When a user joins a computer to an AD domain, they automatically become the owner of the corresponding AD object. This is why standard users should not have the domain join permission. If they still own computer objects, it is recommended for security reasons to replace them with a service account.

As a best practice, Microsoft recommends revoking the domain join permission from regular users. Instead, it is advised to delegate this task to service accounts whose permissions are tailored to this purpose. By doing so, a known attack vector is eliminated.

If the domain join is delegated to specific accounts after end users have already added numerous computers to the domain, it is recommended that the owner of these computer objects be changed.

This also applies if a domain admin has been used for this purpose until now.

Active Directory Users and Computers

To view the permissions and the owner of a computer object in AD Users and Computers (ADUC), open the properties of the computer object, switch to the Security tab, and click Advanced.

Edit the owner of a computer object in Active Directory with AD Users and Computers

If necessary, you can enter a new owner by clicking the Change link in that section.

In ADUC, you can only edit the permissions of individual objects. If you select multiple objects, the Properties dialog will not display the Security tab.

Display owner with PowerShell

For bulk operations, it is therefore recommended to use PowerShell. If you first want to get an overview of multiple objects' ownership, there are several options available.

One approach is to generate a list of computer names and owners by expanding the nTSecurityDescriptor attribute using Select-Object:

# Expand the security descriptor of every computer and pair its owner with the computer name;
# -PipelineVariable keeps the original computer object available as $p in later stages.
Get-ADComputer -Filter * -Properties nTSecurityDescriptor -PipelineVariable p |
Select-Object -ExpandProperty nTSecurityDescriptor |
Select-Object @{n="Computer";e={ $p.Name }}, @{n="Owner";e={ $_.Owner }}

Display all domain computers and their owners with PowerShell

Alternatively, you can use Get-Acl to retrieve the owner for each computer individually. When outputting the results using Format-List, you can strip the leading "CN=" from PSChildName with the -replace operator (TrimStart() is not suitable here, because it treats its argument as a set of characters and would also remove leading "C" and "N" letters from the computer name):

# Retrieve the ACL of every computer object via the AD: drive and show name and owner
Get-ADComputer -Filter * |
ForEach-Object { Get-Acl -Path "AD:$($_.DistinguishedName)" } |
Format-List @{n="Name";e={ $_.PSChildName -replace '^CN=' }}, @{n="Owner";e={ $_.Owner }}

This variant has the advantage of generating the necessary ACL objects, which are required if you want to change the owner. The following script accomplishes this task:

# The delegated join account that should own the computer objects
$user = New-Object System.Security.Principal.NTAccount("contoso\djoin")
Get-ADComputer -Filter 'name -like "win11*"' |
ForEach-Object {
    # Read the current ACL, replace the owner, and write the ACL back
    $acl = Get-Acl -Path "AD:$($_.DistinguishedName)"
    $acl.SetOwner($user)
    Set-Acl -Path "AD:$($_.DistinguishedName)" -AclObject $acl
}

In this example, all computers whose names begin with "Win11" are assigned contoso\djoin as the new owner.

Assign a new owner to computer objects with Set-Acl
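The two steps above (listing owners, then reassigning them) combined into an audit-and-remediate script, as an added example that is not part of the original article. It assumes the ActiveDirectory module and its AD: drive are available and uses "contoso\djoin" as a placeholder for the delegated join account; the ShouldProcess support lets you preview every change with -WhatIf first.

```powershell
Import-Module ActiveDirectory

# Placeholder for the delegated join account; replace with your own service account.
$ExpectedOwner = New-Object System.Security.Principal.NTAccount("contoso\djoin")

function Get-ComputerOwnerReport {
    param([string]$Filter = '*')
    Get-ADComputer -Filter $Filter | ForEach-Object {
        $acl = Get-Acl -Path "AD:$($_.DistinguishedName)"
        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            Owner             = $acl.Owner
            # Owner is rendered as DOMAIN\name; compare case-insensitively
            OwnerIsDelegated  = ($acl.Owner -ieq $ExpectedOwner.Value)
        }
    }
}

function Set-ComputerOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName,
        [System.Security.Principal.NTAccount]$NewOwner = $ExpectedOwner
    )
    process {
        $path = "AD:$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if ($acl.Owner -ieq $NewOwner.Value) { return }   # already correct, nothing to do
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "Set owner to $($NewOwner.Value)")) {
            $acl.SetOwner($NewOwner)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Dry run: list the mismatches, then pipe them through with -WhatIf before the real change.
Get-ComputerOwnerReport -Filter 'name -like "win11*"' |
    Where-Object { -not $_.OwnerIsDelegated } |
    Set-ComputerOwner -WhatIf
```

Drop -WhatIf (or add -Confirm) on the last line once the preview looks right.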

It is worth mentioning that the SetOwner method expects an IdentityReference, i.e., a System.Security.Principal.NTAccount or a System.Security.Principal.SecurityIdentifier object. However, Get-ADUser returns objects of the type Microsoft.ActiveDirectory.Management.ADUser. If you want to retrieve the principal using this cmdlet, use the SID property of the returned object as follows:

$user = New-Object System.Security.Principal.SecurityIdentifier ((Get-ADUser -Identity "myuser").SID.Value)

Summary

For security reasons, it is not recommended to let users join PCs to an AD domain. However, if you have allowed this in the past, it is advisable to assign new owners to the computer objects.


If you want to change the owner of individual computer objects, you can use AD users and computers. However, if you need to modify multiple objects by reading them from AD using filters, PowerShell is the preferred method. You can use the Set-Acl cmdlet to set the new owner.

6 Comments
  1. Rory Schmitz 3 months ago

    Wolfgang,

    Great article as always. It may be beneficial to outline a method to determine which user accounts in your AD have the ability to join a computer to the domain. This would help address any security concerns. Is there a PowerShell script you can provide that identifies those accounts?

    • Joseph Colvin 3 months ago

      I think it is really close to the commands Wolfgang pointed out…
      $acl = Get-ADUser -Identity "MyUser" | ForEach-Object { Get-Acl -Path "AD:$($_.DistinguishedName)" }
      $acc = $acl.Access
      Either
      $acc | Select-Object IdentityReference, AccessControlType
      or
      $acc | Format-List *
      should tell you what fields you need.

  2. Ruffault 3 months ago

    Thanks, Can you provide a script to assign new owners (group ex admins domain) to computer objects.

  3. Pedro 3 months ago

    Hi Wolfgang

    Nice commands.
    And ideas of powershell shell object tricks.
    It is nice that after many long years microsoft finally caught the ideas
    of unix shells like korn despite unix shells side no notion of objects.
    The "-PipelineVariable p" is an example of a kind of tee in pipes, perfect.
    Looks like you have a lot of posts.
    I will take a look.

  4. Tim 3 months ago

    I had an issue where the Owner of the WWA group was a Disabled user. The system alerted for auth failures and that was the only problem I found. There’s no information on the web about a situation like this, though ChatGPT states it could be the cause. It would be great if 4SysOps could do a series on these sub-system accounts.

  5. Ben 2 months ago

    Hi Wolfgang,

    setting new owners for those computer accounts is fine, but the former owner’s ExtendedRights on that object still remain even if the owner is changed afterwards.
    This should be considered as well.

    Kind regards,
    Ben
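The point raised in the last comment, checked in code: an added example (not from the article or the commenter) that lists the explicit, non-inherited ACEs a former owner still holds on computer objects after the owner has been changed, and removes them with -WhatIf support. It assumes the ActiveDirectory module and AD: drive are available; "contoso\jdoe" is a placeholder for the former owner.

```powershell
Import-Module ActiveDirectory

# Explicit (non-inherited) ACEs that $FormerOwner still holds on matching computer objects
function Get-ResidualAce {
    param(
        [Parameter(Mandatory)][string]$FormerOwner,   # DOMAIN\user, e.g. the old owner
        [string]$Filter = '*'
    )
    Get-ADComputer -Filter $Filter | ForEach-Object {
        $computer = $_
        $acl = Get-Acl -Path "AD:$($computer.DistinguishedName)"
        $acl.Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -ieq $FormerOwner } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer          = $computer.Name
                    Identity          = $_.IdentityReference.Value
                    Rights            = $_.ActiveDirectoryRights
                    ObjectType        = $_.ObjectType   # GUID of the extended right or attribute, if scoped
                    AccessControlType = $_.AccessControlType
                }
            }
    }
}

# Removes those ACEs; supports -WhatIf so the change can be previewed first
function Remove-ResidualAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$FormerOwner, [string]$Filter = '*')
    Get-ADComputer -Filter $Filter | ForEach-Object {
        $computer = $_
        $path  = "AD:$($computer.DistinguishedName)"
        $acl   = Get-Acl -Path $path
        $stale = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -ieq $FormerOwner })
        if ($stale.Count -gt 0 -and $PSCmdlet.ShouldProcess($computer.Name, "Remove $($stale.Count) ACE(s) for $FormerOwner")) {
            foreach ($ace in $stale) { [void]$acl.RemoveAccessRule($ace) }
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Review first, then preview the removal ("contoso\jdoe" is a placeholder former owner)
Get-ResidualAce    -FormerOwner "contoso\jdoe" -Filter 'name -like "win11*"' | Format-Table -AutoSize
Remove-ResidualAce -FormerOwner "contoso\jdoe" -Filter 'name -like "win11*"' -WhatIf
```

Inherited ACEs are deliberately skipped here, because they come from the parent OU and have to be reviewed there rather than on the computer object.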

© 4sysops 2006 - 2023
