Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How can I seize ownership of a directory using Powershell?

Posted on 2009-05-05
6
1,899 Views
Last Modified: 2012-05-06
I have a script that I utilized to correct errant security permissions on users home directories. The script eroors on folders where I don't have explicit permissions, however. Looking at a sampling of them, the only way I can get permission on them is to seize ownership of them, then modify the permissions appropriately, and set the Owner to the correct one. Is there a way to seize ownership via Powershell? Attached is the script that I have been using.

Thanks in advance for any help!
###
### This script will change the permissions on the immediate subfolders of \\chstor1\home 
### to give the following (By inheriting thge first 3, and explicitly setting the 4th):
### Domain Administrators: Full Control
### IT - - Helpdesk 2 : Full Control
### SVC_DataBackup : Read
### End User: Modify
###
 
$ErrorActionPreference = "Continue"
Set-Location e:\Data\Home
$Mismatches = "e:\data\home\Mismatches.txt"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propogation = [System.Security.AccessControl.PropagationFlags]"None"
 
if (Test-Path $Mismatches) {
Clear-Content $Mismatches
}
else {
New-Item $Mismatches -Type File
}
 
$Foldername = Get-ChildItem * | Where-Object {$_.attributes -match "Directory"}
 
foreach ($Fullpath in $Foldername) {
$ACLBase = Get-Acl e:\Data\Home\
### Uncomment the following line to verify default permissions during step debugging
#Set-Acl -Path $Fullpath -AclObject $ACLBase
$username = $Fullpath.Name
$AddACL = "advocatesinc\$username", "Modify", $Inherit, $propogation, "Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $AddACL
 
### Error Handling for directories that don't have a matching username
Trap [Exception] {
  Write-Host "Error occurred, ignoring it"
  Add-Content $Mismatches "Missing account $username"
  Continue;
}
$ACLBase.SetAccessRule($AccessRule)
$ACLBase | Set-Acl $Fullpath 
}

Open in new window

0
Comment
Question by:tilbard
  • 3
  • 3
6 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24304221

There's a SetOwner Method of the $ACLBase object above. To use that you need to construct an IdentityReference.

Something like the below.

You should be able to happily change between possible owners as listed when you look at  the same option in the GUI.

Chris
# Create an Identity Reference for the Local Administrators Group
$LocalAdminGroup = `
  New-Object System.Security.Principal.NTAccount("BUILTIN", "Administrators")
# Call SetOwner on the current ACL
$ACLBase.SetOwner($LocalAdminGroup)
# Apply the updated ACL
Set-ACL $FullPath -AclObject $ACLBase

Open in new window

0
 
LVL 1

Author Comment

by:tilbard
ID: 24304584
After adding that it still generates the same error regarding an Unauthorized action. After doing a bit of browsing, I found some workarounds though. Specifically by calling takeown.exe (referenced here: http://justanothersysadmin.wordpress.com/2008/03/22/take-ownership-of-files-and-folders-through-script/#more-13). While obviously not the best way to do it (it just rubs me wrong calling an external program for what should work), I'm a bit time constrained, so had to go with that for now. I'll leave the question open for now, and add the exact error it generates after it finishes with the takeown.exe method, as I still want to figure out WHY it wouldn't work (for personal knowledge if nothing else).
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24304727

Hmmm sorry I neglected to strip my read permission prior to changing the owner. It's rather disappointing, it seems overriding ownership when you have no access is a bit of a back door, something that PowerShell seems unable to utilise.

I'll keep looking, but it's not looking all that promising.

Chris
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 1

Author Comment

by:tilbard
ID: 24306006
One last question before I assign points (You'll get them either way though, don't worry. ;) ). When running the script, the unauthorized action error isn't being caught by the trap. Is there anyway to trap that so that I don't have to run takeown.exe against directories that don't have any trouble? As you can imagine, it adds quite a bit of time to the script if it runs it against every folder, since it has to recurse through each one. Being able to call it within the trap would speed things up quite a bit, and make the output a bit more readable.
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24306135

We'd could trap it like this.

Chris
Set-Variable -Name "Unauthorised" -Value $False -Scope Script
Trap [System.UnauthorizedAccessException] { 
  $Script:Unauthorised = $True; Continue;
}
Get-ACL $Fullpath.FullName
If ($Script:Unauthorised) {
  # Reset Ownership Here 
}
# Otherwise carry on with setting the permissions

Open in new window

0
 
LVL 1

Author Closing Comment

by:tilbard
ID: 31577982
Worked great, thanks!
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows 10 came with  a lot of built in applications, Some organisations leave them there, some will control them using GPO's. This Article is useful for those who do not want to have any applications in their image (example:me).
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question