Active Directory: Objektbesitzer in Massen ändern

Nachfolgend finden Sie Skripte, mit denen Sie den Besitzer verschiedener Active Directory-Objekte massenweise ändern können, beispielsweise:

  • Benutzer
  • Gruppen
  • Organisationseinheit
  • Computer

In einer „normalen“ Situation ist der Besitzer von Active Directory-Objekten:

  • Domänenadministratoren
  • Unternehmensadministratoren
  • BUILTIN\Administratoren
  • AUTORITE NT\System

Wenn ein Objekt durch Delegierung oder Verwendung der Gruppe „Kontooperator“ von einem Benutzer erstellt wird, der kein Mitglied einer der oben genannten Gruppen ist, ist der Benutzer, der das Objekt erstellt hat, auch dessen Eigentümer.

Diese Situation kann Sicherheitsprobleme aufwerfen. Wenn Sie nur wenige Objekte haben, ist es möglich, dies manuell zu tun, aber wenn Sie mehrere Dutzend/Hunderte haben, kann es sehr viel Zeit in Anspruch nehmen.

Die Skripte werden mit dem französischen Namen der Gruppen geschrieben, Sie müssen sie entsprechend der Sprache Ihrer Active Directory-Umgebung anpassen

Die Skripte finden Sie hier : PowerShell/Active Directory/Fix Owner Objects · master · RDR-IT / Scripts · GitLab

Wenn Sie nur die betroffenen Objekte anzeigen möchten:

Benutzer :

# Get Users Owner
# Sources : 
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   Dans le cas d'utilisation de ORADAD de ANSSI, le script permet de corriger le probleme : vuln3_owner
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#
# Create Array
$Array = @()
 
# Collect AD infos
$Domain = Get-ADDomain | select -ExpandProperty NetBIOSName
$AllUsers = Get-ADUser -Filter * -Properties nTSecurityDescriptor
 
# Store Info
$AllUsers | foreach {
    $DistinguishedName = $_.DistinguishedName
    $GivenName = $_.GivenName
    $Name = $_.Name
    $ObjectClass = $_.ObjectClass
    $ObjectGUID = $_.ObjectGUID
    $SamAccountName = $_.SamAccountName
    $SID = $_.SID
    $Surname = $_.Surname
    $UserPrincipalName = $_.UserPrincipalName
    $nTSecurityDescriptor = $_.nTSecurityDescriptor
     
     
    $Array += New-Object psobject -Property @{
        DistinguishedName = $DistinguishedName
        GivenName = $GivenName
        Name = $Name
        Owner = $nTSecurityDescriptor.owner
        ObjectClass = $ObjectClass
        ObjectGUID = $ObjectGUID
        SamAccountName = $SamAccountName
        SID = $SID
        Surname = $Surname
        UserPrincipalName = $UserPrincipalName
        }
     
    $DistinguishedName = $null
    $GivenName = $null
    $Name = $null
    $nTSecurityDescriptor = $null
    $ObjectClass = $null
    $ObjectGUID = $null
    $SamAccountName = $null
    $SID = $null
    $Surname = $null
    $UserPrincipalName = $null
    $CurrentUser = $null
    $nTSecurityDescriptor = $null
}

# How many Accounts were returns ?
Write-Host $Array.Count -ForegroundColor Yellow
 
# How many Accounts need to be reviewed ?
$NoGood = $Array.Where({(($_.Owner -ne "$Domain\Admins du domaine") -and ($_.Owner -ne "$Domain\Enterprise Admins") -and ($_.Owner -ne "BUILTIN\Administrateurs") -and ($_.Owner -ne "AUTORITE NT\Système") )})
Write-Host $NoGood.count -ForegroundColor Cyan

# Print NoGood Users with Owner
# $NoGood | ft Name,Owner

$Filter = $NoGood.Where({$_.Name -notlike "SystemMailbox*"})
$Filter = $Filter.Where({$_.Name -notlike "HealthMailbox*"})

# Print NoGood Users with Owner
$Filter | ft Name,Owner

# For Debug : check difference between normal object and exchange object
#Write-Host $NoGood.count -ForegroundColor Cyan
Write-Host $Filter.count -ForegroundColor Red

Computer :

# Get Computer Owner
# Sources : 
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   Dans le cas d'utilisation de ORADAD de ANSSI, le script permet de corriger le probleme : vuln3_owner
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#
# Create Array
$Array = @()

# Collect AD infos
$Domain = Get-ADDomain | select -ExpandProperty NetBIOSName
$AllComputers = Get-ADComputer -Filter * -Properties nTSecurityDescriptor
 
# Store Info
$AllComputers | foreach {
    $DistinguishedName = $_.DistinguishedName
    $GroupCategory = $_.GroupCategory
    $GroupScope = $_.GroupScope
    $Name = $_.Name
    $ObjectClass = $_.ObjectClass
    $ObjectGUID = $_.ObjectGUID
    $SamAccountName = $_.SamAccountName
    $SID = $_.SID
    $nTSecurityDescriptor = $_.nTSecurityDescriptor
     
     
    $Array += New-Object psobject -Property @{
        DistinguishedName = $DistinguishedName
        DNSHostName = $DNSHostName
        Enabled = $Enabled
        Name = $Name
        ObjectClass = $ObjectClass
        ObjectGUID = $ObjectGUID
        SamAccountName = $SamAccountName
        SID = $SID
        Owner = $nTSecurityDescriptor.owner
        }
     
    $DistinguishedName = $null
    $DNSHostName = $null
    $Enabled = $null
    $Name = $null
    $ObjectClass = $null
    $ObjectGUID = $null
    $SamAccountName = $null
    $SID = $null
    $nTSecurityDescriptor = $null
    }
 
# How many Accounts were returns ?
Write-Host $Array.Count -ForegroundColor Yellow
 
# How many Accounts need to be reviewed ?
$NoGood = $Array.Where({(($_.Owner -ne "$Domain\Admins du domaine") -and ($_.Owner -ne "$Domain\Enterprise Admins") -and ($_.Owner -ne "BUILTIN\Administrateurs") -and ($_.Owner -ne "AUTORITE NT\Système") )})
Write-Host $NoGood.count -ForegroundColor Cyan
Write-Host $NoGood

Gruppen :

# Fix Group Owner
# Sources : 
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   Dans le cas d'utilisation de ORADAD de ANSSI, le script permet de corriger le probleme : vuln3_owner
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#

# Create Array
$Array = @()
 
# Collect AD infos
$Domain = Get-ADDomain | select -ExpandProperty NetBIOSName
$AllGroups = Get-ADGroup -Filter * -Properties nTSecurityDescriptor
 
# Store Info
$AllGroups | foreach {
    $DistinguishedName = $_.DistinguishedName
    $GroupCategory = $_.GroupCategory
    $GroupScope = $_.GroupScope
    $Name = $_.Name
    $ObjectClass = $_.ObjectClass
    $ObjectGUID = $_.ObjectGUID
    $SamAccountName = $_.SamAccountName
    $SID = $_.SID
    $nTSecurityDescriptor = $_.nTSecurityDescriptor
     
     
    $Array += New-Object psobject -Property @{
        DistinguishedName = $DistinguishedName
        GroupCategory = $GroupCategory
        GroupScope = $GroupScope
        Name = $Name
        ObjectClass = $ObjectClass
        ObjectGUID = $ObjectGUID
        SamAccountName = $SamAccountName
        SID = $SID
        Owner = $nTSecurityDescriptor.owner
        }
     
    $DistinguishedName = $null
    $DNSHostName = $null
    $Enabled = $null
    $Name = $null
    $ObjectClass = $null
    $ObjectGUID = $null
    $SamAccountName = $null
    $SID = $null
    $nTSecurityDescriptor = $null
}
 
# How many Accounts were returns ?
Write-Host $Array.Count -ForegroundColor Yellow
 
# How many Accounts need to be reviewed ?
$NoGood = $Array.Where({(($_.Owner -ne "$Domain\Admins du domaine") -and ($_.Owner -ne "$Domain\Enterprise Admins") -and ($_.Owner -ne "BUILTIN\Administrateurs") -and ($_.Owner -ne "AUTORITE NT\Système") )})
Write-Host $NoGood.count -ForegroundColor Cyan

# Print NoGood Groups with Owner
$NoGood | ft Name,Owner

Organisationseinheit :

# Get OU Owner
# Sources : 
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   Dans le cas d'utilisation de ORADAD de ANSSI, le script permet de corriger le probleme : vuln3_owner
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#
# Create Array
$Array = @()
 
# Collect AD infos
$Domain = Get-ADDomain | select -ExpandProperty NetBIOSName
$AllOU = Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor
 
# Store Info
$AllOU | foreach {
    $City = $_.City
    $Country = $_.Country
    $DistinguishedName = $_.DistinguishedName
    $ManagedBy = $_.ManagedBy
    $Name = $_.Name
    $nTSecurityDescriptor = $_.nTSecurityDescriptor
     
     
    $Array += New-Object psobject -Property @{
        City = $City
        Country = $Country
        DistinguishedName = $DistinguishedName
        ManagedBy = $ManagedBy
        Name = $Name
        Owner = $nTSecurityDescriptor.owner
        }
     
    $City = $null
    $Country = $null
    $DistinguishedName = $null
    $ManagedBy = $null
    $Name = $null
    $nTSecurityDescriptor = $null
    }
 
# How many Accounts were returns ?
Write-Host $Array.Count -ForegroundColor Yellow
 
# How many Accounts need to be reviewed ?
$NoGood = $Array.Where({(($_.Owner -ne "$Domain\Admins du domaine") -and ($_.Owner -ne "$Domain\Enterprise Admins") -and ($_.Owner -ne "BUILTIN\Administrateurs") -and ($_.Owner -ne "AUTORITE NT\Système") )})
Write-Host $NoGood.count -ForegroundColor Cyan

$NoGood | ft Name,Owner

Quellen :

Active DirectorySkripte
Active DirectoryObjekteSicherheit
Soutenir
LinkedInReddit

📚 Articles similaires

Romain Drouche
Systemarchitekt | MCSE: Kerninfrastruktur
IT-Infrastrukturexperte mit über 15 Jahren Berufserfahrung. Aktuell tätig als Projektmanager für Systeme und Netzwerke sowie als Experte für Informationssystemsicherheit, nutze ich mein Fachwissen, um die Zuverlässigkeit und Sicherheit technologischer Umgebungen zu gewährleisten.

Schreibe einen Kommentar