get-objectowner reads the nTSecurityDescriptor of any Active Directory object and extracts the owner field from its security descriptor. Ownership in Active Directory carries implicit permissions — an owner can always modify the DACL of their own object, making this information highly relevant during privilege-escalation analysis. The command accepts the same flexible object identifiers as get-adobject (SID, samAccountName, or display name, with wildcard support) and optionally resolves raw owner SIDs into their corresponding distinguished names for readability.
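The owner extraction described above, as an added example that is not pywerview's own code: a parser for the owner field of a self-relative security descriptor (MS-DTYP layout), plus a check that flags owners outside a baseline. The baseline SIDs and RIDs, the function names and the sample descriptors are assumptions constructed for illustration.

```python
import struct

SE_SELF_RELATIVE = 0x8000
# Assumed baseline of expected owners: SYSTEM, BUILTIN\Administrators, and the
# Domain Admins (512) / Enterprise Admins (519) RIDs of any domain SID.
EXPECTED_SIDS = {"S-1-5-18", "S-1-5-32-544"}
EXPECTED_RIDS = {"512", "519"}

def parse_sid(buf, off):
    """Decode a binary SID starting at offset off."""
    if off + 8 > len(buf):
        raise ValueError("SID header out of bounds")
    revision, count = struct.unpack_from("<BB", buf, off)
    if revision != 1 or count > 15 or off + 8 + 4 * count > len(buf):
        raise ValueError("malformed SID")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def owner_sid(sd):
    """Return the owner SID string of a self-relative security descriptor."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor")
    # Header: Revision, Sbz1, Control, OffsetOwner (then group/SACL/DACL offsets)
    revision, _, control, off_owner = struct.unpack_from("<BBHI", sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative revision-1 descriptor")
    return parse_sid(sd, off_owner) if off_owner else None  # 0 = no owner present

def unexpected_owner(sd):
    """Return the owner SID if it falls outside the assumed baseline, else None."""
    sid = owner_sid(sd)
    if sid is None or sid in EXPECTED_SIDS:
        return None
    if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in EXPECTED_RIDS:
        return None
    return sid

def build_sd(owner):
    """Build a constructed, owner-only descriptor for the demo below."""
    parts = owner.split("-")[1:]  # revision, authority, sub-authorities
    subs = [int(p) for p in parts[2:]]
    sid = struct.pack("<BB", int(parts[0]), len(subs)) + int(parts[1]).to_bytes(6, "big")
    sid += b"".join(struct.pack("<I", s) for s in subs)
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE, 20, 0, 0, 0) + sid

if __name__ == "__main__":
    # Constructed domain SID and RIDs, not values from a real directory.
    for owner in ("S-1-5-21-1111-2222-3333-512", "S-1-5-21-1111-2222-3333-1104"):
        print(owner, "->", unexpected_owner(build_sd(owner)) or "expected owner")
```

An object owned by an ordinary account rather than an administrative group is the case worth reviewing, since that owner can rewrite the object's DACL.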

Synopsis

pywerview get-objectowner -t <DC_IP> -w <DOMAIN> -u <USER> -p <PASSWORD> \
    [--sid <SID> | --sam-account-name <SAM> | --name <NAME>] \
    [-d <DOMAIN>] [-a <ADS_PATH>] \
    [--custom-filter <FILTER>] \
    [--resolve-sids] \
    [--json] [-l LEVEL]

Parameters

Connection

-t, --dc-ip (string, required): IP address of the Domain Controller to target.
-w, --workgroup (string): Name of the domain used for authentication (e.g. contoso.com).
-u, --user (string): Username to authenticate with against the Domain Controller.
-p, --password (string): Password associated with the user account.
--hashes (string): NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k (boolean): Use Kerberos authentication. Credentials are read from the ccache file referenced by the KRB5CCNAME environment variable. Falls back to command-line credentials if no valid ticket is found.
--tls (boolean): Force a TLS-encrypted connection to the Domain Controller.
--simple-auth (boolean): Force SIMPLE LDAP authentication instead of the default NTLM/SASL binding.

SChannel (Certificate Authentication)

--cert (string): Path to the certificate file associated with the user account, used for SChannel-based authentication.
--key (string): Path to the private key file associated with the user certificate.

Object Selection

--sid (string): SID of the object whose owner you want to retrieve. Wildcards are accepted.
--sam-account-name (string): samAccountName of the object to look up. Wildcards are accepted (e.g. svc_*).
--name (string): Display name of the object to look up. Wildcards are accepted (e.g. Domain*).
-d, --domain (string): The domain to query. Defaults to the domain of the authenticated user.
-a, --ads-path (string): Additional ADS path to restrict the LDAP search base (e.g. OU=Groups,DC=contoso,DC=com).
--custom-filter (string): A raw LDAP filter string appended to the generated query, enabling arbitrary filtering beyond the built-in selectors.

Resolution

--resolve-sids (boolean): Resolve the owner SID to its distinguished name. Without this flag, the raw SID string is returned.

Output

--json (boolean): Print results as JSON instead of the default human-readable format.
-l, --logging-level (string): Verbosity of log output written to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.

Usage Examples

# Get the owner SID of a user object
pywerview get-objectowner -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --sam-account-name bob

# Resolve the owner SID to a distinguished name
pywerview get-objectowner -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --sam-account-name bob --resolve-sids

# Find the owner of a privileged group
pywerview get-objectowner -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --name 'Domain Admins' --resolve-sids

# Enumerate owners of all objects matching a wildcard and resolve SIDs
pywerview get-objectowner -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --name 'svc_*' --resolve-sids

# Query by SID with JSON output for scripting
pywerview get-objectowner -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
    --sid S-1-5-21-3623811015-3361044348-30300820-1104 --resolve-sids --json

# Authenticate with NTLM hashes
pywerview get-objectowner -t dc.contoso.com -u alice --hashes :aad3b435b51404eeaad3b435b51404ee \
    -w contoso.com --name 'Enterprise Admins' --resolve-sids

SChannel Support

Certificate-based SChannel authentication is supported via --cert and --key. Combine with --tls to connect over LDAPS.

pywerview get-objectowner -t dc.contoso.com --tls \
    --cert user.pem --key user.key \
    -w contoso.com --sam-account-name bob --resolve-sids