A messaging colleague asked how to check which principals have the Write Members permission on distribution lists. I sent him a sample of how to query the WriteMember WriteProperty of a distribution group imaginatively called, er, DistributionGroup…
#Get WriteMember WriteProperty
#Schema GUID of the 'member' attribute, which is what "Write Members" grants write access to
$WriteMemberGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2"
(Get-Acl -Path "AD:CN=Distribution Group,OU=Groups").access |
Where-Object {($_.ActiveDirectoryRights -eq "WriteProperty") -and ($_.ObjectType -eq $WriteMemberGuid)} |
#The calculated Property column just trims "Guid" off the variable name to show "WriteMember"
Format-Table IdentityReference,AccessControlType,IsInherited,ActiveDirectoryRights,@{n="Property";e={((Get-Variable -Name WriteMemberGuid).Name -Split "Guid")[0]}}
Let’s pick this apart…
First up, set up a variable to contain the GUID that is associated with the Write Members property permission – $WriteMemberGuid.
Now, use Get-Acl to get the access property values via the AD: PsDrive.
Then, use Where-Object to test each discovered access control entry (ACE): is its right WriteProperty, and does its ObjectType match the Write Members GUID? If both conditions are true, the matched ACE is passed along to Format-Table.
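As an added example that is not part of the original post, the same check can be run over every distribution group under an OU. It also catches two cases the one-liner's -eq comparison misses: ACEs whose rights combine WriteProperty with other flags (the right is a bit mask, so "ReadProperty, WriteProperty" is not -eq "WriteProperty"), and ACEs whose ObjectType is the all-zero GUID, meaning write access to all properties, member included. The ActiveDirectory module import and the OU distinguished name are assumptions.

```powershell
# Added audit example (not the original post's code). Assumes the ActiveDirectory
# module is installed and that the OU DN below is replaced with a real one.
Import-Module ActiveDirectory

$MemberGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"  # schema GUID of 'member'
$AllGuid    = [Guid]"00000000-0000-0000-0000-000000000000"  # ACE covers all properties
$WriteProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-WriteMembersAce {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -SearchBase $SearchBase |
      ForEach-Object {
        $group = $_
        (Get-Acl -Path "AD:$($group.DistinguishedName)").Access |
          Where-Object {
            # Bitwise test: WriteProperty is set, whatever other flags accompany it.
            # GenericWrite and GenericAll include the WriteProperty bit, so they match too.
            (($_.ActiveDirectoryRights -band $WriteProp) -eq $WriteProp) -and
            ($_.ObjectType -eq $MemberGuid -or $_.ObjectType -eq $AllGuid)
          } |
          ForEach-Object {
            [PSCustomObject]@{
              Group     = $group.Name
              Identity  = $_.IdentityReference
              Type      = $_.AccessControlType   # Deny ACEs are reported as well
              Rights    = $_.ActiveDirectoryRights
              Scope     = if ($_.ObjectType -eq $MemberGuid) { 'member' } else { 'all properties' }
              Inherited = $_.IsInherited
            }
          }
      }
}

# Hypothetical OU; replace with the DN of the container holding your distribution groups.
Get-WriteMembersAce -SearchBase 'OU=Groups,DC=example,DC=com' | Format-Table -AutoSize
```

Rows with Scope "all properties" are usually the built-in admin groups or delegation that was broader than intended, so they are worth a second look when reviewing who can change list membership.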