Change owner on AD objects in PowerShell

Kishwaukee
I'm looking to do a massive change to a bunch of computers in AD. These computer objects need the owner changed to a different user account. I am looking to use the Set-ADComputer PowerShell command but I can't figure out what other options I need to use.

Thanks.

When you say owner what exactly do you mean? I do not see any attribute listed as owner in active directory.

Author

Commented:
First you need to have advanced features turned on. Then select an object and go to properties, then security, advanced, then the owner tab. I can change them all this way; however, this will take way too long to do one by one. I need a massive change script.
Ok, I see it now. That is actually the ACL of the object in Active Directory, so you will not be able to change it using SET-ADCOMPUTER. To actually change that you would need to use a tool like DSACLS, although I'm not sure what the PowerShell equivalent is.

http://ss64.com/nt/dsacls.html
"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
Best to use get-acl, modify it, and then apply the change with set-acl (you will need to figure out yourself how to determine the corresponding computer object):
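# Path to the computer object (left elided in the original post)
$obj = [LDAP]...
# Read the current security descriptor
$acl = Get-Acl $obj
# Set the new owner on the in-memory copy
$acl.SetOwner([Security.Principal.NTAccount] "Domain\Login")
# Write the modified descriptor back to the object
Set-Acl -Path $obj -AclObject $acl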


On the other hand, using external tools like dsacls is still a good idea, even in PowerShell; some stuff (like ACLs) is not handled in a comfortable way in PS.
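
A bulk version of the Get-Acl / Set-Acl approach from the answer above, as an added example that is not part of the original thread. It assumes the ActiveDirectory module is installed (it provides the AD: drive); the OU, the account name, the report file name and the `$DryRun` switch are placeholders chosen for illustration.

```powershell
# Added example: audit and change the owner of every computer object in one OU.
# Assumptions: ActiveDirectory module available; values below are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'                            # placeholder OU
$NewOwner   = [System.Security.Principal.NTAccount] 'EXAMPLE\Domain Admins'  # placeholder account
$DryRun     = $true    # set to $false to actually write the change

# Resolve the account to a SID once; this throws early if the name is wrong.
$newSid = $NewOwner.Translate([System.Security.Principal.SecurityIdentifier])

$results = foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
    $path   = "AD:\$($computer.DistinguishedName)"
    $oldSid = $null
    try {
        $acl    = Get-Acl -Path $path -ErrorAction Stop
        # Compare by SID so orphaned or renamed owners are handled correctly.
        $oldSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        if ($oldSid -eq $newSid) {
            $status = 'Unchanged'
        } else {
            $acl.SetOwner($newSid)
            Set-Acl -Path $path -AclObject $acl -WhatIf:$DryRun -ErrorAction Stop
            $status = if ($DryRun) { 'WouldChange' } else { 'Changed' }
        }
    } catch {
        # Typical cause: the caller lacks the right to assign this owner.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Computer = $computer.Name
        OldOwner = "$oldSid"
        NewOwner = $newSid.Value
        Status   = $status
    }
}

# Keep a record of what the owners were before the change.
$results | Export-Csv -Path .\computer-owner-change.csv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once with `$DryRun = $true` and review the CSV before switching it off; the report also records the previous owner SIDs.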
