I would like to programmatically allow a given security principal (user or group) in AD to have write permission to the member attribute on an AD group.

I'm assuming it would be of the form:

    $GroupObject = Get-ADGroup $group
    $ACL = Get-ACL AD:$GroupObject
    $ACE = New-Object System.Security.AccessControl.ActiveDirectoryAccessRule (
        $manager,
        ...
    )
    $ACL.AddAccessRule($ACE)
    Set-ACL -Path AD:$GroupObject -AclObject $ACL

What I'm unable to find is documentation on what else needs to go in the ... to make this work. Even diving in, doing it manually and inspecting the resultant ACL objects, is proving difficult!

ActiveDirectory module loaded in PowerShell, it's now complaining: New-Object : Cannot find type [System.Security.AccessControl.ActiveDirectoryAccessRule]: verify that the assembly containing this type is loaded. I have tried add-type -AssemblyName System.DirectoryServices to no avail. – Michele
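
One way to fill in the rule's remaining arguments, as an added example that is not part of the original question or comment: the rule type is `System.DirectoryServices.ActiveDirectoryAccessRule`, and the ACE is scoped to the `member` attribute by its schemaIDGUID. The group and principal names are hypothetical placeholders.

```powershell
# Added example, not the asker's code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Hypothetical names: substitute your own group and trustee.
$group   = 'Example-Group'
$manager = 'Example-Manager'

$GroupObject = Get-ADGroup -Identity $group
$path        = "AD:$($GroupObject.DistinguishedName)"

# Resolve the trustee (user or group) to its SID; the rule takes an IdentityReference.
$trustee = Get-ADObject -Filter "sAMAccountName -eq '$manager'" -Properties objectSid
if (-not $trustee) { throw "Principal '$manager' not found" }
$sid = $trustee.objectSid

# schemaIDGUID of the 'member' attribute: limits WriteProperty to that one attribute
# instead of granting write access to every property on the group.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$ACE = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

$ACL = Get-Acl -Path $path
$ACL.AddAccessRule($ACE)
Set-Acl -Path $path -AclObject $ACL

# Read the ACL back and list every explicit or inherited ACE that can write 'member',
# so the new delegation (and any older ones) can be reviewed.
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $memberGuid -and ($_.ActiveDirectoryRights -band $write) } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```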