Active Directory: change the owner of objects in bulk

Below you will find scripts that let you change, in bulk, the owner of different Active Directory objects such as:

  • Users
  • Groups
  • Organizational units
  • Computers

In a "normal" situation, the owner of Active Directory objects is one of:

  • Domain Admins
  • Enterprise Admins
  • BUILTIN\Administrators
  • NT AUTHORITY\SYSTEM

When an object is created, through delegation or membership in the "Account Operators" group, by a user who is not a member of one of the groups above, the user who created the object becomes its owner.

This situation can pose a security problem, because the owner of an object can modify its permissions regardless of what the ACL says. If you only have a few objects it is possible to fix them by hand, but with several dozen or several hundred it can take a lot of time.

The scripts are written with the French names of the groups; you must adapt them to the language of your Active Directory environment.

You can find the scripts here: PowerShell/Active Directory/Fix Owner Objects · master · RDR-IT / Scripts · GitLab

If you only want to display the affected objects:

Users:

# Get Users Owner
# Sources :
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   When ANSSI's ORADAD is used, the script lets you fix the following finding: vuln3_owner
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#
# Create Array
$Array = @()

# Collect AD infos
$Domain = Get-ADDomain | select -ExpandProperty NetBIOSName
# nTSecurityDescriptor (which carries the owner) is not returned by default and must be requested explicitly
$AllUsers = Get-ADUser -Filter * -Properties nTSecurityDescriptor

# Store Info
$AllUsers | foreach {
    $DistinguishedName = $_.DistinguishedName
    $GivenName = $_.GivenName
    $Name = $_.Name
    $ObjectClass = $_.ObjectClass
    $ObjectGUID = $_.ObjectGUID
    $SamAccountName = $_.SamAccountName
    $SID = $_.SID
    $Surname = $_.Surname
    $UserPrincipalName = $_.UserPrincipalName
    $nTSecurityDescriptor = $_.nTSecurityDescriptor

    $Array += New-Object psobject -Property @{
        DistinguishedName = $DistinguishedName
        GivenName = $GivenName
        Name = $Name
        Owner = $nTSecurityDescriptor.owner
        ObjectClass = $ObjectClass
        ObjectGUID = $ObjectGUID
        SamAccountName = $SamAccountName
        SID = $SID
        Surname = $Surname
        UserPrincipalName = $UserPrincipalName
    }

    # Reset the variables before the next object
    $DistinguishedName = $null
    $GivenName = $null
    $Name = $null
    $ObjectClass = $null
    $ObjectGUID = $null
    $SamAccountName = $null
    $SID = $null
    $Surname = $null
    $UserPrincipalName = $null
    $nTSecurityDescriptor = $null
}

# How many accounts were returned?
Write-Host $Array.Count -ForegroundColor Yellow

# How many accounts need to be reviewed? (owner is none of the expected administrative principals)
$NoGood = $Array.Where({(($_.Owner -ne "$Domain\Admins du domaine") -and ($_.Owner -ne "$Domain\Enterprise Admins") -and ($_.Owner -ne "BUILTIN\Administrateurs") -and ($_.Owner -ne "AUTORITE NT\Système") )})
Write-Host $NoGood.count -ForegroundColor Cyan

# Print all NoGood Users with Owner (uncomment to include the Exchange system mailboxes)
# $NoGood | ft Name,Owner

# Exclude the Exchange SystemMailbox* and HealthMailbox* objects from the report
$Filter = $NoGood.Where({$_.Name -notlike "SystemMailbox*"})
$Filter = $Filter.Where({$_.Name -notlike "HealthMailbox*"})

# Print NoGood Users with Owner
$Filter | ft Name,Owner

# For Debug : check difference between normal object and exchange object
#Write-Host $NoGood.count -ForegroundColor Cyan
Write-Host $Filter.count -ForegroundColor Red

Computers:

# Get Computer Owner
# Sources :
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   When ANSSI's ORADAD is used, the script lets you fix the following finding: vuln3_owner
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#
# Create Array
$Array = @()

# Collect AD infos
$Domain = Get-ADDomain | select -ExpandProperty NetBIOSName
$AllComputers = Get-ADComputer -Filter * -Properties nTSecurityDescriptor

# Store Info
$AllComputers | foreach {
    $DistinguishedName = $_.DistinguishedName
    $DNSHostName = $_.DNSHostName
    $Enabled = $_.Enabled
    $Name = $_.Name
    $ObjectClass = $_.ObjectClass
    $ObjectGUID = $_.ObjectGUID
    $SamAccountName = $_.SamAccountName
    $SID = $_.SID
    $nTSecurityDescriptor = $_.nTSecurityDescriptor

    $Array += New-Object psobject -Property @{
        DistinguishedName = $DistinguishedName
        DNSHostName = $DNSHostName
        Enabled = $Enabled
        Name = $Name
        ObjectClass = $ObjectClass
        ObjectGUID = $ObjectGUID
        SamAccountName = $SamAccountName
        SID = $SID
        Owner = $nTSecurityDescriptor.owner
    }

    # Reset the variables before the next object
    $DistinguishedName = $null
    $DNSHostName = $null
    $Enabled = $null
    $Name = $null
    $ObjectClass = $null
    $ObjectGUID = $null
    $SamAccountName = $null
    $SID = $null
    $nTSecurityDescriptor = $null
}

# How many computers were returned?
Write-Host $Array.Count -ForegroundColor Yellow

# How many computers need to be reviewed?
$NoGood = $Array.Where({(($_.Owner -ne "$Domain\Admins du domaine") -and ($_.Owner -ne "$Domain\Enterprise Admins") -and ($_.Owner -ne "BUILTIN\Administrateurs") -and ($_.Owner -ne "AUTORITE NT\Système") )})
Write-Host $NoGood.count -ForegroundColor Cyan

# Print NoGood Computers with Owner
$NoGood | ft Name,Owner

Groups:

# Get Group Owner
# Sources :
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   When ANSSI's ORADAD is used, the script lets you fix the following finding: vuln3_owner
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#

# Create Array
$Array = @()

# Collect AD infos
$Domain = Get-ADDomain | select -ExpandProperty NetBIOSName
$AllGroups = Get-ADGroup -Filter * -Properties nTSecurityDescriptor

# Store Info
$AllGroups | foreach {
    $DistinguishedName = $_.DistinguishedName
    $GroupCategory = $_.GroupCategory
    $GroupScope = $_.GroupScope
    $Name = $_.Name
    $ObjectClass = $_.ObjectClass
    $ObjectGUID = $_.ObjectGUID
    $SamAccountName = $_.SamAccountName
    $SID = $_.SID
    $nTSecurityDescriptor = $_.nTSecurityDescriptor

    $Array += New-Object psobject -Property @{
        DistinguishedName = $DistinguishedName
        GroupCategory = $GroupCategory
        GroupScope = $GroupScope
        Name = $Name
        ObjectClass = $ObjectClass
        ObjectGUID = $ObjectGUID
        SamAccountName = $SamAccountName
        SID = $SID
        Owner = $nTSecurityDescriptor.owner
    }

    # Reset the variables before the next object
    $DistinguishedName = $null
    $GroupCategory = $null
    $GroupScope = $null
    $Name = $null
    $ObjectClass = $null
    $ObjectGUID = $null
    $SamAccountName = $null
    $SID = $null
    $nTSecurityDescriptor = $null
}

# How many groups were returned?
Write-Host $Array.Count -ForegroundColor Yellow

# How many groups need to be reviewed?
$NoGood = $Array.Where({(($_.Owner -ne "$Domain\Admins du domaine") -and ($_.Owner -ne "$Domain\Enterprise Admins") -and ($_.Owner -ne "BUILTIN\Administrateurs") -and ($_.Owner -ne "AUTORITE NT\Système") )})
Write-Host $NoGood.count -ForegroundColor Cyan

# Print NoGood Groups with Owner
$NoGood | ft Name,Owner

Organizational units:

# Get OU Owner
# Sources :
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   When ANSSI's ORADAD is used, the script lets you fix the following finding: vuln3_owner
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#
# Create Array
$Array = @()

# Collect AD infos
$Domain = Get-ADDomain | select -ExpandProperty NetBIOSName
$AllOU = Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor

# Store Info
$AllOU | foreach {
    $City = $_.City
    $Country = $_.Country
    $DistinguishedName = $_.DistinguishedName
    $ManagedBy = $_.ManagedBy
    $Name = $_.Name
    $nTSecurityDescriptor = $_.nTSecurityDescriptor

    $Array += New-Object psobject -Property @{
        City = $City
        Country = $Country
        DistinguishedName = $DistinguishedName
        ManagedBy = $ManagedBy
        Name = $Name
        Owner = $nTSecurityDescriptor.owner
    }

    # Reset the variables before the next object
    $City = $null
    $Country = $null
    $DistinguishedName = $null
    $ManagedBy = $null
    $Name = $null
    $nTSecurityDescriptor = $null
}

# How many OUs were returned?
Write-Host $Array.Count -ForegroundColor Yellow

# How many OUs need to be reviewed?
$NoGood = $Array.Where({(($_.Owner -ne "$Domain\Admins du domaine") -and ($_.Owner -ne "$Domain\Enterprise Admins") -and ($_.Owner -ne "BUILTIN\Administrateurs") -and ($_.Owner -ne "AUTORITE NT\Système") )})
Write-Host $NoGood.count -ForegroundColor Cyan

# Print NoGood OUs with Owner
$NoGood | ft Name,Owner
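The four scripts above only report. The remediation the article's title refers to (handing the object back to an administrative owner) is shown here as an added example; it is not taken from the page or from the RDR-IT repository. It assumes an English-language domain (so the allowed owners are the English group names, to be adapted as the author warns), the ActiveDirectory module, which provides the AD: PSDrive that Get-Acl and Set-Acl work on, and an account that is itself allowed to take ownership, such as a member of Domain Admins. The functions Get-NonCompliantAdObject and Set-AdObjectOwner and the CSV path are names introduced for this example.

```powershell
# Added example (not from the original page or the RDR-IT scripts): report, then fix,
# AD users, groups, computers and OUs whose owner is not an administrative principal.
# Assumptions: English group names, ActiveDirectory module loaded (AD: drive available),
# and the running account may take ownership (e.g. a Domain Admin).
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).NetBIOSName

# Owners considered legitimate (English names; the article's scripts use the French ones)
$AllowedOwners = @(
    "$Domain\Domain Admins",
    "$Domain\Enterprise Admins",
    "BUILTIN\Administrators",
    "NT AUTHORITY\SYSTEM"
)

# Owner given to every non-compliant object
$NewOwner = New-Object System.Security.Principal.NTAccount($Domain, "Domain Admins")

function Get-NonCompliantAdObject {
    # Collect the four object types with their security descriptor in one pass and
    # keep those whose owner is not in the allow list. nTSecurityDescriptor is not
    # part of the default property set, so it is requested explicitly.
    $objects = @(
        Get-ADUser               -Filter * -Properties nTSecurityDescriptor
        Get-ADGroup              -Filter * -Properties nTSecurityDescriptor
        Get-ADComputer           -Filter * -Properties nTSecurityDescriptor
        Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor
    )
    foreach ($obj in $objects) {
        $owner = $obj.nTSecurityDescriptor.Owner
        if ($AllowedOwners -notcontains $owner) {
            [pscustomobject]@{
                Name              = $obj.Name
                ObjectClass       = $obj.ObjectClass
                DistinguishedName = $obj.DistinguishedName
                Owner             = $owner
            }
        }
    }
}

function Set-AdObjectOwner {
    # Replace the owner in the object's security descriptor. SupportsShouldProcess
    # gives the function -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName,
        [System.Security.Principal.NTAccount]$Owner = $NewOwner
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl = Get-Acl -Path $path
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "Set owner to $Owner")) {
            $acl.SetOwner($Owner)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# 1. Report, excluding the Exchange system mailboxes as the article's user script does,
#    and keep a copy of the "before" state for the change record.
$report = Get-NonCompliantAdObject |
    Where-Object { $_.Name -notlike 'SystemMailbox*' -and $_.Name -notlike 'HealthMailbox*' }
$report | Format-Table Name, ObjectClass, Owner -AutoSize
$report | Export-Csv -Path '.\ad-owner-before.csv' -NoTypeInformation   # path chosen for this example

# 2. Dry run: prints what would change without touching the directory.
$report | Set-AdObjectOwner -WhatIf

# 3. Once the report has been reviewed, run the same pipeline without -WhatIf:
# $report | Set-AdObjectOwner
```

Run the report first and read it: objects created by Exchange or other products may be owned by their service accounts on purpose, and those should be added to the exclusions rather than re-owned. Re-running Get-NonCompliantAdObject after the fix should return an empty list, which is also the state ORADAD's vuln3_owner check expects.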

Sources:

Romain Drouche
Systems Architect | MCSE: Core Infrastructure
IT infrastructure expert with more than 15 years of experience in the field. Currently, as a Systems and Networks Project Manager and an Information Systems Security (ISS) expert, I use my experience to guarantee the reliability and security of technology environments.
