WriteOwner cleanup has three parts: restore the owner, remove the ACE added after ownership was taken, and undo the final abuse action.
Restore the owner:
Set-DomainObjectOwner -TargetIdentity 'svc_web' -OwnerIdentity 'Domain Admins'
Set-DomainObjectOwner -TargetIdentity 'ACL Operators' -OwnerIdentity 'Domain Admins'
Remove the added ACE:
dsacls "CN=Web Service,OU=Service Accounts,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"
dsacls "CN=ACL Operators,OU=Groups,OU=OOTW Lab,DC=ootw,DC=local" /R "OOTW\ben.carter"
Remove added membership:
Remove-ADGroupMember -Identity 'ACL Operators' -Members 'alice.wright' -Confirm:$false
Cleanup ownership is safest when the original owner was recorded before the abuse. If it was not recorded, roll back the lab snapshot.
Events:
4670 - Permissions on an object were changed
4662 - Operation performed on object
5136 - Directory object modified
4728 / 4732 - Group membership changes after ownership takeover
4724 - Password reset after ownership takeover
Hunt for:
owner changes on users, groups, computers, OUs, or GPOs
owner change followed by DACL change
DACL change followed by password reset or group modification
Remediation:
- remove unnecessary WriteOwner rights
- monitor ownership changes on sensitive objects
- record and review privileged object owners
- protect admin objects from inherited delegation mistakes
- run regular BloodHound or ACL review for WriteOwner edges