Introduction
I have seen many questions on Experts-Exchange regarding NTFS file and folder access issues. These issues are caused by an improper or unplanned NTFS permissions model, and the majority of them happen because of inconsistent folder ownership. Microsoft provides native tools such as icacls.exe and takeown.exe to fix ownership issues, but these utilities are not as effective as Subinacl or SetACL.
This article demonstrates the use of the Subinacl and SetACL tools, compared with the built-in Takeown utility, to resolve file and folder ownership and access issues seamlessly.
Background Information
Recently I fixed file server permission issues for one of my clients. The client has 1800 users and one domain-joined Windows Server 2008 R2 file server with 12 TB of data, 250+ shared folders and a folder structure five levels deep. All shared folder access is granted on a per-user basis and no groups are defined, causing the folder access control lists (ACLs) to become overloaded.
The file server is part of one domain, and since the client has acquired another company, we have to grant the second company's users (in another domain) appropriate rights to the file server data. The domain-level trust is already in place.
For many folders, administrators don't even have read access and can't check the folder ACL. They cannot see the folder owner or access the folder, and hence they cannot manage file server access.
For example:
I went to the folder properties, and it showed me that the folder is empty, when in reality it is not; I simply don't have permission to view the folder size.
I don't have access to view the folder's NTFS permissions, but I am able to view the share permissions, which are Full Control for Everyone.
I am even unable to see the folder owner.
The administrator can take folder ownership forcefully with the replace permissions option, but this will destroy the existing file server permissions, which is not desirable.
If I click Yes at this prompt, all existing permissions will be destroyed by granting me full control (in addition to ownership), which is not the objective here. I am forced to click No, and immediately get the following warning messages:
Unless I get folder ownership, I can't add or modify anybody, including myself, on the folder access control list.
The root cause of this problem is that multiple users have Full Control NTFS permissions on the root folder. Some smart users have removed the built-in Administrators group from the access control list and from the Owner tab. The CREATOR OWNER group is listed on the ACL of the folders, so the user who creates files and folders automatically becomes the owner of those files and folders. The permissions model has become complicated: access is granted at user level instead of to groups, which is difficult to track.
NTFS Folder ownership
Ownership can be taken by
Ownership can be transferred in the following ways:
CREATOR OWNER
If you look at the above diagram, there is a special group called CREATOR OWNER. This group is inherited from the drive root, and because of it the person who creates files and folders is automatically assigned ownership of those files and folders as long as this group is listed on the ACL.
I have shared folders ranging in size from 10 GB to 250 GB; I need a method to take ownership of all folders without destroying the existing folder permissions.
There are TWO options left:
Either I take folder ownership from top to bottom without destroying existing permissions,
OR
I find a user who already has Full Control permissions on the folder and who can grant my admin account access to it, and take it from there. There are multiple free tools available on the internet to accomplish this. Membership in the server's local Administrators group is the minimum prerequisite to use any of these tools.
Takeown – Built-in tool available in Windows-based systems for managing folder ownership
Takeown has its own limitations and can destroy existing NTFS permissions in addition to taking folder ownership. To take ownership with the Takeown utility without destroying existing permissions, you must have at least read permission on the folder and its files; otherwise you cannot take ownership. So the verdict is: until you get ownership of all subfolders and files, you have to run the two commands below, one after the other, again and again.
takeown /f <directory path> /r /a
where
/f specifies the file or folder
/r stands for recursive
/a assigns ownership to the Administrators group
AND
Icacls <Directory Path> /grant administrators:f /t
/t applies the change to subfolders and files
f (in administrators:f) stands for full control permission
Example:
takeown /f C:\TFolders /r /a
Icacls C:\Tfolders /grant administrators:f /t
In the above example, Takeown has assigned ownership of the "C:\TFolders" root folder only to the Administrators group, even though you specified the /r switch for recursive ownership, because you do not have read permission on the subfolders and files. If you press Y when prompted by the above command, all folder permissions will be destroyed and only your admin account will be granted full control. You can specify the additional /D switch with a Y or N parameter to suppress every permission replacement prompt. You now have ownership of the root folder only; you still don't have ownership of the subfolders, nor any permission on the root folder or subfolders.
This is the same when you try to take folder ownership from the GUI in recursive mode:
In the above snapshot, if you select Yes, it will destroy the existing folder permissions by granting you full control in addition to ownership.
Now that you have ownership of the root folder, you need to run the command below with the Icacls Windows built-in utility to grant Administrators full control. This utility will grant Administrators full control on the root folder only, because you don't have ownership of the rest of the subfolders and files yet.
Then you have to run the Takeown utility again to take ownership of the next level of subfolders and files, since you now have access to the root folder.
Once you have ownership of those folders, you again need to assign permissions with the Icacls utility as shown below.
In the above diagram there is still one access denied error. You need to run both commands multiple times until you have ownership of and access to the entire folder. Then you can manage all aspects of that folder.
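The repeat-until-clean procedure above, as an added PowerShell script that is not part of the original article: it runs the Takeown and Icacls pair in a loop and stops when icacls reports no failures. The $Root and $MaxPasses values are placeholders, and an elevated prompt is assumed.

```powershell
# Added example (not from the article): automate the Takeown/Icacls pair
# until icacls reports no failures, instead of re-running both by hand.
# Assumes an elevated PowerShell prompt; $Root and $MaxPasses are placeholders.
param([string]$Root = 'C:\TFolders', [int]$MaxPasses = 20)

function Invoke-RecoveryPass {
    param([string]$Path)
    # /d n answers "No" to every "replace the directory permissions?" prompt,
    # so existing ACLs are kept; ownership is taken wherever Takeown can read.
    takeown.exe /f $Path /r /a /d n | Out-Null

    # Grant Administrators Full Control recursively. icacls ends its output with
    # "Successfully processed N files; Failed processing M files".
    $out = icacls.exe $Path /grant 'Administrators:F' /t 2>&1 | Out-String
    if ($out -match 'Failed processing (\d+) files') { return [int]$Matches[1] }
    return -1   # summary line not found: treat as unknown and stop looping
}

if (-not (Test-Path -LiteralPath $Root)) { throw "Folder not found: $Root" }

for ($pass = 1; $pass -le $MaxPasses; $pass++) {
    $failed = Invoke-RecoveryPass -Path $Root
    Write-Host ("Pass {0}: {1} object(s) still inaccessible" -f $pass, $failed)
    if ($failed -le 0) { break }
}

# Final check: the root owner should now be the built-in Administrators group.
$owner = (Get-Acl -LiteralPath $Root).Owner
if ($owner -ne 'BUILTIN\Administrators') {
    Write-Warning "Root owner is still $owner; ownership not fully recovered"
}
```

Each pass only reaches one more level of the tree, exactly as the article describes, so the pass count printed is a rough measure of how deep the inaccessible folders went.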
Subinacl – Free utility available from Microsoft
SetACL and Subinacl are very powerful tools and can do much more than Takeown; I prefer them over the Takeown utility. Their major advantage is that they can take ownership of an entire folder, including subfolders and files, in one shot, regardless of access permissions and without destroying existing permissions, even if you don't have read permission on the folder root, subfolders or files.
Syntax of command:
Subinacl /noverbose /Subdirectories <Directory Path> <action parameter>
Ex:
To take ownership of folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /setowner=administrators
To take ownership of all sub folders and files underneath root folder:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\ /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /setowner=administrators
To grant administrators full control on folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /grant=administrators=f
If folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /grant=administrators=f
To grant administrators full control on all subfolders and files underneath folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\ /grant=administrators=f
If folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /grant=administrators=f
The example below shows how to take folder ownership and access with the Subinacl tool. The tool can take ownership of all subfolders and files including the root folder, and can grant full control access to the built-in Administrators group without destroying any existing permissions.
The Subinacl utility also lets you back up the NTFS security of the entire folder, along with ownership, before making any changes. If you make a mistake while taking folder ownership or modifying the folder access control list, you can restore the entire NTFS access control list.
Syntax of command:
Subinacl /noverbose <action parameter> /subdirectories <Directory path>
To backup NTFS permissions of root folder:
Subinacl /noverbose /output=C:\TFolders_Root.txt /subdirectories C:\TFolders
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Root.txt /subdirectories "C:\My Data"
To backup NTFS permissions of all sub folders and files underneath root folder:
Subinacl /noverbose /output=C:\TFolders_Child.txt /subdirectories C:\TFolders\
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Child.txt /subdirectories "C:\My Data\*"
To restore NTFS permissions on folder root:
Subinacl /noverbose /playfile C:\TFolders_Root.txt
To restore NTFS permissions on sub folders:
Subinacl /noverbose /playfile C:\TFolders_Child.txt
The 1st command will restore security on the root folder (C:\TFolders).
The 2nd command will restore security on all subfolders and files underneath the folder root (C:\TFolders\*).
The Subinacl command line reference help file is attached here: subinacl.zip
SetACL – Free command line utility
The command line version of SetACL is freeware. There is no need to install it, as it is a standalone .exe file. Download it and use it from an elevated command prompt. This utility works just as well as Subinacl, and is capable of taking folder ownership and granting folder access without destroying existing folder permissions.
Syntax of command:
SetAcl -on <Directory Path> -ot <object type> -actn <parameter> -rec cont_obj -silent
Where
-on stands for "object name", the name of the directory
-ot stands for "object type"
-actn stands for the action to be performed, setting the owner (setowner) in our case
-rec stands for recursive action, to be carried out on all subfolders and files (cont_obj)
-silent means no output will be printed on screen.
Ex:
To set owner on entire folder:
SetAcl -on C:\TFolders -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent
To grant administrators group full control on entire folder:
SetAcl -on C:\TFolders -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent
The above commands assign ownership of the entire folder to the built-in Administrators group and grant full control access permissions without destroying any existing folder permissions. Refer to the SetAcl online command reference for more information: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/
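The Subinacl backup step and the SetACL ownership/grant commands above, combined into one added PowerShell script that is not part of the original article or either tool's documentation: it backs up the root and child ACLs first, refuses to continue if a backup is missing, applies the two SetACL commands, and then uses Get-Acl to confirm that every object is owned by Administrators and carries a Full Control ACE. It assumes subinacl.exe and SetACL.exe are on the PATH and an elevated prompt; $Root and $BackupDir are placeholders.

```powershell
# Added example (not from the article): back up ACLs with Subinacl, take
# ownership and grant access with SetACL, then verify the result with Get-Acl.
# Assumes subinacl.exe and SetACL.exe are on PATH and an elevated prompt;
# $Root and $BackupDir are placeholders.
param([string]$Root = 'C:\TFolders', [string]$BackupDir = 'C:\AclBackup')

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$rootFile  = Join-Path $BackupDir "root-$stamp.txt"
$childFile = Join-Path $BackupDir "child-$stamp.txt"

# 1. Back up the root and its children separately (restore later with
#    "subinacl /noverbose /playfile <file>"); stop if a backup is missing or empty.
subinacl.exe /noverbose "/output=$rootFile"  /subdirectories $Root     | Out-Null
subinacl.exe /noverbose "/output=$childFile" /subdirectories "$Root\*" | Out-Null
foreach ($f in $rootFile, $childFile) {
    if (-not (Test-Path -LiteralPath $f) -or (Get-Item -LiteralPath $f).Length -eq 0) {
        throw "ACL backup $f is missing or empty; no changes made"
    }
}

# 2. Set the owner and add an Administrators:Full ACE on the whole tree.
#    "-actn ace" adds an entry to the DACL; it does not replace existing entries.
SetACL.exe -on $Root -ot file -actn setowner -ownr 'n:Administrators' -rec cont_obj -silent
SetACL.exe -on $Root -ot file -actn ace -ace 'n:Administrators;p:full' -rec cont_obj -silent

# 3. Verify every object: owned by Administrators and carrying an Allow
#    FullControl ACE for Administrators. Anything else is listed for review.
function Test-AdminAccess([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl -or $acl.Owner -ne 'BUILTIN\Administrators') { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$bad = @($items | Where-Object { -not (Test-AdminAccess $_.FullName) })
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Warning "Not fixed: $($_.FullName)" }
    Write-Warning "Backups to replay if needed: $rootFile, $childFile"
} else {
    Write-Host "Ownership and Administrators Full Control verified under $Root"
}
```

The verification only confirms that the Administrators entry was added; comparing the Subinacl backup files against a fresh /output run afterwards is the way to prove that no pre-existing entries were lost.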
Some best practices about setting up standard share folders to minimize management efforts:
Please endorse this article if you found it useful.
Mahesh.
Comments (11)
Commented:
https://www.microsoft.com/en-us/download/details.aspx?id=23510
Author
Commented: Link already provided in article under Subinacl section
Commented:
The link originally provided was not to Microsoft (unless there was another one and I missed it). Some of us work at companies or industries that cannot access “3rd party” download sites.
Great article, already put it to use on a project. Many thanks!!
Author
Commented: This is the same link you posted,
because the tool was last published in 2012.
Anyway, thanks for the comment.
If you like the article and find it useful, please endorse it.