BNNhelpdesk
asked on
Give ownership back to TrustedInstaller
I have written a batch file that does the following:
REM Grant Administrators group ownership of FILE1
REM --------------------
takeown /A /F FILE1
REM Grant Administrators group modify rights to FILE1
REM --------------------
icacls FILE1 /grant administrators:M
REM Replace FILE1 with FILE2
REM --------------------
copy "FILE2" "FILE1"
REM remove the rights granted to adminstrators group
REM --------------------
icacls FILE2 /grant:r administrators:RX
Is it possible to add another step to give ownership back to "NT SERVICE\TrustedInstaller" via command line tools??
Thanks in advance.
REM Grant Administrators group ownership of FILE1
REM --------------------
takeown /A /F FILE1
REM Grant Administrators group modify rights to FILE1
REM --------------------
icacls FILE1 /grant administrators:M
REM Replace FILE1 with FILE2
REM --------------------
copy "FILE2" "FILE1"
REM remove the rights granted to adminstrators group
REM --------------------
icacls FILE2 /grant:r administrators:RX
Is it possible to add another step to give ownership back to "NT SERVICE\TrustedInstaller" via command line tools??
Thanks in advance.
Ownership of files/folders in Windows cannot be given, it can only be taken.
See the following tool, takeown.exe and instructions on how to use it:
http://social.technet.microsoft.com/Forums/en-CA/ITCG/thread/5f4d6a1b-b955-49eb-8b68-fccc9ac047b3
http://social.technet.microsoft.com/Forums/en-CA/ITCG/thread/5f4d6a1b-b955-49eb-8b68-fccc9ac047b3
And you can give ownership to any account you want manually by right clicking on the file or folder > Security tab > Advanced > Owner tab > Other Users or Groups. Then make sure you select 'Replace owner on subcontainers and objects if it's a folder.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Qlemo, thanks for your response. However, it's not working. After typing the following command:
icacls FILE1 /setowner TrustedInstaller
I get this response:
No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 0 files
Any more help is appreciated.
Thanks.
icacls FILE1 /setowner TrustedInstaller
I get this response:
No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 0 files
Any more help is appreciated.
Thanks.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks josika, you lead me to the problem. I needed to specify...
icacls FILE1 /setowner "nt service\TrustedInstaller"
icacls FILE1 /setowner "nt service\TrustedInstaller"
Ok cool, everything is working now then?
ASKER
Here is the final solution... works when trying to modify a file owned by the trustedinstaller in C:\Windows.
You could probably modify this a little bit to take ownership of full directories, but I only needed to modify 1 file.
Enjoy.
icacls FILE1 /save %TEMP%\file.acl /Q
takeown /A /F FILE1
icacls FILE1 /grant administrators:F /Q
copy "FILE2" "FILE1"
icacls FILE1 /setowner "nt service\TrustedInstaller"
icacls location_of_FILE2 /restore %TEMP%\file.acl /Q
You could probably modify this a little bit to take ownership of full directories, but I only needed to modify 1 file.
Enjoy.
icacls FILE1 /save %TEMP%\file.acl /Q
takeown /A /F FILE1
icacls FILE1 /grant administrators:F /Q
copy "FILE2" "FILE1"
icacls FILE1 /setowner "nt service\TrustedInstaller"
icacls location_of_FILE2 /restore %TEMP%\file.acl /Q
Which is strange, since you did not need that some time ago ... But it does not work anymore without providing the full name "NT SERVICE\TrustedInstaller", as indicated.