Removing group from user's MemberOf -versus- removing user from group

  • Question

  • Say you have two separate admin groups. One manages groups and one users, and they do not have cross-permissions on each other's objects.

    A member of the user-managers wants to remove all of a user's groups using PowerShell. He can successfully manually access the user's AD object and remove the groups (because he has permissions to the user). But I am unable to write a script to automate this because it appears the commands you'd use perform two steps: query the user for his group memberships and then remove the user from that group--an action against the group (such as Remove-ADPrincipalGroupMembership or Remove-ADGroupMember).

    Is there some way to target the user object for MemberOf removals rather than targeting the group object?


    Tony Auby


    • Edited by TonyAuby Thursday, April 28, 2016 5:10 PM typo
    Thursday, April 28, 2016 5:10 PM

Answers

  • That is correct.

    You can easily delegate all management to anyone without making them an administrator by adding the user to the "Account Operators" group.

    You can assign a manager to a group using the GUI and they will be able to manage the users in the group.


    \_(ツ)_/

    • Marked as answer by TonyAuby Thursday, April 28, 2016 6:18 PM
    Thursday, April 28, 2016 6:12 PM

All replies

  • Make the manager on the group and the user and check the box "Manager can update membership list". This is not a PowerShell issue; it is just an ADUC task. You can do it with PowerShell, but assigning the permission is easier by just checking the box.


    \_(ツ)_/

    Thursday, April 28, 2016 5:23 PM
  • The solution cannot make changes to the AD objects in any way. This is a large corp, and if I explained the details you'd understand.

    That being the case, I know I can update various properties of a user object with PS commands (Set-ADUser, etc.). But you are saying there is no Set-ADUserGroups, or any .NET class I can use, etc., that does not require me to have permissions to the group object?

    And yet, I can go to the user object in AD and remove the same groups I do not have permissions to.

    I know this is probably related to the nature of the linked value 'group membership', etc., so I could understand if this is the case.


    Tony Auby


    • Edited by TonyAuby Thursday, April 28, 2016 6:12 PM add sentence
    Thursday, April 28, 2016 6:08 PM
  • The PowerShell cmdlets cannot modify the memberOf attribute directly, because it is a back linked attribute. The corresponding forward linked attribute is the member attribute of the group object. In fact, the memberOf attribute value is technically not saved in AD. Instead, a link table refers the memberOf values to the corresponding member attributes of the groups.

    If a person has permissions to modify user objects, but not group objects, I would suspect that this person would be unable to modify the user group memberships. This is because doing so requires updating the member attribute of the corresponding group. I assume you see that such users can modify the user group membership in ADUC. I have not tested this. But if that is the case, ADUC must be doing something special to allow someone to modify a user group membership when the person does not have permissions to modify the corresponding groups. This does not mean that it can be done in PowerShell. The PowerShell AD cmdlets cannot modify back linked attributes, like memberOf, directly. But this seems to be an unusual situation (where a person has permissions to modify the user but not the groups). I have never tested your situation (other than to verify that the AD cmdlets cannot modify back linked attributes).

    Wiki article describing what I have tested linked here:

    http://social.technet.microsoft.com/wiki/contents/articles/33495.powershell-ad-module-cmdlets-cannot-clear-add-remove-or-replace-back-link-attributes.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, April 28, 2016 6:24 PM
    Moderator
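To make the mechanics Richard describes concrete, here is an added example (not code from the thread, the wiki article, or Microsoft): it reads the user's memberOf back link and then performs each removal as a write against the group's member attribute with Remove-ADGroupMember, reporting per group whether that write was permitted. The sAMAccountName is supplied by the caller and the script assumes the ActiveDirectory module is available.

```powershell
# Added example: enumerate a user's memberOf and remove each membership.
# memberOf is a back link computed from each group's member attribute, so the
# user object is only read here; every removal is a write to a group object,
# which is why rights on the user alone are not enough for this to succeed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName   # e.g. a constructed 'jdoe'
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties memberOf
# Note: memberOf never lists the primary group (primaryGroupID), so it is untouched.
$results = foreach ($groupDn in $user.memberOf) {
    if ($PSCmdlet.ShouldProcess($groupDn, "Remove $($user.DistinguishedName) from member")) {
        try {
            Remove-ADGroupMember -Identity $groupDn -Members $user.DistinguishedName -Confirm:$false
            [pscustomobject]@{ Group = $groupDn; Result = 'Removed' }
        } catch {
            # Access denied here means the caller lacks write access to the group's
            # member attribute; delegation on the user object does not grant it.
            [pscustomobject]@{ Group = $groupDn; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}
$results | Format-Table -AutoSize
```

Run it with -WhatIf first to list the group writes that would be attempted without changing anything.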