Change the owner of computer objects in Active Directory

Wolfgang Sommergut Thu, Jun 15 2023

When a user joins a computer to an AD domain, they automatically become the owner of the corresponding AD object. This is why standard users should not have the domain join permission. If they still own computer objects, it is recommended for security reasons to replace them with a service account.

As a best practice, Microsoft recommends revoking the domain join permission from regular users. Instead, it is advised to delegate this task to service accounts whose permissions are tailored to this purpose. By doing so, a known attack vector is eliminated.


If the domain join is delegated to specific accounts after end users have already added numerous computers to the domain, it is recommended that the owner of these computer objects be changed.

This also applies if a domain admin has been used for this purpose until now.

Active Directory Users and Computers

To view the permissions and the owner of a computer object in AD Users and Computers (ADUC), open the properties of the computer object, switch to the Security tab, and click Advanced.

Edit the owner of a computer object in Active Directory with AD Users and Computers

If necessary, you can enter a new owner by clicking the Change link in that section.

In ADUC, you can only edit the permissions of individual objects. If you select multiple objects, the Properties dialog will not display the Security tab.

Display owner with PowerShell

For bulk operations, it is therefore recommended to use PowerShell. If you first want to get an overview of multiple objects’ ownership, there are several options available.

One approach is to generate a list of computer names and owners by expanding the nTSecurityDescriptor attribute using Select-Object:

Get-ADComputer -Filter * -Properties nTSecurityDescriptor -PipelineVariable p |
    Select-Object -ExpandProperty nTSecurityDescriptor |
    Select-Object @{n="Computer";e={ $p.Name }}, @{n="Owner";e={ $_.Owner }}

Display all domain computers and their owners with PowerShell

Alternatively, you can use Get-Acl to retrieve the owner for each computer individually. When outputting the results with Format-List, you can strip the leading "CN=" from PSChildName. An anchored -replace is used here rather than TrimStart("CN="), because TrimStart() treats its argument as a set of characters and would also remove a leading "C" or "N" from the computer name itself:

Get-ADComputer -Filter * |
    ForEach-Object { Get-Acl -Path "AD:$($_.DistinguishedName)" } |
    Format-List @{n="Name";e={ $_.PSChildName -replace '^CN=' }}, @{n="Owner";e={ $_.Owner }}

This variant has the advantage of generating the necessary ACL objects, which are required if you want to change the owner. The following script accomplishes this task:

# The new owner as an NTAccount; SetOwner() accepts any IdentityReference
$user = New-Object System.Security.Principal.NTAccount("contoso\djoin")

Get-ADComputer -Filter 'Name -like "win11*"' |
    ForEach-Object {
        # Read the object's security descriptor via the AD: drive (ActiveDirectory module)
        $acl = Get-Acl -Path "AD:$($_.DistinguishedName)"
        $acl.SetOwner($user)
        # Write the modified descriptor back to the computer object
        Set-Acl -Path "AD:$($_.DistinguishedName)" -AclObject $acl
    }

In this example, all computers whose names begin with “Win11” are assigned contoso\djoin as the new owner.

Assign a new owner to computer objects with Set-Acl

It is worth mentioning that the SetOwner method expects an identity object such as System.Security.Principal.NTAccount (or another IdentityReference, for example a SecurityIdentifier). However, Get-ADUser returns objects of the type Microsoft.ActiveDirectory.Management.ADUser. If you want to retrieve the principal using this cmdlet, you need to build the identity from the account's SID property as follows:

$user = New-Object System.Security.Principal.SecurityIdentifier((Get-ADUser -Identity "myuser").SID.Value)
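The two steps above, reviewing ownership and then reassigning it, combined into one script with a rehearsal mode. This is an added example, not code from the 4sysops article: the names contoso\djoin (taken from the article) and CONTOSO\Domain Admins as the approved owners, and the function names Get-ComputerOwnerReport and Set-ComputerOwner, are assumptions for illustration. It requires the ActiveDirectory module (RSAT), which provides the AD: drive.

```powershell
# Added example (not from the article). Assumed names:
#   CONTOSO\djoin          -> delegated domain-join service account
#   CONTOSO\Domain Admins  -> also accepted as owner and left unchanged
Import-Module ActiveDirectory

function Get-ComputerOwnerReport {
    <#
      Returns one object per computer with its owner, whether that owner is on
      the approved list, and the ACL object itself so it can be reused when
      the owner has to be changed.
    #>
    param(
        [string]$Filter = '*',
        [string[]]$ApprovedOwners = @('CONTOSO\djoin', 'CONTOSO\Domain Admins')
    )
    Get-ADComputer -Filter $Filter | ForEach-Object {
        $acl = Get-Acl -Path "AD:$($_.DistinguishedName)"
        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            Owner             = $acl.Owner
            Approved          = ($ApprovedOwners -contains $acl.Owner)   # case-insensitive
            Acl               = $acl
        }
    }
}

function Set-ComputerOwner {
    <#
      Reassigns the owner of every computer whose current owner is not approved.
      SupportsShouldProcess gives the function -WhatIf and -Confirm, so the
      change can be rehearsed before it is applied.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$NewOwner,       # e.g. 'CONTOSO\djoin'
        [string]$Filter = '*',
        [string[]]$ApprovedOwners = @('CONTOSO\djoin', 'CONTOSO\Domain Admins')
    )
    # SetOwner() takes an IdentityReference; the NTAccount is resolved to a SID on write
    $principal = New-Object System.Security.Principal.NTAccount($NewOwner)

    Get-ComputerOwnerReport -Filter $Filter -ApprovedOwners $ApprovedOwners |
        Where-Object { -not $_.Approved } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, "change owner from '$($_.Owner)' to '$NewOwner'")) {
                $_.Acl.SetOwner($principal)
                Set-Acl -Path "AD:$($_.DistinguishedName)" -AclObject $_.Acl
            }
        }
}

# 1. Review: group computers by owner so end-user owners stand out
Get-ComputerOwnerReport | Group-Object Owner |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Rehearse the change, then apply it
Set-ComputerOwner -NewOwner 'CONTOSO\djoin' -WhatIf
# Set-ComputerOwner -NewOwner 'CONTOSO\djoin' -Confirm:$false
```

Run the review step first and keep its output; it doubles as a record of which objects were changed and from whom. Assigning an owner other than yourself requires the Restore files and directories privilege (SeRestorePrivilege) on the domain controller, which Domain Admins hold by default, so run the remediation step from an account with that right.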

Summary

For security reasons, it is not recommended to let users join PCs to an AD domain. However, if you have allowed this in the past, it is advisable to assign new owners to the computer objects.

Source:
https://4sysops.com/archives/change-the-owner-of-computer-objects-in-active-directory/