Windows File Server - Folder ownership problems and resolution

Freelancer, IT Consultant experienced on Microsoft server, AD and Messaging projects
This article outlines Windows shared file / folder access issues caused by folder ownership problems and demonstrates how to fix them with utilities like Takeown, Subinacl and SetACL.
It also outlines best practices for setting up share and NTFS permissions on shared folders.


I have seen many questions on Experts-Exchange regarding NTFS file and folder access issues. These issues are caused by an improper or unplanned NTFS permissions model. The majority of them happen because of uneven folder ownership. Microsoft has provided native tools like icacls.exe and takeown.exe to fix ownership issues, but these utilities are not as effective as Subinacl or SetACL.

The article demonstrates the use of the Subinacl and SetACL tools in place of the built-in Takeown utility to resolve file / folder ownership and access issues seamlessly.

Background Information

Recently I fixed file server permission issues for one of my clients. The client has 1800 users and one domain-joined Windows Server 2008 R2 file server with 12 TB of data and 250+ shared folders, and the folder structure is five levels deep. All shared folder access is granted on a per-user basis and no groups are defined, causing the folder access control list (ACL) to become exhausted.

The file server is part of one domain and since they have acquired another company, we have to grant the second company's users (another domain) appropriate rights to the file server data. The domain level trust is already in place.

The problem:

For many folders, administrators don't have even read access and can't even check the folder ACL. They are unable to see the folder owner and unable to access the folder, and hence they are unable to manage file server access.

For example:


[Screenshot: Folder-Access-2.jpg]

I went to the folder properties, and it shows me that the folder is empty, when in reality the folder is not empty, but I don't have permission to view the folder size.

[Screenshot: Folder-Access-3.jpg]

I don't have access to view the folder NTFS permissions, but I am able to view the share permissions, and the share permissions are full control for everyone.

I am even unable to see the folder owner:

[Screenshot: Folder-Access-4.jpg]

The administrator can take folder ownership forcefully with the replace permissions option, but this will destroy existing file server permissions, which is not desirable.

[Screenshot: Folder-Access-5.jpg]

If I click Yes here, all existing permissions will be destroyed by granting me full control (in addition to ownership), which is not the objective here. I am forced to click No. I immediately got the following warning messages:




Unless I get folder ownership, I can’t add or modify anybody or myself on the folder access control list.


The root cause of this problem is that multiple users have Full Control NTFS permissions on the root folder. Some smart users have removed the built-in Administrators group from the access control list and from the Owner tab. The CREATOR OWNER group is listed on the ACL of the folders, so the user who creates files and folders automatically becomes the owner of those files and folders. The permissions model became complicated. Access is granted to individual users instead of groups, which is difficult to track.

NTFS Folder ownership

  • Every object has an owner, whether the object is on an NTFS volume or in Active Directory Domain Services (AD DS). The owner controls how permissions are set on the object and to whom permissions are granted.
  • An administrator who needs to repair or change permissions on a file must begin by taking ownership of the file if they do not already own it.
  • By default, the owner is the entity that created the object. The owner can always change permissions on an object, even when the owner is denied all access to the object.

Ownership can be taken by:

  • The Administrators group, which by default is granted the Take ownership of files or other objects user right.
  • Any user or group who has the Take Ownership permission on the object.
  • A user who has the Restore files and directories user right.

Ownership can be transferred in the following ways:

  • The current owner can grant the Take Ownership permission to another user. The user must actually take ownership to complete the transfer.
  • A member of local administrators group can take ownership.
  • A user who has the Restore files and directories user right can double-click Other users and groups and choose any user or group to assign ownership to.



[Screenshot: Folder-Access-8.jpg]

In the screenshot above, there is a special group called CREATOR OWNER. This group is inherited from the drive root, and because of it the person who creates files and folders is automatically assigned ownership of those files and folders for as long as the group is listed on the ACL.


I have shared folders ranging in size from 10 GB to 250 GB; I need some method to take ownership of all folders without destroying existing folder permissions.

There are TWO options left:

Either I take folder ownership from top to bottom without destroying existing permissions,

or I need a user who already has Full Control permissions on the folder and who can grant my admin account access to it, and from there I can take it ahead.

There are multiple free tools available on the internet to accomplish this. Membership in the server's local Administrators group is the minimum prerequisite for using any of these tools.

Takeown – Built-in tool available in Windows-based systems for managing folder ownership

Takeown has its own limitations and can destroy existing NTFS permissions in addition to taking folder ownership. To take ownership with the Takeown utility without destroying existing permissions, you must have at least read permissions on the folder and files; otherwise you cannot take ownership. In practice, until you have ownership of all subfolders and files, you have to run the TWO commands below one after the other, again and again.

takeown /f <directory path> /r /a
/f stands for file \ folder
/r stands for recursive
/a stands for administrators group


Icacls <Directory Path> /grant administrators:f /t
/t switch will take care of sub folders and files
f stands for full control permission

takeown /f C:\TFolders /r /a
Icacls C:\Tfolders /grant administrators:f /t

[Screenshot: Folder-Access-9.jpg]

In the above example, Takeown has assigned ownership of only the root of the "C:\TFolders" folder to the administrators group, even though the /r switch was specified for recursive ownership, because you do not have read permissions on the subfolders and files. If you press Y when prompted by the above command, all folder permissions will be destroyed and only your admin account will be granted full control permissions. You can specify the additional /D switch with a Y or N parameter to suppress every permission replacement prompt. At this point you have ownership of the root folder only; you still don't have ownership of the subfolders, nor any permissions on the root folder or subfolders.

This is the same case when you try to take folder ownership from the GUI in recursive mode:

[Screenshot: Folder-Access-10.jpg]

In the above snapshot, if you select Yes, it will destroy existing folder permissions by granting you full control in addition to ownership.


Now that you have ownership of the root folder, you need to run the Icacls Windows built-in utility to grant administrators full control. The utility will grant administrators full control on the root folder only, because you don't yet have ownership of the subfolders and files.


Then run the Takeown utility again to take ownership of the next level of files and subfolders, since you now have access to the root folder.


Once you have ownership of those folders, you again need to assign permissions with the Icacls utility as shown below.

[Screenshot: Folder-Access-14.jpg]

In the screenshot above there is still one access denied error. You need to run both commands multiple times until you have ownership of, and access to, the entire folder. Then you can manage all aspects of that folder.
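The repeated Takeown / Icacls passes described above, written as a loop. This is an added example, not part of the original article: it assumes an English-language Windows (it parses the icacls summary line), and the $MaxPasses limit and the icacls /c switch are additions to the article's commands.

```powershell
# Added example: automates the repeated takeown / icacls passes.
# Run from an elevated PowerShell session.
param(
    [string]$Path = 'C:\TFolders',  # folder from the article's example
    [int]$MaxPasses = 10            # assumed safety limit, not from the article
)

function Invoke-OwnershipPass {
    param([string]$Target)

    # /d N answers "No" to the replace-permissions prompt, so a directory that
    # cannot be read yet is skipped in this pass and keeps its existing ACL.
    & takeown.exe /f $Target /r /a /d N 2>&1 | Out-Null

    # /grant adds an ACE to the existing ACL. /c (continue after errors) is an
    # addition to the article's command so one failure does not end the pass.
    $output = & icacls.exe $Target /grant 'administrators:f' /t /c 2>&1 | Out-String

    # icacls ends with "Successfully processed N files; Failed processing M files".
    $m = [regex]::Match($output, 'Failed processing (\d+) files')
    if ($m.Success) { [int]$m.Groups[1].Value } else { -1 }
}

$done = $false
for ($pass = 1; $pass -le $MaxPasses; $pass++) {
    $failed = Invoke-OwnershipPass -Target $Path
    if ($failed -lt 0) {
        Write-Warning "Pass ${pass}: icacls summary line not found, stopping."
        break
    }
    Write-Host "Pass ${pass}: icacls could not update $failed object(s)."
    if ($failed -eq 0) { $done = $true; break }
}

if ($done) {
    Write-Host 'No failures reported: every object icacls visited now has the Administrators ACE.'
} else {
    Write-Warning "Stopped after pass $pass with objects still inaccessible."
}
```

Each pass reaches one level deeper, so a tree five levels deep needs at least five passes.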


Subinacl – Free utility available from Microsoft


SetACL and Subinacl are very powerful tools and can do much more than Takeown. I prefer these tools over the Takeown utility. Their major advantage is that they can take ownership of an entire folder, including subfolders and files, in one shot, regardless of access permissions and without destroying existing permissions, even if you don't have read permissions on the folder root, subfolders and files.

Syntax of command: 

Subinacl /noverbose /Subdirectories <Directory Path> <action parameter>

To take ownership of the folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /setowner=administrators

To take ownership of all subfolders and files underneath the root folder:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\* /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /setowner=administrators

To grant administrators full control on the folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /grant=administrators=f
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /grant=administrators=f

To grant administrators full control on all subfolders and files underneath the folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\* /grant=administrators=f
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /grant=administrators=f

The example below shows how to take folder ownership and access with the Subinacl tool. The tool can take ownership of all subfolders and files, including the root folder, and can grant full control access to the built-in administrators group without destroying any existing permissions.


The Subinacl utility gives you one additional facility: it allows you to back up the NTFS security, along with ownership, of an entire folder before making any changes. If you make a mistake while taking folder ownership or modifying the folder access control list, you can restore the entire NTFS access control list.

Syntax of command:

Subinacl /noverbose <action parameter> /subdirectories <Directory path>

To back up the NTFS permissions of the root folder:
Subinacl /noverbose /output=C:\TFolders_Root.txt /subdirectories C:\TFolders
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Root.txt /subdirectories "C:\My Data"

To back up the NTFS permissions of all subfolders and files underneath the root folder:
Subinacl /noverbose /output=C:\TFolders_Child.txt /subdirectories C:\TFolders\*
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Child.txt /subdirectories "C:\My Data\*"

To restore NTFS permissions on the folder root:
Subinacl /noverbose /playfile C:\TFolders_Root.txt

To restore NTFS permissions on the subfolders:
Subinacl /noverbose /playfile C:\TFolders_Child.txt

The 1st command will restore security on the root folder (C:\TFolders).
The 2nd command will restore security on all subfolders and files underneath the folder root (C:\TFolders\*).

For example:

[Screenshot: Folder-Access-18.jpg]

The Subinacl command line reference help file is attached here: subinacl.zip


The command line version of SetACL is freeware. It needs no installation, as it is a standalone .exe file: download it and use it from an elevated command prompt. Like Subinacl, this utility works well and is capable of taking folder ownership and granting folder access without destroying existing folder permissions.

Syntax of command: 

SetAcl -on <Directory Path> -ot <object type> -actn <parameter> -rec cont_obj -silent
-on stands for "object name", the name of the directory
-ot stands for "object type"
-actn stands for the action to be performed, setting the owner (setowner) in our case
-rec stands for recursive action, to be carried out on all subfolders and files (cont_obj)
-silent means no output will be printed on screen

To set the owner on the entire folder:
SetAcl -on C:\TFolders -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent

To grant the administrators group full control on the entire folder:
SetAcl -on C:\TFolders -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent

For example:

[Screenshot: Folder-Access-16.jpg]

The above command will assign ownership of the entire folder to the built-in administrators group and will grant full control access permissions without destroying any existing folder permissions. You can refer to the SetACL online command reference for more information: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/

Some best practices for setting up standard shared folders to minimize management effort:

  1. Always share folders with Everyone: Full Control share permissions.
  2. Control user access through the NTFS access control list.
  3. In order to control user access through NTFS permissions, disable inheritance from the advanced NTFS security page on the root share folder.
  4. Avoid granting users Full Control NTFS permissions on root shares and subfolders unless absolutely necessary.
  5. Ensure that the SYSTEM account and the server's local Administrators group have Full Control NTFS permissions on the root share, and that the Administrators group owns the root folder as well. Never grant an individual administrator Full Control NTFS permissions.
  6. Remove the CREATOR OWNER group from the root share. This is the main culprit behind most folder ownership and access issues. Removing it ensures that individual users never get ownership of subfolders and files.
  7. Try to avoid granting deny permissions to users or groups on the NTFS access control list.
  8. Avoid granting permissions to individual users on the shared folder access control list as far as possible.
  9. Instead of adding individual users to the access control list, create global security groups, add the required users to them, and grant these security groups the appropriate rights on the access control list.
  10. Under normal circumstances, with a single-level folder structure, you can define your folder permissions in such a way that Authenticated Users are granted Read permissions with This folder only as scope on the root share folder. This enables users to see all folders under the root folder, but they won't be able to open those folders unless they have explicit access to them. Underneath the root share folder, you can manage further folder permissions based on domain local or global security groups, so that each folder is accessed only by users who are members of the specified groups.
  11. If the folder structure is deep (3 to 4 levels, such as Country \ State(s) \ City(s) \ Department(s)) and the data resides under the department folders, grant Authenticated Users Traverse folder / Execute file and List folder / Read data from the advanced permissions page on the root share, with This folder and subfolders as scope. On each department folder, disable inheritance from the advanced permissions page and keep only the required security groups with the desired permissions (Modify etc.); this ensures that data residing in the department folders is accessible to the respective department's users only.
  12. The process for setting up roaming profiles is a bit different from the above; by default these folders are not accessible to administrators. However, you can apply group policies in advance on the server where you want to store roaming profiles, so that the built-in administrators group can have access to roaming profile folders if necessary. The GPO setting "Add the administrator’s security group to roaming user profiles" can be found under Computer configuration => Administrative templates => System => User profiles. A great article on setting up roaming profiles \ home directories is already published on the TechNet blog: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx
  13. Another option is to take ownership of the complete roaming profile share with SetACL or Subinacl without destroying the existing ACL, and then add the administrators group to the roaming profile root share. That will eventually be inherited by the profile folders beneath it.
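One way to check an existing share against practices 4 to 7 above, and to find the folders whose ACL administrators cannot read at all. This is an added example, not part of the original article: the $Root path and the function names are hypothetical, and it assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example: audit folder ownership and explicit ACEs under a share root.
param(
    [string]$Root = 'D:\Shares\Projects'   # hypothetical share root
)

# Well-known SIDs are compared instead of names, so the check is locale-independent.
$SidType      = [System.Security.Principal.SecurityIdentifier]
$Admins       = 'S-1-5-32-544'   # BUILTIN\Administrators
$System       = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$CreatorOwner = 'S-1-3-0'        # CREATOR OWNER
$FullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # orphaned SID: show it as-is
}

function New-Finding {
    param($Path, $Finding, $Detail)
    [pscustomobject]@{ Path = $Path; Finding = $Finding; Detail = $Detail }
}

function Get-AclFinding {
    param([string]$Path)

    # A folder whose ACL cannot be read is the situation the article starts from.
    try   { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { return New-Finding $Path 'ACL unreadable' $_.Exception.Message }

    $owner = $acl.GetOwner($SidType)
    if ($owner.Value -ne $Admins) {
        New-Finding $Path 'Owner is not Administrators' (Resolve-SidName $owner)
    }

    # Explicit ACEs only: inherited ones are reported at the folder that defines them.
    foreach ($ace in $acl.GetAccessRules($true, $false, $SidType)) {
        $sid  = $ace.IdentityReference.Value
        $name = Resolve-SidName $ace.IdentityReference

        if ($sid -eq $CreatorOwner) {
            New-Finding $Path 'CREATOR OWNER ACE' ([string]$ace.FileSystemRights)
        }
        if ($ace.AccessControlType -eq 'Deny') {
            New-Finding $Path 'Deny ACE' ('{0}: {1}' -f $name, $ace.FileSystemRights)
        }
        # ACEs stored as generic rights (typical for CREATOR OWNER) do not match
        # this mask; they are already covered by the CREATOR OWNER check.
        $isFull = ($ace.FileSystemRights -band $FullControl) -eq $FullControl
        if ($isFull -and $ace.AccessControlType -eq 'Allow' -and $sid -notin $Admins, $System) {
            New-Finding $Path 'Full Control for non-admin identity' $name
        }
    }
}

$folders  = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($f in $folders) { Get-AclFinding -Path $f.FullName }
$findings | Sort-Object Finding, Path | Format-Table -AutoSize -Wrap
```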


Expert Comment

File shares on the C drive? I would address that before addressing other issues.
A key component for a file server is file shares on different volumes than the C drive.

Certainly would not be having access lists containing usernames and not security groups. It becomes unmanageable; if this is avoidable, get rid of the usernames.

Try getting the take ownership snap-in for the context menu in Windows; google it and you can find it.
When you right-click on a folder in the Windows GUI you then have a take ownership button.

Author Comment

On the system drive we have the default administrative shares only; we don't have to touch those folders normally.
I have taken C:\ drive folders as an example only.
In the case of Active Directory you also have the sysvol and netlogon shares, but we never touch those folders from either the GUI or the command line unless there are weird issues.

I have seen the registry hack which enables the Take Ownership context menu.
Not very useful on production file servers:
It just grants you \ the administrators group ownership of the folder, grants you full control on the folder, wipes out existing security on the folder and enables inheritance again.
This is not desirable when you need to retain existing security on a shared folder because, as already mentioned in the article, in order to take ownership with takeown you have to have at least read access on the folders. If you don't have read access, it will ask you if you want to grant yourself full control on the entire ACL, and if you enter yes, it will wipe out existing security.

That is why I always prefer Subinacl \ SetAcl, which are more powerful and useful than the Takeown utility.

Expert Comment

ye some of your tips are pretty cool thanks.

Expert Comment

Good advice and very similar to the way I'm working. Only some comments/suggestions on your best practices:

I prefer Authenticated Users over Everyone (not really a great difference).
I prefer to remove the Creator/Owner permission from the disk level, as well as Users, so only Administrators and System have Full Access (if I don't forget it). One caveat: doing so on 2012 will cause you to disable UAC or to work on the command line; you may create a folder with Explorer, but you can't access it unless you add yourself to the ACL by username (although a member of the Administrators group). Because I'm not a friend of UAC on a server, I disable it - and the ACL stays simple.

Author Comment


There is a slight difference between Authenticated Users and Everyone.
The Everyone group contains the Guest, IUSR & IWAM accounts in addition to authenticated users \ domain users in trusted domains and forests.
Previously anonymous users were part of the Everyone group, but with 2003 AD this was removed.

The Authenticated Users group includes all users whose identities were authenticated when they logged on. This includes local user accounts as well as all domain user accounts from trusted domains and forests.
Authenticated Users does not contain the Guest, IUSR, IWAM, Anonymous, Local Service and Network Service accounts.
Normally these accounts cannot log on to any machine to access shared resources, and the Guest account is disabled by default unless you enable it.

As a matter of fact, I really do not see a noticeable difference between the TWO; however, you may use Authenticated Users instead of Everyone.
The major permissions control remains on NTFS permissions.

Probably we need to disable UAC, otherwise it will prompt unnecessarily; some organizations have a policy to keep UAC enabled.

Normally I do want to clear Creator Owner from the share folder root at the beginning; you can remove it from the drive root, however I don't think it is required.

I observed that on 2012 and above servers, if you are a server administrator and you try to open a shared folder for which you don't have access on the NTFS ACL, and you access it through the local path, it will show you a popup so that you can click Continue and get access.

Expert Comment

by:Gaurav Chauhan
Many thanks for this detailed article. This subinacl tool is just awesome, far better than icacls; it solved my greatest problem. Now I am surprised why this tool is mentioned nowhere; this should be promoted as a built-in tool by Microsoft. Many thanks again.

Expert Comment

by:Tuaca Tom
For those looking for the download of SubinACL from Microsoft:

Author Comment

The link is already provided in the article under the Subinacl section.

Expert Comment

by:Tuaca Tom
The link originally provided was not to Microsoft (unless there was another one and I missed it).  Some of us work at companies or industries that cannot access “3rd party” download sites.

Great article, already put it to use on a project. Many thanks!!

Author Comment

The link is provided as a hyperlink under the Subinacl section, "subinacl".
This is the same link you posted,
because the tool was last published in 2012.
Anyway, thanks for the comment.
If you like the article and find it useful, please endorse it.
