Create RiskID "P-UnusualOwner"

What is a one sentence summary of your feature request?

Validate the owner of (almost) all AD Objects - Apply a low or high score/points depending on the object

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Currently there is already “P-DCOwner”, which validates whether the owner of the DC computer object is OK (pingcastle/PingCastle/Healthcheck/Rules/HeatlcheckRulePrivilegedDCOwner.cs at master · netwrix/pingcastle · GitHub).
Way more objects should be validated, depending on the object type, such as the DSA object, GPOs, groups, (admin) users, etc.
Objects that might need to be skipped are often user-created, not likely to be abused, and recreated/updated anyway, for example “Active Sync Devices” and “Bitlocker Keys”.

The “Points” given in PingCastle should be 0 by default, but e.g. a GPO with a non-default owner could raise it to 20 points. If the owner is one of the “HealthcheckData.AllPrivilegedMembers” or “HealthcheckData.PrivilegedGroups”, it could add another 30 points. The points are just an example.

How do you currently solve the challenges you have by not having this feature?

For other customers using PingCastle, this issue remains undetected unless it is found manually.

I’d just like to add that P-DCOwner already has a link that states that more validation is needed:

Incorrect object owners

Some objects, created for more than 7 days, have non-standard owners.
Note: Only the first 20 objects are shown for the first 10000 owners.

All objects (users, groups, sMSA, gMSA, computers, OU, GPO) must be owned by one of the following objects:

  • « Domain Admins » ;

  • « Enterprise Admins » ;

  • « Administrators » ;

  • « Local System ».

Source: Active Directory Security Assessment Checklist
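The following PowerShell is an added example and is not code from PingCastle or from the author of this request. It implements the check the checklist above describes: enumerate users, groups, sMSA/gMSA, computers, OUs and GPOs created more than 7 days ago, and report those whose owner is not Domain Admins, Enterprise Admins, BUILTIN\Administrators or Local System. The point values per object class, the 30-point bonus, and the use of adminCount=1 as a proxy for "privileged" are assumptions chosen for illustration, not PingCastle's scoring.

```powershell
# Added example (not PingCastle code). Requires the RSAT ActiveDirectory module and
# read access to nTSecurityDescriptor on the objects in scope.
Import-Module ActiveDirectory

function Get-AllowedOwnerSid {
    # Owners the checklist accepts. Enterprise Admins only exists in the forest root,
    # so its SID is built from the root domain SID, not the current one.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
    @(
        "$domainSid-512",   # Domain Admins
        "$rootSid-519",     # Enterprise Admins (forest root domain)
        'S-1-5-32-544',     # BUILTIN\Administrators
        'S-1-5-18'          # Local System
    ) | Select-Object -Unique
}

# Illustrative points per structural object class (assumed values).
$PointsByClass = @{
    'groupPolicyContainer'            = 20
    'organizationalUnit'              = 10
    'group'                           = 10
    'msDS-GroupManagedServiceAccount' = 10
    'msDS-ManagedServiceAccount'      = 10
    'user'                            = 5
    'computer'                        = 5
}
$PrivilegedBonus = 30   # assumed extra points when the mis-owned object is itself privileged

function Resolve-OwnerName {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    # NTAccount translation fails for orphaned SIDs (deleted principals); fall back to the raw SID.
    try   { $Sd.GetOwner([System.Security.Principal.NTAccount]).Value }
    catch { $Sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }
}

function Get-UnusualOwner {
    param(
        [int]$MinAgeDays = 7,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $allowed = Get-AllowedOwnerSid
    # whenCreated is compared as LDAP generalized time, e.g. 20240101000000.0Z
    $cutoff  = (Get-Date).ToUniversalTime().AddDays(-$MinAgeDays).ToString('yyyyMMddHHmmss.0Z')
    $classes = ($PointsByClass.Keys | ForEach-Object { "(objectClass=$_)" }) -join ''
    $ldap    = "(&(|$classes)(whenCreated<=$cutoff))"

    Get-ADObject -LDAPFilter $ldap -SearchBase $SearchBase -SearchScope Subtree `
                 -Properties nTSecurityDescriptor, whenCreated, adminCount |
    ForEach-Object {
        $sd       = $_.nTSecurityDescriptor
        $ownerSid = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($allowed -notcontains $ownerSid) {
            # $_.ObjectClass is the structural class (e.g. 'computer', not the full 'top;person;...' chain)
            $points = if ($PointsByClass.ContainsKey($_.ObjectClass)) { $PointsByClass[$_.ObjectClass] } else { 5 }
            # adminCount=1 marks objects protected by AdminSDHolder: a cheap proxy for "privileged" (assumption).
            $privileged = ($_.adminCount -eq 1)
            if ($privileged) { $points += $PrivilegedBonus }
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                WhenCreated       = $_.whenCreated
                OwnerSid          = $ownerSid
                Owner             = Resolve-OwnerName -Sd $sd
                Privileged        = $privileged
                Points            = $points
            }
        }
    }
}

# Usage: worst offenders first, then a per-class total.
$findings = Get-UnusualOwner -MinAgeDays 7
$findings | Sort-Object Points -Descending |
    Format-Table ObjectClass, Owner, Points, DistinguishedName -AutoSize
$findings | Group-Object ObjectClass |
    Select-Object Name, Count, @{ n = 'Points'; e = { ($_.Group | Measure-Object Points -Sum).Sum } }
```

Two caveats when reading the output: the owner of a GPO's directory object (groupPolicyContainer) is checked here, but the matching SYSVOL folder has its own NTFS owner that this script does not look at; and a mis-owned object in a child domain may legitimately show the child domain's own Domain Admins as owner, which the SID list above already accepts because it is built from the current domain's SID.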