WriteOwner basically allow us to become the owner of the object, granting us GenericAll or GenericWrite .
Same as the other ACEs, open ADSI Edit and browse to your target account, in my case a.king. Right click it, go to the security tab and click on advanced. Select the principal you want to grant this privilege over. I'll use Infrastructure Managers.
As mentioned previously, is more unreliable.
Written by ruycr4ft
Last updated
$MyAdmin = (get-adgroup "Infrastructure Managers").sid
$MyUser = (get-aduser a.king)
$MyDistinguishedName = ($Myuser).distinguishedname
$MyDistinguishedNameAD = $MyDistinguishedName = "AD:$MyUser"
$MyACL= Get-ACL $MyDistinguishedNameAD
$MyADRights = [System.DirectoryServices.ActiveDirectoryRights] "WriteOwner" # change to the preferred ACE
$MyType = [System.Security.AccessControl.AccessControlType] "Allow"
$MyInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$MyACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $MyAdmin,$MyADRights,$MyType,$MyInheritanceType
$MyACL.AddAccessRule($MyACE)
Set-acl -aclobject $MyACL $MyDistinguishedNameAD
(Get-ACL "AD:$((Get-ADUser -Identity 'a.king').distinguishedname)").access | Select IdentityReference, AccessControlType, ActiveDirectoryRights | Where-Object {$_.ActiveDirectoryRights -contains "WriteOwner"}