# Owner

## Summary

|                            |             |
| -------------------------- | ----------- |
| **FSProtect ACL Alias**    | Owner       |
| **AD Alias**               | Owner       |
| **Affected Object Types**  | All Objects |
| **Exploitation Certainty** | Certain     |

## Description

The Owner permission in Active Directory identifies who owns an object, such as a user account, group, or organizational unit. Ownership is critical because it grants implicit rights to modify the object's permissions and Access Control Lists (ACLs), enabling administrators to delegate control and manage security effectively. Technically, the Owner permission effectively provides GenericAll + WriteDACL access, giving full control over the object’s security settings.

However, if misconfigured, the Owner permission can introduce significant security vulnerabilities. An attacker who becomes the Owner of an object can modify its permissions to grant themselves elevated rights like Full Control. This allows them to alter or delete the object, change group memberships, reset passwords, and manipulate user accounts. Exploiting this vulnerability can lead to unauthorized access, privilege escalation, and persistent control over critical directory objects, potentially compromising the entire Active Directory environment.

## Identification

### PowerShell

#### Active Directory Module

Using the ActiveDirectory PowerShell module, you can view the Owner of a given AD object.

Function: Get-ADObjectOwner

```powershell
function Find-ADObjectOwner {
    [CmdletBinding()]
    param([string]$Target,[string]$SearchBase, [string]$OutputPath = "ADObjectOwner.csv")
    Import-Module ActiveDirectory -ErrorAction Stop
    try {
        $baseDN = if ($SearchBase) { $SearchBase } else { (Get-ADRootDSE).defaultNamingContext }
        if ($Target) {
            try {
                $objects = @( Get-ADObject -Identity $Target -Properties name,objectClass,distinguishedName )
            } catch {
                Write-Error "Target '$Target' not found or inaccessible: $($_.Exception.Message)"
                return
            }
        } else {
            Write-Host ("Enumerating objects under '{0}'..." -f $baseDN)
            $objects = Get-ADObject -SearchBase $baseDN -LDAPFilter "(objectClass=*)" -ResultSetSize $null -Properties name,objectClass,distinguishedName
        }
        if (-not $objects) {
            Write-Output "No objects found."
            return
        }
        $i = 0
        $total = $objects.Count
        $results = foreach ($obj in $objects) {
            $i++
            if ($total -gt 1) {
                Write-Progress -Activity "Reading owners" -Status "$i / $total : $($obj.DistinguishedName)" -PercentComplete (($i / $total) * 100)
            }
            try {
                $acl = Get-Acl "AD:$($obj.DistinguishedName)"
                $ownerRaw = $acl.Owner
                $ownerName = $null
                $ownerSid  = $null
                try {
                    if ($ownerRaw -match '^S-1-') {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($ownerRaw)
                        $ownerSid  = $sid.Value
                        $ownerName = ($sid.Translate([System.Security.Principal.NTAccount])).Value
                    } else {
                        $ownerName = $ownerRaw
                        $nt = New-Object System.Security.Principal.NTAccount($ownerRaw)
                        $ownerSid  = ($nt.Translate([System.Security.Principal.SecurityIdentifier])).Value
                    }
                } catch {
                    $ownerName = $ownerRaw
                    $ownerSid  = $ownerRaw
                }
                [PSCustomObject]@{
                    Name        = $obj.Name
                    ObjectClass = ($obj.ObjectClass -join ';')
                    ObjectDN    = $obj.DistinguishedName
                    Owner       = $ownerName
                    OwnerSID    = $ownerSid
                }
            } catch {
                Write-Warning "Failed to read ACL for '$($obj.DistinguishedName)': $($_.Exception.Message)"
                [PSCustomObject]@{
                    Name        = $obj.Name
                    ObjectClass = ($obj.ObjectClass -join ';')
                    ObjectDN    = $obj.DistinguishedName
                    Owner       = $null
                    OwnerSID    = $null
                }
            }
        }
        if ($OutputPath) {
            $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
            Write-Host "Owner information exported to '$OutputPath'"
        } else {
            return $results
        }
    } catch { Write-Error "Unhandled error: $($_.Exception.Message)"}
}
```

Usage Examples:

**1.** Get all domain objects owners and export to CSV

```powershell
Find-ADObjectOwner
```

**2.** Get owner of a specific AD object and export to CSV

```powershell
Find-ADObjectOwner -Target "CN=Distributed COM Users,CN=Builtin,DC=Forestall,DC=labs"
```

**#.** Using Searchbase to limit the search scope

```powershell
Find-ADObjectOwner -SearchBase "CN=Builtin,DC=Forestall,DC=labs"
```

#### Active Directory Users and Computers (ADUC)

**1.** Open Active Directory Users and Computers on your Windows Server.

**2.** Right-click on the Object name.

**3.** Select Properties from the context menu.

**4.** Go to the Security tab.

**5.** Click Advanced to open Advanced Security Settings.

**6.** The Owner is displayed at the top of the window

## Exploitation

The Owner permission grants full control over an object's DACL. Exploitation consists of modifying ACLs of objects you own, without performing unrelated actions like password resets. Below are example scenarios.

### User

As the **Owner** of a user object, you can always change its DACL and ownership, effectively deciding who may reset the password, modify sensitive attributes like `msDS-KeyCredentialLink` or `servicePrincipalName`, and otherwise control management of the account. References: [ForceChangePassword](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/ForceChangePassword/README.md), [AddKeyCredentialLink](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AddKeyCredentialLink/README.md), [WriteSPN](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/writeSPN/README.md)

### Group

As the **Owner** of a group, you can alter its DACL and ownership to determine who may add or remove members and change group properties, giving you ultimate authority over how membership and management rights are delegated. References: [AddMember](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AddMember/README.md)

### Computer

As the **Owner** of a computer object, you can modify its DACL and ownership to control access to sensitive attributes and identity settings—including LAPS password attributes, key-credential links, SPNs, and delegation-related fields—thereby governing who can manage the machine account. References: [LapsPassword](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/LAPSPassword/README.md), [AddKeyCredentialLink](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AddKeyCredentialLink/README.md), [AddAllowedToAct](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AddAllowedToAct/README.md)

### Domain Object

As the **Owner** of the domain head object (root of the Default Naming Context), you can change its DACL and ownership to grant or restrict powerful directory-wide rights, including replication-related permissions, effectively controlling who can read or synchronize directory data at scale. References: [DCSync](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/DCSync/README.md)

### GPO

As the **Owner** of a GPO, you control its ACLs and thus who may read or edit policy settings in the AD GPC and the corresponding SYSVOL GPT; any changes you authorize will flow to targeted users and computers through standard Group Policy processing. References: [GPOWrite](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/GPOWrite/README.md)

### Certificate Template

As the **Owner** of a certificate template, you can change its permissions and configuration to decide who may read, enroll, autoenroll, or manage the template; because these settings govern issuance and identity assertions, ownership directly shapes the security boundary of AD CS. References: [WriteOverCertificateTemplate](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/WriteOverCertificateTemplate/README.md)

### Delegated Managed Service Account

If an attacker has **Owner** permissions over a dMSA object, they can modify the object’s DACL to grant themselves FullControl. With this access, they can update the **PrincipalsAllowedToRetrieveManagedPassword** property to include their own account, allowing them to retrieve the managed service account’s password.

Example:

```powershell
Set-ADServiceAccount -Identity MyAppSvc -PrincipalsAllowedToRetrieveManagedPassword adam
```

Once added, the attacker can read the password. For more abuse details, see the [ReadGMSAPassword](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/ReadGMSAPassword/README.md) edge.

## Mitigation

With this method, you can check the owner of an object, verify the current owner, and update the owner if needed.

**1.** Open Active Directory Users and Computers (ADUC).

**2.** Enable Advanced Features from the View menu.

**3.** Navigate to the object (user, group, or OU) with dangerous Owner permissions.

**4.** Right-click the object and select Properties.

**5.** Go to the Security tab and click Advanced.

**6.** Check the Owner field at the top. If it is set to an unauthorized user, click Change to set the owner to a controlled group (Such as Domain Admins)

![ADUC](/files/vmew7fGM3wx3sfH6jbpv)

## Detection

Adding new Access Control Entries on the Active Directory objects changes the `ntSecurityDescriptor` attribute of the objects themselves. These changes can be detected with the 5136 and 4662 Event ID's to identify dangerous modifications.

| Event ID | Description                              | Fields/Attributes      | References                                                                                 |
| -------- | ---------------------------------------- | ---------------------- | ------------------------------------------------------------------------------------------ |
| 5136     | A directory service object was modified. | ntSecurityDescriptor   | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136> |
| 4662     | An operation was performed on an object. | AccessList, AccessMask | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662> |

## References

* [Understanding Active Directory Permissions - Microsoft Press Store](https://www.microsoftpressstore.com/articles/article.aspx?p=2231764\&seqNum=3)
* [Object Owner in Active Directory - Secure Identity](https://secureidentity.se/object-owner/)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.forestall.io/fsprotect/edges/ad/owner.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.