net" 'else it must be the parent domain
            'End If
            '===========================================================
            Set objSecurityDescriptor = objGroup.Get("ntSecurityDescriptor")
            Set objDACL = objSecurityDescriptor.DiscretionaryACL
            Set objManager = GetObject("LDAP://" & strManagedBy)
            strTrustee = strDomainNT4 & "\" & objManager.Get("sAMAccountName")
            If intEnabled = 0 Then 'Clear the check box: remove only the manager's write-members ACE
                For Each objACE in objDACL
                    If StrComp(objACE.Trustee, strTrustee, vbTextCompare) = 0 _
                        And objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT _
                        And StrComp(objACE.ObjectType, ADS_OBJECT_WRITE_MEMBERS, vbTextCompare) = 0 Then
                        objDACL.RemoveAce objACE
                        wscript.echo objACE.Trustee & " can NOT manage members of " & strCN
                    End If
                Next
            Else 'Check the check box: grant Write Property on the member attribute only
                Set objACE = CreateObject("AccessControlEntry")
                objACE.Trustee = strTrustee
                objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
                objACE.AceFlags = ADS_ACEFLAG_DONT_INHERIT_ACE
                objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
                objACE.ObjectType = ADS_OBJECT_WRITE_MEMBERS
                objDACL.AddAce objACE
                wscript.echo objACE.Trustee & " can now manage members of " & strCN
            End If
            objSecurityDescriptor.DiscretionaryACL = objDACL
            objGroup.Put "ntSecurityDescriptor", Array(objSecurityDescriptor)
            objGroup.SetInfo
            If Err.Number <> 0 Then 'e.g. the caller lacks Write DACL on the group
                wscript.echo "Failed to update " & strCN & ": " & Err.Description
                Err.Clear
            End If
        End If
    End If
    WScript.Echo " " 'Blank line feed
Next
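As an added example (not part of the original article or its script), the same check box audited from PowerShell with the RSAT ActiveDirectory module: for every group in an OU it reports whether the manager holds the member-scoped Write Property ACE, flags managers whose write access is broader than the check box grants, and with -Fix adds the scoped ACE where it is missing. The module, its AD: drive and the OU DN are assumptions.

```powershell
# Added example, not part of the original article: audit (and optionally repair) the
# "Manager can update membership list" ACE with the RSAT ActiveDirectory module.
# Assumes the module is installed and provides the AD: drive; the OU DN is a placeholder.
Import-Module ActiveDirectory

# Schema GUID of the "member" attribute, the same value the VBScript uses.
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Test-ManagerCanUpdateMembers {
    param([Parameter(Mandatory)][string]$OU, [switch]$Fix)
    Get-ADGroup -SearchBase $OU -Filter * -Properties managedBy | ForEach-Object {
        $group = $_
        if (-not $group.managedBy) {
            return [pscustomobject]@{ Group = $group.Name; Manager = $null; State = 'NoManager' }
        }
        $mgr = Get-ADObject -Identity $group.managedBy -Properties objectSid
        $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
        # Allow ACEs for the manager that carry WriteProperty (GenericWrite/GenericAll include it).
        $rules = $acl.Access | Where-Object {
            $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
            $_.AccessControlType -eq 'Allow' -and $sid -eq $mgr.objectSid.Value -and
            ([int]($_.ActiveDirectoryRights -band $writeProp) -ne 0)
        }
        # Exactly what the check box grants: WriteProperty scoped to "member".
        $scoped = $rules | Where-Object { $_.ObjectType -eq $memberGuid }
        # Broader than the check box: WriteProperty on every attribute (ObjectType = empty GUID).
        $broad  = $rules | Where-Object { $_.ObjectType -eq [guid]::Empty }
        $state = if ($scoped) { 'Checked' } elseif ($broad) { 'OverBroad' } else { 'Unchecked' }
        if ($state -eq 'Unchecked' -and $Fix) {
            $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $mgr.objectSid, $writeProp,
                [System.Security.AccessControl.AccessControlType]::Allow, $memberGuid)
            $acl.AddAccessRule($rule)
            Set-Acl -Path "AD:\$($group.DistinguishedName)" -AclObject $acl
            $state = 'Fixed'
        }
        [pscustomobject]@{ Group = $group.Name; Manager = $mgr.Name; State = $state }
    }
}

# Report only; add -Fix to grant the member-scoped ACE where it is missing.
Test-ManagerCanUpdateMembers -OU 'OU=Distribution Groups,OU=Sales,DC=example,DC=com' |
    Format-Table -AutoSize
```

Run the report first and review any OverBroad rows: those managers can already write every attribute of the group, which is more than the check box ever grants.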
History
- 28th August, 2008: Initial post