Set permissions on properties in Active Directory (Write Members in ACL) (Shared mailbox management)

This was one of the trickier tasks to accomplish. The first steps in creating the shared mailbox is not hard, just create the user (disabled) and groups (access group and owner group). But to delegate control of one the groups to the other is another thing. (setting the ManagedBy-attribute is not enough, you need the user(s) to be able to update the membership list aswell. In the GUI this setting is called “Manager can update membership list” which is a tickbox that actually just sets the “write” permission on the “Members” property.

I wrote a function for doing this, which is far from complete, but since it works well for us I thought I should share it.

The usual disclaimer is needed here:
Please make sure you test this before running it production! I have only tested this code for setting the write permission (allow/deny) on the Members property on Groups, nothing else!

When I get the time I will try to expand this to setting access rights on OUs etc. aswell, which would make automated delegation a lot easier. (And pipeline support etc…)

In the meantime, just take it for what it is πŸ™‚

An example on how to use the function is:

Add-ADGroupPropertyPermission -ADObject TheMailboxAccessGroup -MasterObject TheMailboxOwnerGroup -AccessRight WriteProperty -AccessRule Allow -Property Member

And you are done!

The code is available here.

6 thoughts on “Set permissions on properties in Active Directory (Write Members in ACL) (Shared mailbox management)

  1. Pingback: Specifying a single domain controller while keeping redundancy in a PowerShell script | DollarUnderscore

    1. Dhiepiga 1995

      Hi when i tried this code im getting this error “Add-ADGroupPropertyPermission : The term ‘Add-ADGroupPropertyPermission’ is not
      recognized as the name of a cmdlet, function, script file, or operable program.
      Check the spelling of the name, or if a path was included, verify that the path is
      correct and try again.”
      Please give solution for this

  2. James

    This works great! We had set our AD Admin group deny permissions on a slew of groups that required approvals to prevent those groups from being added during user copies. This will save my team at least an hour or more of very tedious work.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.