As a best practice, Microsoft recommends revoking the domain join permission from regular users. Instead, it is advised to delegate this task to service accounts whose permissions are tailored to this purpose. By doing so, a known attack vector is eliminated.
If the domain join is delegated to specific accounts after end users have already added numerous computers to the domain, it is recommended that the owner of these computer objects be changed.
This also applies if a domain admin has been used for this purpose until now.
Active Directory Users and Computers
To view the permissions and the owner of a computer object in AD Users and Computers (ADUC), open the properties of the computer object, switch to the Security tab, and click Advanced.
If necessary, you can enter a new owner by clicking the Change link in that section.
In ADUC, you can only edit the permissions of individual objects. If you select multiple objects, the Properties dialog will not display the Security tab.
Display owner with PowerShell
For bulk operations, it is therefore recommended to use PowerShell. If you first want to get an overview of multiple objects' ownership, there are several options available.
One approach is to generate a list of computer names and owners by expanding the nTSecurityDescriptor attribute using Select-Object:
Get-ADComputer -Filter * -Properties nTSecurityDescriptor -PipelineVariable p | Select-Object -ExpandProperty nTSecurityDescriptor | Select-Object @{n="Computer";e={ $p.Name }}, @{n="Owner";e={ $_.Owner }}
Alternatively, you can use Get-Acl to retrieve the owner for each computer individually. When outputting the results using Format-List, you can strip the leading "CN=" from PSChildName with -replace (TrimStart("CN=") would not work reliably here, because it treats the argument as a set of characters and would also strip a leading C or N from the computer name itself):
Get-ADComputer -Filter * | ForEach-Object { Get-Acl -Path "AD:$($_.DistinguishedName)" } | Format-List @{n="Name";e={ $_.PSChildName -replace '^CN=' }}, @{n="Owner";e={ $_.Owner }}
This variant has the advantage of generating the necessary ACL objects, which are required if you want to change the owner. The following script accomplishes this task:
$user = New-Object System.Security.Principal.NTAccount("contoso\djoin")
Get-ADComputer -Filter 'name -like "win11*"' | ForEach-Object {
    $acl = Get-Acl -Path "AD:$($_.DistinguishedName)"
    $acl.SetOwner($user)
    Set-Acl -Path "AD:$($_.DistinguishedName)" $acl
}
In this example, all computers whose names begin with "Win11" are assigned contoso\djoin as the new owner.
It is worth mentioning that the SetOwner method expects an identity object such as System.Security.Principal.NTAccount (or a System.Security.Principal.SecurityIdentifier). Get-ADUser, however, returns objects of the type Microsoft.ActiveDirectory.Management.ADUser, which SetOwner does not accept. If you want to retrieve the principal using this cmdlet, build the identity from the SID of the returned user object:
$user = New-Object System.Security.Principal.SecurityIdentifier((Get-ADUser -Identity "myuser").SID.Value)
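The following script is an added example (not code from the original article) that ties the pieces above together: it resolves the delegated join account once via its SID, reports the current owner of each matching computer object, and reassigns only the objects whose owner is not on an approved list. It assumes the ActiveDirectory module (which provides the AD: drive), the article's Win11 name filter, and hypothetical account names contoso\djoin and CONTOSO\Domain Admins. It runs as a dry run until $dryRun is set to $false.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module, a hypothetical delegated join account "djoin" in the CONTOSO domain,
# and the article's filter on computer names beginning with "win11".
Import-Module ActiveDirectory

$dryRun = $true   # preview first; set to $false to actually change owners

# SetOwner() accepts any IdentityReference, so the SecurityIdentifier that
# Get-ADUser returns in its SID property can be passed directly.
$newOwner = (Get-ADUser -Identity 'djoin').SID

# Owners that may keep their objects; every other owner is replaced.
$approvedOwners = @('CONTOSO\djoin', 'CONTOSO\Domain Admins')

$report = foreach ($computer in Get-ADComputer -Filter 'name -like "win11*"') {
    $path     = "AD:$($computer.DistinguishedName)"
    $acl      = Get-Acl -Path $path
    $oldOwner = $acl.Owner          # "DOMAIN\name" string
    $changed  = $false

    if ($approvedOwners -notcontains $oldOwner) {
        $acl.SetOwner($newOwner)
        # -WhatIf only prints what would happen while $dryRun is $true
        Set-Acl -Path $path -AclObject $acl -WhatIf:$dryRun
        $changed = -not $dryRun
    }

    [pscustomobject]@{
        Computer = $computer.Name
        OldOwner = $oldOwner
        Changed  = $changed
        NewOwner = if ($changed) { (Get-Acl -Path $path).Owner } else { $oldOwner }
    }
}

$report | Format-Table -AutoSize
```

Keeping a report of the old owner is deliberate: after the change, the ACL no longer records who created the object, and that name is exactly what you need when you later review the remaining explicit permissions on those computers.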
Summary
For security reasons, it is not recommended to let users join PCs to an AD domain. However, if you have allowed this in the past, it is advisable to assign new owners to the computer objects.
If you want to change the owner of individual computer objects, you can use AD Users and Computers. However, if you need to modify multiple objects by reading them from AD using filters, PowerShell is the preferred method. You can use the Set-Acl cmdlet to set the new owner.
Wolfgang,
Great article as always. It may be beneficial to outline a method to determine which user accounts in your AD have the ability to join a computer to the domain. This would help address any security concerns. Is there a PowerShell script you can provide that identifies those accounts?
I think it is really close to the commands Wolfgang pointed out...
$acl = Get-ADUser -Identity "MyUser" | ForEach-Object { Get-Acl -Path "AD:$($_.DistinguishedName)" }
$acc = $acl.Access
Either
$acc | Select-Object IdentityReference, AccessControlType
or
$acc | Format-List *
should tell you what fields you need.
Thanks, Can you provide a script to assign new owners (group ex admins domain) to computer objects.
Hi Wolfgang
Nice commands.
And nice ideas for PowerShell object tricks.
It is nice that after many long years Microsoft finally caught on to the ideas
of Unix shells like Korn, even though Unix shells have no notion of objects.
The "-PipelineVariable p" is an example of a kind of tee in pipes, perfect.
Looks like you have a lot of posts.
I will take a look.
I had an issue where the Owner of the WWA group was a Disabled user. The system alerted for auth failures and that was the only problem I found. There’s no information on the web about a situation like this, though ChatGPT states it could be the cause. It would be great if 4SysOps could do a series on these sub-system accounts.
Hi Wolfgang,
setting new owners for those computer accounts is fine, but the former owner’s ExtendedRights on that object still remain even if the owner is changed afterwards.
This should be considered as well.
Kind regards,
Ben
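Ben's point above, and the earlier question about seeing which accounts hold rights on an object, can both be checked with the same ACL objects the article uses. The following script is an added example (not code from the article or from any commenter): it lists every explicit (non-inherited) ACE on the matching computer objects that still names the former owner, and removes those ACEs once $dryRun is set to $false. It assumes the ActiveDirectory module, the article's Win11 name filter, and a hypothetical former owner CONTOSO\jdoe.

```powershell
# Added example, not from the article or the comments. Assumes the
# ActiveDirectory module and a hypothetical former owner "CONTOSO\jdoe".
Import-Module ActiveDirectory

$formerOwner = 'CONTOSO\jdoe'
$dryRun      = $true   # report only; set to $false to remove the ACEs

$findings = foreach ($computer in Get-ADComputer -Filter 'name -like "win11*"') {
    $path = "AD:$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Explicit ACEs granted to the former owner on this object. Inherited ACEs
    # come from the OU and are reported by IsInherited but left untouched here.
    $leftover = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $formerOwner
    })

    foreach ($ace in $leftover) {
        [pscustomobject]@{
            Computer   = $computer.Name
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType      # Allow / Deny
            Rights     = $ace.ActiveDirectoryRights  # e.g. ExtendedRight, WriteProperty
            ObjectType = $ace.ObjectType             # attribute/right GUID; all-zero = whole object
        }
        # RemoveAccessRule only edits the in-memory ACL; Set-Acl writes it back
        [void]$acl.RemoveAccessRule($ace)
    }

    if ($leftover.Count -gt 0 -and -not $dryRun) {
        Set-Acl -Path $path -AclObject $acl
    }
}

$findings | Format-Table -AutoSize
```

Review the report with $dryRun left at $true first: the ObjectType GUID tells you which attribute or extended right each leftover ACE covers, and ACEs that are Deny entries or that belong to an inherited OU delegation should be handled at their source rather than removed per object.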