PowerShell Module for making the process of changing the Owner of AD objects simple.
- Fixed: Not stopping on Errors
- First Version published to PowerShellGallery
- Minor changes to the file structure of the Module
- ScriptFileInfo added to the script files in the Module
- MIT License added - Yes, it's free to use
- First version published on GitHub
Every AD object has an owner; by default the owner is the identity that created it. If a member of 'Domain Admins' or 'Enterprise Admins' creates an object, the owner of that object is set to 'Domain Admins' or 'Enterprise Admins' respectively. Also, by default in AD DS a user can domain-join up to 10 computers; if that user is not a member of any privileged group, the owner of each computer joined this way is the user who joined it to the domain.
There are several risks with this 'feature'. One is that if a hacker gets hold of the credentials of that user, they indirectly have Full Control over the object: being the owner does not by itself grant Full Control, but the owner has permission to alter the permissions on the object, which gives the hacker the option to take Full Control over it.
The easy way to mitigate this problem is obviously to make sure that no unprivileged users have ownership of any of the objects in your Active Directory. The ADObjectOwner Module makes this task rather simple. Since Get-ADObjectOwner takes pipeline input, you can pipe several AD objects into the function and get an output with the DistinguishedName and the Owner. From there it is straightforward to sort the objects by Owner. With the combination of Get-ADObjectOwner, Get-SecurityPrincipalNTAccount and Set-ADObjectOwner, it is possible to handle this risk without going through all the objects manually. See Examples for more on this.
This Module has been published to the PowerShell Gallery, so installing is as simple as:
Install-Module -Name ADObjectOwner
When using Set-ADObjectOwner, use it with the Get-SecurityPrincipalNTAccount output in a variable as shown below:
PS C:\> $newOwner = Get-SecurityPrincipalNTAccount -SAMAccountName 'Domain Admins'
PS C:\> Get-ADObject -SearchBase "OU=TestOU,DC=YourDomain,DC=local" -Filter * | Get-ADObjectOwner | Where-Object { $_.Owner -ne $newOwner } | Set-ADObjectOwner -Owner $newOwner
DistinguishedName Owner
----------------- -----
CN=JohnSmith,OU=TestOU,DC=YourDomain,DC=local YourDomain\Domain Admins
CN=WS001,OU=TestOU,DC=YourDomain,DC=local YourDomain\Domain Admins
The functions contained in this module:
<#
.SYNOPSIS
Gets Object Owner, from the Access Control List on an ADObject.
.DESCRIPTION
Gets the ACL of an ADObject, and returns the Object Owner
.PARAMETER DistinguishedName
The DistinguishedName of the Object you want to get the Owner of.
.EXAMPLE
PS C:\> Get-ADObjectOwner -DistinguishedName 'OU=TestOU,DC=Dev,DC=local'
DistinguishedName Owner
----------------- -----
OU=TestOU,DC=Dev,DC=local Dev\Domain Admins
.NOTES
FUNCTION: Get-ADObjectOwner
AUTHOR: Tom Stryhn
GITHUB: https://github.com/tomstryhn/
.INPUTS
[string]
.OUTPUTS
[PSCustomObject]
.LINK
Set-ADObjectOwner
#>
<#
.SYNOPSIS
Validates a Security Principal NT Account, and outputs it.
.DESCRIPTION
Validates a Security Principal NT Account and outputs it, by looking up the SID of the entered
NT Account, retrieving the Account associated with that SID, and comparing the sAMAccountName
of the two. If the Account cannot be validated it is not returned.
.PARAMETER SAMAccountName
The sAMAccountName of the Account wanted.
.PARAMETER Domain
Domain, if other than the one being run from, e.g. if you need 'Enterprise Admins' of a root domain.
.EXAMPLE
PS C:\> Get-SecurityPrincipalNTAccount -SAMAccount 'DomainUser' -Domain 'Dev'
Value
-----
Dev\DomainUser
.NOTES
FUNCTION: Get-SecurityPrincipalNTAccount
AUTHOR: Tom Stryhn
GITHUB: https://github.com/tomstryhn/
.INPUTS
[string],[string]
.OUTPUTS
[System.Security.Principal.NTAccount]
#>
<#
.SYNOPSIS
Sets the Access Control List Owner on an AD Object
.DESCRIPTION
Sets the Access Control List Owner on an AD Object
## CAUTION ## - This script is provided on an "AS-IS" basis, any wrongful use could cause
irreversible changes to Active Directory and related services. Therefore use it
with great caution.
.PARAMETER DistinguishedName
The DistinguishedName of the Object you want to set the Owner on.
.PARAMETER Owner
The Owner to be set.
.EXAMPLE
PS C:\> Set-ADObjectOwner -DistinguishedName 'OU=TestOU,DC=Dev,DC=local' -Owner (Get-SecurityPrincipalNTAccount -SAMAccount 'Domain Admins')
DistinguishedName Owner
----------------- -----
OU=TestOU,DC=Dev,DC=local Dev\Domain Admins
.NOTES
FUNCTION: Set-ADObjectOwner
AUTHOR: Tom Stryhn
GITHUB: https://github.com/tomstryhn/
.INPUTS
[string],[System.Security.Principal.NTAccount]
.OUTPUTS
[PSCustomObject]
.LINK
Get-ADObjectOwner
Get-SecurityPrincipalNTAccount
#>
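As an added example (not part of the ADObjectOwner module itself), the following script shows the two techniques the help above describes: validating an NT account by resolving it to a SID and back, and auditing an OU for objects whose ACL owner is not the approved principal, with an optional, dry-run-capable reassignment. It assumes the ActiveDirectory module's AD: drive; the OU path, domain and account names are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the module's own code. Assumes the AD: PSDrive from the
# ActiveDirectory module; domain, OU and account names below are placeholders.

# Validate an NT account the way Get-SecurityPrincipalNTAccount is described:
# name -> SID -> name, and accept the account only if both names agree.
function Test-NTAccountRoundTrip {
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$SAMAccountName)
    $nt = [System.Security.Principal.NTAccount]::new($Domain, $SAMAccountName)
    try {
        $sid  = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        $back = $sid.Translate([System.Security.Principal.NTAccount])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null   # unresolvable name: never hand it to SetOwner
    }
    if ($back.Value -eq $nt.Value) { return $back } else { return $null }
}

# Audit every object under an OU and report owners that differ from the
# approved principal. With -Fix, reassign them; -WhatIf previews without writing.
# Changing an owner via Set-Acl requires ownership rights or SeRestorePrivilege.
function Find-UnapprovedADOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase,
          [Parameter(Mandatory)][System.Security.Principal.NTAccount]$ApprovedOwner,
          [switch]$Fix)
    Get-ADObject -SearchBase $SearchBase -Filter * | ForEach-Object {
        $path = "AD:\$($_.DistinguishedName)"
        $acl  = Get-Acl -Path $path          # .Owner is 'DOMAIN\Name' from the ACL
        if ($acl.Owner -eq $ApprovedOwner.Value) { return }
        if ($Fix -and $PSCmdlet.ShouldProcess($_.DistinguishedName, "Set owner to $ApprovedOwner")) {
            $acl.SetOwner($ApprovedOwner)
            Set-Acl -Path $path -AclObject $acl
        }
        [PSCustomObject]@{ DistinguishedName = $_.DistinguishedName; Owner = $acl.Owner }
    }
}

# Usage with constructed names: validate the approved owner, then dry-run the audit.
$owner = Test-NTAccountRoundTrip -Domain 'YourDomain' -SAMAccountName 'Domain Admins'
if (-not $owner) { throw 'Approved owner could not be validated' }
Find-UnapprovedADOwner -SearchBase 'OU=TestOU,DC=YourDomain,DC=local' -ApprovedOwner $owner -Fix -WhatIf
```

Run without -Fix to get only the report; drop -WhatIf once the list of flagged objects has been reviewed.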