Supported model for using a service account (functional user) in Active Directory to automate group membership using scripting


Some departments/colleges may wish to automate membership of groups in Active Directory by using scripting such as PowerShell. To do so, one must make use of a functional user account (service account). NSCs may create such a user account in their department's OU inside Active Directory, and a strong password should be set on the account.

Once the account is created, follow the steps below to give the account permissions to modify a group's membership.

1) Edit the AD object (group) by locating it in Active Directory and double-clicking it to open the "Properties" window.

2) Go to the "Managed By" tab.

3) Click Change.

4) Add the functional user account (service account) as the owner and click OK.

5) Make sure that "Manager can update membership list" is checked.

6) Save the changes to the object.
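As an added example (not part of this article), the following PowerShell script is the kind of membership sync that would run under the functional user account once it has been set as the group's manager with "Manager can update membership list" checked. The group name and member list are placeholders; it first confirms that the running account really is the manager so that a mis-delegated group fails early rather than half-way through.

```powershell
# Added example, not from the original article. Runs as the functional user
# (service account) that the "Managed By" steps above made the group's manager.
# "DEPT-Lab-Users" and the member names are placeholders; replace them.
Import-Module ActiveDirectory

$GroupName      = 'DEPT-Lab-Users'               # placeholder group name
$DesiredMembers = @('jdoe', 'asmith', 'bjones')  # placeholder sAMAccountNames

# Fail closed: confirm the account running this script is the group's manager.
# ManagedBy holds the manager's distinguished name. If "Manager can update
# membership list" was left unchecked, the writes below fail with Access denied
# even though ManagedBy points at this account.
$group  = Get-ADGroup -Identity $GroupName -Properties ManagedBy
$runner = Get-ADUser -Identity $env:USERNAME
if ($group.ManagedBy -ne $runner.DistinguishedName) {
    throw "$($runner.SamAccountName) is not the manager of ${GroupName}; check the Managed By tab."
}

# Current direct user members, by sAMAccountName.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty SamAccountName)

# Apply only the delta rather than clearing and re-adding the whole group, so the
# script touches just what changed and the AD change log stays readable.
$toAdd    = @($DesiredMembers | Where-Object { $_ -notin $current })
$toRemove = @($current        | Where-Object { $_ -notin $DesiredMembers })

if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $GroupName -Members $toAdd    -Confirm:$false }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

Write-Host "${GroupName}: added $($toAdd.Count), removed $($toRemove.Count)"
```

Run it once with `-WhatIf` appended to the Add/Remove lines to preview the delta before scheduling it under the service account.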

There are some objects in AD for which an NSC cannot change the owner due to permissions. These fall under the location instead of and normally consist of functional mail groups (FMGs), which are groups that own functional mailboxes, or distribution lists. For these objects, an NSC for the department may change the owner by contacting IT Help Central with the request, the name of the service account (functional user), and a list of the objects to be changed. IT Help Central will assign an issue in your name to the network administrators asking that they make the functional user account the owner of those objects.

TIP: When requesting new distribution lists or functional mailboxes in the future, if you want to manage group membership using scripting you should specify that the desired service account be set as manager. You may do this in the special instructions area of the request form.