sean-m · September 9, 2016 23:01
diff --git a/Check_Group_Managers.ps1 b/Check_Group_Managers.ps1
 <#
    This script will show who is listed as a group manager and who has
    rights to modify the group members. Just populate the $groupNames
    list with group names, wildcards are allowed.
 #>
 $groupNames = @(
 "Some Group Name"
 )


 # Resolve site-local domain controller
 if ([String]::IsNullOrEmpty($domain_controller)) {
    $global:domain_controller = ""
    $ad_site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $tries = 0
    $check_again = $true
    while ($check_again) {
        $dc = $null
        if ($ad_site) {
            $dc = Get-ADDomainController -Discover -ForceDiscover -SiteName $ad_site
            $domain_controller = $dc.HostName[0].ToString()
        }
        else {
            $dc = Get-ADDomainController -Discover -ForceDiscover
            $domain_controller = $dc.HostName[0].ToString()
        }
        $check = [ADSI]"LDAP://$domain_controller/$($dc.DefaultPartition)"
        $check_again = -not [bool]$($check)
    
        $tries++
        if ($tries -eq 5) { throw "Can't find responding domain controller after 5 tries!" }
    }
 }

 $grps = @($groupNames | % { Get-ADGroup -Server $domain_controller -Properties managedBy,msExchCoManagedByLink -Filter {Name -like $_}})

 foreach ($group in $grps) {
    $gdn = $group.DistinguishedName

    $grp = [ADSI]"LDAP://$domain_controller/$gdn"

    # Check acl for group member managers
    $mgr_rule_idrefs = @($grp.get_ObjectSecurity().Access | ? {`
                   -not $_.IsInherited `
                   -and $_.ActiveDirectoryRights -eq "WriteProperty" `
                   -and $_.AccessControlType -eq "Allow" `
                   -and $_.ObjectType -eq "bf9679c0-0de6-11d0-a285-00aa003049e2" })
                   

    if ((-not [String]::IsNullOrEmpty($group.ManagedBy)) -or
        [bool]($group.msExchCoManagedByLink)) {
        
        Write-Host "Checking managers for group: $($group.Name)" -ForegroundColor Cyan
        $cur_primary_manager = $group.ManagedBy
        $cur_co_managers = @($group.msExchCoManagedByLink)

        ""
        "Current primary manager:  $cur_primary_manager"
        "Co-Managers:  $($cur_co_managers | FT -a | Out-String)"
        ""
        "Managers with rights:`n$($mgr_rule_idrefs | % { $_.IdentityReference.ToString() } | FT -a | Out-String)"
        
        # Clear variables
        clv "cur_primary_manager"
        clv "cur_co_managers"
        clv "mgr_rule_idrefs"
    }
    else {
        Write-Host "No Manager: $($group.Name)" -ForegroundColor Yellow
    }
    
    "`n"
 }
	<#
	This script will show who is listed as a group manager and who has
	rights to modify the group members. Just populate the $groupNames
	list with group names, wildcards are allowed.
	#>
	$groupNames = @(
	"Some Group Name"
	)


	# Resolve site-local domain controller
	if ([String]::IsNullOrEmpty($domain_controller)) {
	$global:domain_controller = ""
	$ad_site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
	$tries = 0
	$check_again = $true
	while ($check_again) {
	$dc = $null
	if ($ad_site) {
	$dc = Get-ADDomainController -Discover -ForceDiscover -SiteName $ad_site
	$domain_controller = $dc.HostName[0].ToString()
	}
	else {
	$dc = Get-ADDomainController -Discover -ForceDiscover
	$domain_controller = $dc.HostName[0].ToString()
	}
	$check = [ADSI]"LDAP://$domain_controller/$($dc.DefaultPartition)"
	$check_again = -not [bool]$($check)

	$tries++
	if ($tries -eq 5) { throw "Can't find responding domain controller after 5 tries!" }
	}
	}

	$grps = @($groupNames \| % { Get-ADGroup -Server $domain_controller -Properties managedBy,msExchCoManagedByLink -Filter {Name -like $_}})

	foreach ($group in $grps) {
	$gdn = $group.DistinguishedName

	$grp = [ADSI]"LDAP://$domain_controller/$gdn"

	# Check acl for group member managers
	$mgr_rule_idrefs = @($grp.get_ObjectSecurity().Access \| ? {`
	-not $_.IsInherited `
	-and $_.ActiveDirectoryRights -eq "WriteProperty" `
	-and $_.AccessControlType -eq "Allow" `
	-and $_.ObjectType -eq "bf9679c0-0de6-11d0-a285-00aa003049e2" })


	if ((-not [String]::IsNullOrEmpty($group.ManagedBy)) -or
	[bool]($group.msExchCoManagedByLink)) {

	Write-Host "Checking managers for group: $($group.Name)" -ForegroundColor Cyan
	$cur_primary_manager = $group.ManagedBy
	$cur_co_managers = @($group.msExchCoManagedByLink)

	""
	"Current primary manager: $cur_primary_manager"
	"Co-Managers: $($cur_co_managers \| FT -a \| Out-String)"
	""
	"Managers with rights:`n$($mgr_rule_idrefs \| % { $_.IdentityReference.ToString() } \| FT -a \| Out-String)"

	# Clear variables
	clv "cur_primary_manager"
	clv "cur_co_managers"
	clv "mgr_rule_idrefs"
	}
	else {
	Write-Host "No Manager: $($group.Name)" -ForegroundColor Yellow
	}

	"`n"
	}