Active Directory: bulk change of the object owner

Below you will find scripts that let you change, in bulk, the owner of several kinds of Active Directory objects, for example:

  • Users
  • Groups
  • Organizational units
  • Computers

In a "normal" situation, the owner of an Active Directory object is one of:

  • Domain Admins
  • Enterprise Admins
  • BUILTIN\Administrators
  • NT AUTHORITY\SYSTEM

When an object is created by a user who is not a member of one of the groups above, through a delegation or through membership of the "Account Operators" group, the owner of the object is the user who created it.

This is a security problem rather than a cosmetic one: the owner of an object implicitly holds the right to read and rewrite its permissions (READ_CONTROL and WRITE_DAC), independently of what the DACL says. A helpdesk account that created a user, a group or an OU therefore keeps the ability to grant itself full control over that object (reset the password, add members, change the ACL of an OU and everything below it) even after its delegation has been removed. This is the point the ANSSI Active Directory guide checks under vuln3_owner. With only a few objects you can fix this by hand, but with several tens or hundreds of objects it quickly becomes very time-consuming.

The group names in the scripts are in French (the domain controllers were installed in French); adapt them to the language of your own Active Directory environment. On an English-language domain they are "Domain Admins", "Enterprise Admins", "BUILTIN\Administrators" and "NT AUTHORITY\SYSTEM".

You can find the scripts here: PowerShell/Active Directory/Fix Owner Objects · master · RDR-IT / Scripts · GitLab
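The listing scripts further down compare the owner by its display name, which is what makes them language dependent. As an added example (not code from this post or from the RDR-IT repository), the following function performs the same audit for all four object classes at once but compares the owner's SID against the well-known RIDs/SIDs of the expected principals, so it gives the same result on a domain controller installed in any language and also catches owners whose account has since been deleted (an orphaned SID that no longer resolves to a name). It assumes the RSAT ActiveDirectory module and a domain-joined session; the function name and the OwnerIsExpected output column are my own naming.

```powershell
# Added example, not code from the original post or the RDR-IT GitLab repository.
# Audits the owner of users, groups, OUs and computers by comparing the owner SID
# with well-known RIDs/SIDs, so no localized group name is needed.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-ADObjectOwnerReport {
    [CmdletBinding()]
    param(
        # Object classes to audit; defaults to the four classes discussed in the post.
        [ValidateSet('user', 'group', 'organizationalUnit', 'computer')]
        [string[]]$ObjectClass = @('user', 'group', 'organizationalUnit', 'computer')
    )

    # LDAP filter per class. "computer" is a subclass of "user", so users are
    # selected by objectCategory=person to keep the two reports apart.
    $ldapFilter = @{
        user               = '(&(objectCategory=person)(objectClass=user))'
        group              = '(objectCategory=group)'
        organizationalUnit = '(objectCategory=organizationalUnit)'
        computer           = '(objectCategory=computer)'
    }

    $domain        = Get-ADDomain
    $rootDomainSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

    # Expected owners, expressed as SIDs (language independent):
    #   Domain Admins          = <domain SID>-512
    #   Enterprise Admins      = <forest root domain SID>-519
    #   BUILTIN\Administrators = S-1-5-32-544
    #   NT AUTHORITY\SYSTEM    = S-1-5-18
    $expectedOwnerSids = @(
        "$($domain.DomainSID.Value)-512",
        "$rootDomainSid-519",
        'S-1-5-32-544',
        'S-1-5-18'
    )

    foreach ($class in $ObjectClass) {
        # nTSecurityDescriptor is not returned by default; request it explicitly.
        Get-ADObject -LDAPFilter $ldapFilter[$class] -Properties nTSecurityDescriptor |
            ForEach-Object {
                # GetOwner with the SecurityIdentifier type never tries to resolve a name,
                # so it also works when the owner is a deleted (orphaned) account.
                $sd       = $_.nTSecurityDescriptor
                $ownerSid = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
                [pscustomobject]@{
                    DistinguishedName = $_.DistinguishedName
                    Name              = $_.Name
                    ObjectClass       = $_.ObjectClass
                    Owner             = $sd.Owner   # resolved name, or the raw SID if it no longer resolves
                    OwnerSid          = $ownerSid
                    OwnerIsExpected   = $expectedOwnerSids -contains $ownerSid
                }
            }
    }
}

# Usage: list every object whose owner is not one of the expected principals.
# $report = Get-ADObjectOwnerReport
# $report | Where-Object { -not $_.OwnerIsExpected } | Format-Table ObjectClass, Name, Owner
```

Because the comparison is on SIDs, an owner such as "O:S-1-5-21-...-1234" (a creator account that has been deleted) is flagged like any other unexpected owner, whereas a name-based comparison would show a string that matches nothing and could be overlooked.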

If you only want to list the affected objects without changing anything:

Users:

# Get Users Owner
# Sources:
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   When using ANSSI's ORADAD, this script helps to address the finding vuln3_owner:
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#

# Create Array
$Array = @()

# Collect AD infos
$Domain = Get-ADDomain | Select-Object -ExpandProperty NetBIOSName
# nTSecurityDescriptor is not returned by default, it must be requested explicitly
$AllUsers = Get-ADUser -Filter * -Properties nTSecurityDescriptor

# Expected owners, with French group names: adapt them to the language of your DC.
# Enterprise Admins only exists in the forest root domain, so the "$Domain\" prefix
# is only right when this script runs in the root domain.
$ExpectedOwners = @(
    "$Domain\Admins du domaine",
    "$Domain\Administrateurs de l'entreprise",
    "BUILTIN\Administrateurs",
    "AUTORITE NT\Système"
)

# Store Info (Owner is the NTAccount name resolved from the security descriptor)
$AllUsers | ForEach-Object {
    $Array += New-Object psobject -Property @{
        DistinguishedName = $_.DistinguishedName
        GivenName         = $_.GivenName
        Name              = $_.Name
        Owner             = $_.nTSecurityDescriptor.Owner
        ObjectClass       = $_.ObjectClass
        ObjectGUID        = $_.ObjectGUID
        SamAccountName    = $_.SamAccountName
        SID               = $_.SID
        Surname           = $_.Surname
        UserPrincipalName = $_.UserPrincipalName
    }
}

# How many accounts were returned?
Write-Host $Array.Count -ForegroundColor Yellow

# How many accounts need to be reviewed?
$NoGood = $Array.Where({ $_.Owner -notin $ExpectedOwners })
Write-Host $NoGood.Count -ForegroundColor Cyan

# Print NoGood users with their owner (before the Exchange exclusion below)
# $NoGood | Format-Table Name,Owner

# Exchange system and health mailbox accounts are excluded from the report
$Filter = $NoGood.Where({ ($_.Name -notlike "SystemMailbox*") -and ($_.Name -notlike "HealthMailbox*") })

# Print NoGood users with their owner
$Filter | Format-Table Name,Owner

# For debug: difference between normal objects and Exchange objects
#Write-Host $NoGood.Count -ForegroundColor Cyan
Write-Host $Filter.Count -ForegroundColor Red

Computers:

# Get Computer Owner
# Sources:
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   When using ANSSI's ORADAD, this script helps to address the finding vuln3_owner:
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#   Computer accounts are a typical case: a workstation joined to the domain by a
#   standard user (ms-DS-MachineAccountQuota) is owned by that user.

# Create Array
$Array = @()

# Collect AD infos
$Domain = Get-ADDomain | Select-Object -ExpandProperty NetBIOSName
# nTSecurityDescriptor is not returned by default, it must be requested explicitly
$AllComputers = Get-ADComputer -Filter * -Properties nTSecurityDescriptor

# Expected owners, with French group names: adapt them to the language of your DC.
# Enterprise Admins only exists in the forest root domain, so the "$Domain\" prefix
# is only right when this script runs in the root domain.
$ExpectedOwners = @(
    "$Domain\Admins du domaine",
    "$Domain\Administrateurs de l'entreprise",
    "BUILTIN\Administrateurs",
    "AUTORITE NT\Système"
)

# Store Info (DNSHostName and Enabled are default properties of Get-ADComputer)
$AllComputers | ForEach-Object {
    $Array += New-Object psobject -Property @{
        DistinguishedName = $_.DistinguishedName
        DNSHostName       = $_.DNSHostName
        Enabled           = $_.Enabled
        Name              = $_.Name
        ObjectClass       = $_.ObjectClass
        ObjectGUID        = $_.ObjectGUID
        SamAccountName    = $_.SamAccountName
        SID               = $_.SID
        Owner             = $_.nTSecurityDescriptor.Owner
    }
}

# How many computers were returned?
Write-Host $Array.Count -ForegroundColor Yellow

# How many computers need to be reviewed?
$NoGood = $Array.Where({ $_.Owner -notin $ExpectedOwners })
Write-Host $NoGood.Count -ForegroundColor Cyan

# Print NoGood computers with their owner
$NoGood | Format-Table Name,DNSHostName,Enabled,Owner

Groups:

# Get Group Owner
# Sources:
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   When using ANSSI's ORADAD, this script helps to address the finding vuln3_owner:
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#

# Create Array
$Array = @()

# Collect AD infos
$Domain = Get-ADDomain | Select-Object -ExpandProperty NetBIOSName
# nTSecurityDescriptor is not returned by default, it must be requested explicitly
$AllGroups = Get-ADGroup -Filter * -Properties nTSecurityDescriptor

# Expected owners, with French group names: adapt them to the language of your DC.
# Enterprise Admins only exists in the forest root domain, so the "$Domain\" prefix
# is only right when this script runs in the root domain.
$ExpectedOwners = @(
    "$Domain\Admins du domaine",
    "$Domain\Administrateurs de l'entreprise",
    "BUILTIN\Administrateurs",
    "AUTORITE NT\Système"
)

# Store Info (GroupCategory and GroupScope are default properties of Get-ADGroup)
$AllGroups | ForEach-Object {
    $Array += New-Object psobject -Property @{
        DistinguishedName = $_.DistinguishedName
        GroupCategory     = $_.GroupCategory
        GroupScope        = $_.GroupScope
        Name              = $_.Name
        ObjectClass       = $_.ObjectClass
        ObjectGUID        = $_.ObjectGUID
        SamAccountName    = $_.SamAccountName
        SID               = $_.SID
        Owner             = $_.nTSecurityDescriptor.Owner
    }
}

# How many groups were returned?
Write-Host $Array.Count -ForegroundColor Yellow

# How many groups need to be reviewed?
$NoGood = $Array.Where({ $_.Owner -notin $ExpectedOwners })
Write-Host $NoGood.Count -ForegroundColor Cyan

# Print NoGood groups with their owner
$NoGood | Format-Table Name,GroupScope,Owner

Organizational units:

# Get OU Owner
# Sources:
#   - https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
#   - https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
#
#   /!\ You must adapt the name of the groups to the installation language of your domain controller /!\
#
#   When using ANSSI's ORADAD, this script helps to address the finding vuln3_owner:
#   https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner
#
#   The owner of an OU can rewrite the OU's DACL, and inheritable ACEs set there
#   flow down to every object below it, so OUs deserve the first review.

# Create Array
$Array = @()

# Collect AD infos
$Domain = Get-ADDomain | Select-Object -ExpandProperty NetBIOSName
# nTSecurityDescriptor is not returned by default, it must be requested explicitly
$AllOU = Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor

# Expected owners, with French group names: adapt them to the language of your DC.
# Enterprise Admins only exists in the forest root domain, so the "$Domain\" prefix
# is only right when this script runs in the root domain.
$ExpectedOwners = @(
    "$Domain\Admins du domaine",
    "$Domain\Administrateurs de l'entreprise",
    "BUILTIN\Administrateurs",
    "AUTORITE NT\Système"
)

# Store Info (City, Country and ManagedBy are default properties of Get-ADOrganizationalUnit)
$AllOU | ForEach-Object {
    $Array += New-Object psobject -Property @{
        City              = $_.City
        Country           = $_.Country
        DistinguishedName = $_.DistinguishedName
        ManagedBy         = $_.ManagedBy
        Name              = $_.Name
        Owner             = $_.nTSecurityDescriptor.Owner
    }
}

# How many OUs were returned?
Write-Host $Array.Count -ForegroundColor Yellow

# How many OUs need to be reviewed?
$NoGood = $Array.Where({ $_.Owner -notin $ExpectedOwners })
Write-Host $NoGood.Count -ForegroundColor Cyan

# Print NoGood OUs with their owner
$NoGood | Format-Table Name,DistinguishedName,Owner
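The scripts above only report; the bulk change itself is in the GitLab repository linked earlier. As an added example (not the author's script), here is one way to do that step with the AD: drive of the ActiveDirectory module: it takes the DistinguishedName of the flagged objects (for instance the $NoGood variable built by the scripts above), rewrites only the owner of the security descriptor and supports -WhatIf for a dry run. It assumes the ActiveDirectory module is loaded with its default AD: drive and that the session runs as a member of the group that becomes the new owner (by default Domain Admins, resolved through RID 512 rather than by name): the domain controller only accepts an owner that is present in the caller's token unless the caller holds SeRestorePrivilege. The function name is mine.

```powershell
# Added example, not the script from the original post or the RDR-IT GitLab repository.
# Sets the owner of the given AD objects in bulk through the AD: PSDrive.
# Assumptions: ActiveDirectory module loaded with its default AD: drive, and a session
# running as a member of the group chosen as new owner (Domain Admins by default).
Import-Module ActiveDirectory

function Set-ADObjectOwnerBulk {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Accepts plain DNs or any object with a DistinguishedName property (e.g. $NoGood)
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string[]]$DistinguishedName,

        # New owner as a SecurityIdentifier or NTAccount, e.g.
        #   -NewOwner ([System.Security.Principal.NTAccount]'CONTOSO\Domain Admins')
        # Defaults to the domain's Domain Admins group, resolved by RID 512 so the
        # example works whatever the installation language of the DC.
        [System.Security.Principal.IdentityReference]$NewOwner
    )

    begin {
        if (-not $NewOwner) {
            $domainSid = (Get-ADDomain).DomainSID.Value
            $NewOwner  = [System.Security.Principal.SecurityIdentifier]"$domainSid-512"
        }
        # Resolve once; fails early if an NTAccount name cannot be mapped
        $newOwnerSid = $NewOwner.Translate([System.Security.Principal.SecurityIdentifier])
        $results     = [System.Collections.Generic.List[object]]::new()
    }

    process {
        foreach ($dn in $DistinguishedName) {
            $path = "AD:\$dn"
            $acl  = $null
            try {
                $acl        = Get-Acl -Path $path
                $currentSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])

                if ($currentSid -eq $newOwnerSid) {
                    $status = 'AlreadyCorrect'
                }
                elseif ($PSCmdlet.ShouldProcess($dn, "Set owner to $NewOwner")) {
                    # Only the owner is changed; the DACL and SACL already on the
                    # object are written back unchanged.
                    $acl.SetOwner($NewOwner)
                    Set-Acl -Path $path -AclObject $acl
                    $status = 'Changed'
                }
                else {
                    $status = 'Skipped'   # -WhatIf, or the confirmation was refused
                }
            }
            catch {
                # Typical causes: access denied (no WRITE_OWNER on the object, or the
                # new owner is not in the caller's token) or an object deleted meanwhile.
                $status = "Error: $($_.Exception.Message)"
            }

            $results.Add([pscustomobject]@{
                DistinguishedName = $dn
                PreviousOwner     = $acl.Owner
                Status            = $status
            })
        }
    }

    end { $results }
}

# Usage: dry run first, then apply without a prompt per object.
# $NoGood | Set-ADObjectOwnerBulk -WhatIf
# $NoGood | Set-ADObjectOwnerBulk -Confirm:$false | Format-Table DistinguishedName, PreviousOwner, Status
```

ConfirmImpact is set to High on purpose: an unqualified run prompts for every object, and the unattended run has to say -Confirm:$false explicitly. Keep the returned report (PreviousOwner and Status) with the change ticket: it is the only record of who owned each object before the change, which matters if an owner turns out to have been an intentional delegation rather than a leftover.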

Sources:

  • https://blog.piservices.fr/post/2021/03/29/powershell-who-s-owner-of-my-ad-object
  • https://blog.piservices.fr/post/2021/04/12/powershell-change-the-owner-of-my-ad-objects
  • https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner (ANSSI Active Directory guide, vuln3_owner)

Romain Drouche
System Architect | MCSE: Core Infrastructure
IT infrastructure expert with over 15 years of field experience. Currently Systems and Networks Project Manager and Information Systems Security expert, I use my skills to ensure the reliability and security of technology environments.
