I was looking into ways to get the owner of an Active Directory user object. I looked at VBScript and C#.NET. While searching for code and browsing the objects available in .NET with the object browser, I found this MSDN blog entry by Alex Tcherniakhovski:
Extracting object ownership information from Active Directory into SQL
One fact mentioned near the bottom of the blog entry is yet another argument for keeping the Domain Admins group small:
Yet another reason to keep Domain Admins group small.
VBScript
Option Explicit
Dim sADDN, objUser, objNtSecurityDescriptor

' ADsPath of the object to inspect (LDAP://<distinguished name>)
sADDN = "LDAP://YourContextHere"
Set objUser = GetObject(sADDN)

' ntSecurityDescriptor comes back as an IADsSecurityDescriptor;
' its Owner property is the owner in DOMAIN\name form
Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner
C#.NET
References Used
Name: System.DirectoryServices
Path: C:\Program Files\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.5.1\System.DirectoryServices.dll
Version: 4.0.0.0
Name: System.DirectoryServices.AccountManagement
Path: C:\Program Files\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.5.1\System.DirectoryServices.AccountManagement.dll
Version: 4.0.0.0
Name: Active DS Type Library
Path: C:\Windows\System32\activeds.tlb
Version: 1.0
File Version: 6.1.7600.16385(win7_rtm.090713-1255)
using System;
using System.Security.Principal;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.DirectoryServices.AccountManagement;
using ActiveDs; // from the Active DS Type Library reference; not needed by this snippet

namespace ADOwner
{
    class Program
    {
        static void Main(string[] args)
        {
            // Placeholders only. Do not hard-code real credentials; prompt for them
            // or run under an account that already has read access to the object.
            string ADDomain = "yourdomain.com";
            string ADUser = "youraduser";
            string ADPass = "youradpass";
            string ADsAMAccountName = "YOURDOMAIN\\USERNAMEHERE";

            using (var pc = new PrincipalContext(ContextType.Domain, ADDomain, ADUser, ADPass))
            {
                // Get the UserPrincipal object
                UserPrincipal inetPerson = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, ADsAMAccountName);
                if (inetPerson == null)
                {
                    Console.WriteLine("User not found: {0}", ADsAMAccountName);
                    return;
                }

                // Get the underlying DirectoryEntry
                DirectoryEntry de = inetPerson.GetUnderlyingObject() as DirectoryEntry;

                // ObjectSecurity wraps the object's ntSecurityDescriptor
                ActiveDirectorySecurity ads = de.ObjectSecurity;

                // Get the owner SID
                SecurityIdentifier sid = (SecurityIdentifier)ads.GetOwner(typeof(SecurityIdentifier));

                // Translate the SID to DOMAIN\name; this fails for a deleted or unresolvable principal
                try
                {
                    NTAccount account = (NTAccount)sid.Translate(typeof(NTAccount));
                    Console.WriteLine("Owner: {0}", account.ToString());
                }
                catch (IdentityNotMappedException)
                {
                    Console.WriteLine("Owner SID (unresolved): {0}", sid.Value);
                }
                Console.ReadKey();
            }
        }
    }
}
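The same lookup is shorter in PowerShell, and it is easy to turn into an audit over a whole OU. The following is an added example, not code from the original post or from the linked blog entry. It assumes the ActiveDirectory RSAT module is installed, that the OU path in $searchBase exists in your domain, and that a group named "Domain Admins" is the owner you want to compare against.

```powershell
# Added example: read the owner of an AD user object in PowerShell and audit an OU.
# Assumes the ActiveDirectory module (RSAT); $searchBase is a placeholder you must change.
Import-Module ActiveDirectory

function Get-ADUserOwner {
    [CmdletBinding()]
    param(
        # An ADUser object, or any identity Get-ADUser accepts (sAMAccountName, DN, SID, GUID)
        [Parameter(Mandatory, ValueFromPipeline)]
        $User
    )
    process {
        # Load nTSecurityDescriptor if the caller did not already request it
        if (-not $User.nTSecurityDescriptor) {
            $User = Get-ADUser -Identity $User -Properties nTSecurityDescriptor
        }
        # nTSecurityDescriptor is an ActiveDirectorySecurity; pull the owner as a SID first
        $sid = $User.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])
        try {
            # SID-to-name translation fails for deleted or foreign principals; keep the raw SID then
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name = $sid.Value
        }
        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            DistinguishedName = $User.DistinguishedName
            OwnerSid          = $sid.Value
            Owner             = $name
        }
    }
}

# Single object, equivalent to the VBScript and C# snippets above
Get-ADUserOwner -User 'USERNAMEHERE'

# Same thing without the AD module, via ADSI like the VBScript version
# ([adsi]"LDAP://YourContextHere").psbase.ObjectSecurity.GetOwner([System.Security.Principal.NTAccount]).Value

# Audit: who owns the user objects in an OU? Compare by SID, not by name, so renames do not matter.
$searchBase  = 'OU=Users,DC=example,DC=com'          # assumption: replace with your OU
$expectedSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value

$owners = Get-ADUser -Filter * -SearchBase $searchBase -Properties nTSecurityDescriptor |
    Get-ADUserOwner

# Distribution of owners across the OU
$owners | Group-Object Owner | Sort-Object Count -Descending | Select-Object Count, Name

# Objects whose owner is an individual account or some other group: worth a closer look,
# since the owner can rewrite the object's DACL regardless of what the ACL says
$owners | Where-Object OwnerSid -ne $expectedSid | Format-Table SamAccountName, Owner -AutoSize
```

The audit compares owner SIDs rather than display names because the name lookup is a separate, fallible translation step; the SID is what is actually stored in the security descriptor. Any account listed in the last table effectively holds full control of that object, which is the reason ownership is worth reviewing alongside the DACL.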
Resources to investigate using Perl