Simple way to delegate Active Directory Group Membership Management

Hi All,

In a recent migration, I had the requirement to add members to an Active Directory group that controls a GPO linked to that AD group.

In other words, delegate group membership management to a service account that controls the migration.

The goal was to achieve this in the simplest form possible.

Demo

I’ve created an AD Group “G-DL-DemoManager” and added the user m.muster as Managed By (the managedBy AD attribute).

I’ve started PowerShell with “Run as different user”.

Logged in as “m.muster”, who is the Manager of the group.

I’ve tried to add group members with the following ActiveDirectory PowerShell module cmdlets:

# Prove which user is logged in
whoami

# Import ActiveDirectory PowerShell Module
Import-Module ActiveDirectory

# Get AD Group
Get-ADGroup -Identity G-DL-DemoManager

# Add AD Group Member (fails while the manager has no write permission on the member attribute)
Add-ADGroupMember -Identity G-DL-DemoManager -Members a.bohren

Now I enable “Manager can update membership list” on the group. The managedBy attribute alone is informational; this checkbox adds an ACE on the group object that grants the manager write permission on its member attribute.

This time, I am able to add AD group members:

# Add AD Group Member
Add-ADGroupMember -Identity G-DL-DemoManager -Members a.bohren

# Get AD Group Member
Get-ADGroupMember -Identity G-DL-DemoManager
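The checkbox above is just a convenient way to write one ACE. The following added example (not from the original post) audits a group for that exact permission, WriteProperty on the member attribute for the account in managedBy, and adds it when missing; it assumes the RSAT ActiveDirectory module, the group name from the post, and an account allowed to read and modify the group's security descriptor.

```powershell
Import-Module ActiveDirectory

# Group from the post; change as needed
$GroupName = 'G-DL-DemoManager'

$Group   = Get-ADGroup -Identity $GroupName -Properties managedBy
# managedBy holds a DN; it may point at a user or a group, so resolve it generically
$Manager = Get-ADObject -Identity $Group.managedBy -Properties objectSid, sAMAccountName
$ManagerSid = [System.Security.Principal.SecurityIdentifier]$Manager.objectSid

# schemaIDGUID of the 'member' attribute (well-known constant in the AD schema)
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Read the group's security descriptor through the AD: PSDrive
$GroupPath = 'AD:\' + $Group.DistinguishedName
$Acl = Get-Acl -Path $GroupPath

# Does the manager already hold an Allow WriteProperty ACE scoped to 'member'?
$Existing = $Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $MemberAttrGuid -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $ManagerSid
}

if ($Existing) {
    "$($Manager.sAMAccountName) can already update the membership of $GroupName"
} else {
    # Grant exactly what 'Manager can update membership list' grants:
    # Allow WriteProperty on the 'member' attribute only, nothing else on the object
    $Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $ManagerSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttrGuid
    )
    $Acl.AddAccessRule($Ace)
    Set-Acl -Path $GroupPath -AclObject $Acl
    "Granted WriteProperty on 'member' to $($Manager.sAMAccountName) for $GroupName"
}
```

Running only the audit part across all groups with a populated managedBy is a quick way to see which managers can actually change membership and which only appear in the attribute.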

Summary

I’ve shown you a simple way to delegate group membership management to a specific account. Hopefully this helps you in a similar situation.

Regards
Andres Bohren
