The Owner permission in Active Directory identifies who owns an object, such as a user account, group, or organizational unit. Ownership is critical because it grants implicit rights to modify the object's permissions and Access Control Lists (ACLs), enabling administrators to delegate control and manage security effectively. Technically, the Owner permission effectively provides GenericAll + WriteDACL access, giving full control over the object’s security settings.
However, if misconfigured, the Owner permission can introduce significant security vulnerabilities. An attacker who becomes the Owner of an object can modify its permissions to grant themselves elevated rights like Full Control. This allows them to alter or delete the object, change group memberships, reset passwords, and manipulate user accounts. Exploiting this vulnerability can lead to unauthorized access, privilege escalation, and persistent control over critical directory objects, potentially compromising the entire Active Directory environment.
Identification
PowerShell
Active Directory Module
Using the ActiveDirectory PowerShell module, you can view the Owner of a given AD object.
Function: Get-ADObjectOwner
functionFind-ADObjectOwner{[CmdletBinding()]param([string]$Target,[string]$SearchBase,[string]$OutputPath="ADObjectOwner.csv")Import-Module ActiveDirectory -ErrorAction Stoptry{$baseDN=if($SearchBase){$SearchBase}else{(Get-ADRootDSE).defaultNamingContext }if($Target){try{$objects=@(Get-ADObject-Identity $Target-Properties name,objectClass,distinguishedName )}catch{Write-Error"Target '$Target' not found or inaccessible: $($_.Exception.Message)"return}}else{Write-Host("Enumerating objects under '{0}'..."-f$baseDN)$objects=Get-ADObject-SearchBase $baseDN-LDAPFilter "(objectClass=*)"-ResultSetSize $null-Properties name,objectClass,distinguishedName}if(-not$objects){Write-Output"No objects found."return}$i=0$total=$objects.Count$results=foreach($objin$objects){$i++if($total-gt1){Write-Progress-Activity "Reading owners"-Status "$i / $total : $($obj.DistinguishedName)"-PercentComplete (($i/$total)*100)}try{$acl=Get-Acl"AD:$($obj.DistinguishedName)"$ownerRaw=$acl.Owner$ownerName=$null$ownerSid=$nulltry{if($ownerRaw-match'^S-1-'){$sid=New-Object System.Security.Principal.SecurityIdentifier($ownerRaw)$ownerSid=$sid.Value$ownerName=($sid.Translate([System.Security.Principal.NTAccount])).Value}else{$ownerName=$ownerRaw$nt=New-Object System.Security.Principal.NTAccount($ownerRaw)$ownerSid=($nt.Translate([System.Security.Principal.SecurityIdentifier])).Value}}catch{$ownerName=$ownerRaw$ownerSid=$ownerRaw}[PSCustomObject]@{Name=$obj.NameObjectClass=($obj.ObjectClass-join';')ObjectDN=$obj.DistinguishedNameOwner=$ownerNameOwnerSID=$ownerSid}}catch{Write-Warning"Failed to read ACL for '$($obj.DistinguishedName)': $($_.Exception.Message)"[PSCustomObject]@{Name=$obj.NameObjectClass=($obj.ObjectClass-join';')ObjectDN=$obj.DistinguishedNameOwner=$nullOwnerSID=$null}}}if($OutputPath){$results|Export-Csv-Path $OutputPath-NoTypeInformation -Encoding UTF8Write-Host"Owner information exported to '$OutputPath'"}else{return$results}}catch{Write-Error"Unhandled error: $($_.Exception.Message)"}}
Usage Examples:
1. Get all domain objects owners and export to CSV
2. Get owner of a specific AD object and export to CSV
#. Using Searchbase to limit the search scope
Active Directory Users and Computers (ADUC)
1. Open Active Directory Users and Computers on your Windows Server.
2. Right-click on the Object name.
3. Select Properties from the context menu.
4. Go to the Security tab.
5. Click Advanced to open Advanced Security Settings.
6. The Owner is displayed at the top of the window
Exploitation
The Owner permission grants full control over an object's DACL. Exploitation consists of modifying ACLs of objects you own, without performing unrelated actions like password resets. Below are example scenarios.
User
As the Owner of a user object, you can always change its DACL and ownership, effectively deciding who may reset the password, modify sensitive attributes like msDS-KeyCredentialLink or servicePrincipalName, and otherwise control management of the account. References: ForceChangePassword, AddKeyCredentialLink, WriteSPN
Group
As the Owner of a group, you can alter its DACL and ownership to determine who may add or remove members and change group properties, giving you ultimate authority over how membership and management rights are delegated. References: AddMember
Computer
As the Owner of a computer object, you can modify its DACL and ownership to control access to sensitive attributes and identity settings including LAPS password attributes, key-credential links, SPNs, and delegation-related fields thereby governing who can manage the machine account. References: LapsPassword, AddKeyCredentialLink, AddAllowedToAct
Domain Object
As the Owner of the domain head object (root of the Default Naming Context), you can change its DACL and ownership to grant or restrict powerful directory-wide rights, including replication-related permissions, effectively controlling who can read or synchronize directory data at scale. References: DCSync
GPO
As the Owner of a GPO, you control its ACLs and thus who may read or edit policy settings in the AD GPC and the corresponding SYSVOL GPT; any changes you authorize will flow to targeted users and computers through standard Group Policy processing. References: GPOWrite
Certificate Template
As the Owner of a certificate template, you can change its permissions and configuration to decide who may read, enroll, autoenroll, or manage the template; because these settings govern issuance and identity assertions, ownership directly shapes the security boundary of AD CS. References: WriteOverCertificateTemplate.
Delegated Managed Service Account
If an attacker has Owner permissions over a dMSA object, they can modify the object’s DACL to grant themselves FullControl. With this access, they can update the PrincipalsAllowedToRetrieveManagedPassword property to include their own account, allowing them to retrieve the managed service account’s password.
Example:
Once added, the attacker can read the password. For more abuse details, see the ReadGMSAPassword edge.
Mitigation
With this method, you can check the owner of an object, verify the current owner, and update the owner if needed.
1. Open Active Directory Users and Computers (ADUC).
2. Enable Advanced Features from the View menu.
3. Navigate to the object (user, group, or OU) with dangerous Owner permissions.
4. Right-click the object and select Properties.
5. Go to the Security tab and click Advanced.
6. Check the Owner field at the top. If it is set to an unauthorized user, click Change to set the owner to a controlled group (Such as Domain Admins)
Detection
Adding new Access Control Entries on the Active Directory objects changes the ntSecurityDescriptor attribute of the objects themselves. These changes can be detected with the 5136 and 4662 Event ID's to identify dangerous modifications.
