Script to Recurse Certain Directories and Change Owner & Permissions

We have about 800 users with roaming profiles on a drive, call it E:\User_Profiles (which is shared out to the network). Profiles are stored in the format:


And so forth.  We're trying to do a wildcard copy of all files inside E:\User_Profiles to another disk.  

  xcopy E:\User_Profiles\*.* J:\User_Profiles\  /C /E /Y

Under each profile is the obligatory "My Documents" folder.  All profiles are readable to the Administrators group-- except the "My Documents" folder.   For whatever reason Administrators have no permission on each user's My Documents folder. This prevents copying with an "access denied" error.

We have to go to each profile, take ownership of My Documents, add permission for Administrators, then give ownership back to the user.

For 5 users this would be ok, but for 800 users this is an unworkable solution.

Can someone suggest a script that will recurse the entire E:\User_Profiles directory tree, and add the Administrators group with Full Control permissions to every "My Documents" folder in the tree?

If permissions cannot be added without taking ownership first, the script would have to detect the current owner (which appears to always be the user of the profile), temporarily change owner to Administrators, add full control permissions for Administrators, then return ownership to the original owner.

Suggestions, please.  Thanks in advance.


I have a kixtart script already that does this.
It uses the AD username as the basis. My script searches the AD user accounts, then finds the matching folder name, and resets the permissions and makes the user the owner.
So, if your user accounts are bob.smith and the folder is bob.smith it will work.

For your case, You can take ownership of the folders, move/copy them to the new location and then run my script.
On the new folder just set the Domain Admins at the top level folder and allow inheritance.  My script does not specifically add Administrators for access.

If your username in AD is different, then please describe that, i.e. what info we can use from AD to build a name that matches the folder.

kixtart32 script.kix

You can create some test folder structure first to verify it does what you need.  
In the script (text file type) you have to set your Domain and the Root/Scan folder - at the top of the script

$ScanFolder = "e:\folder"
$DomainName = "Domain"
$DomObj = GetObject("WinNT://@LDomain")
$DomObj.Filter = "user", ""
For Each $user In $DomObj
    ; Name property of the enumerated WinNT user object (this line was truncated to "$" in the post)
    $username = $user.Name
    ; NT4-style name -> distinguished name via the NameTranslate COM object (function below)
    $userhome = TranslateName(3, "", 3, "@LDomain\$username", 1)
    $userinfo = GetObject("LDAP://" + $userhome[0])
    $TempUser = $userinfo.sAMAccountName
    $UserFolder = $ScanFolder + "\" + $TempUser
    $FullName = $DomainName + "\" + $TempUser
    If Exist($UserFolder) = 1
        ? "Process folder: " + $UserFolder
        ; path is quoted so folder names containing spaces survive the command line
        RUN ('ICACLS "$UserFolder" /grant $FullName:(CI)f /T')
        ? "Process Ownership: " + $FullName
        RUN ('ICACLS "$UserFolder" /setowner $FullName /T')
    EndIf
Next
? "Finished"

; TranslateName function authored by Howard A. Bullock
; Returns an array: translated name, @error, @serror
Function TranslateName($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
    Dim $NameTranslate, $ReturnName, $Error, $ErrorText
    $Error = 0
    $ErrorText = ""
    $ReturnName = ""
    $NameTranslate = CreateObject("NameTranslate")
    $Error = @error
    $ErrorText = @serror
    If $Error = 0
        $NameTranslate.Init($InitType, $BindName)
        $Error = @error
        $ErrorText = @serror
        If $Error = 0
            $NameTranslate.Set($LookupNameType, $LookupName)
            $Error = @error
            $ErrorText = @serror
            If $Error = 0
                $ReturnName = $NameTranslate.Get($ReturnNameType)
                $Error = @error
                $ErrorText = @serror
            EndIf
        EndIf
    EndIf
    $TranslateName = $ReturnName, $Error, $ErrorText
EndFunction

If you have the access denied, then you should check that folder manually and see if you can add permissions manually for the folder.  Otherwise, you will need to take control before you can add the permissions.

If you can add Administrators to the MyDocuments folder without taking control then I can adjust the script to just include Administrators (just add them).

I mentioned before about copying the folders, which is optional.

If you want to fix the permissions on your current folders then I would do the following:
1. Take ownership as admin at the top level and apply to all child objects
2. Set your permissions on the top-level folder (Administrators Full, Creator/Owner Full, etc.) and set them to inherit to child folders.
3. Then run my script and it will reset the permissions on the subfolders.

If you want to copy after this then you should have access as an admin.


I believe the problem with going to the directory root (E:\User_Profiles) and propagating permissions downward is that any permissions that are set at the root, but not on individual profile directories, will suddenly be present on those subdirectories.  But assuming we could work around that, one other question--

How does your script handle directories that are named differently than the username? For example, a user was originally set up as Suzie.Smith and that's how her profile directory was named. Then she got married and her username changed to Suzie.Jones, but the directory name stayed the same. Out of 800 users, we have quite a few users whose names have changed over the years due to marriage, divorce, etc., so their profile directory name is no longer an exact match to the username.

I'm still hoping someone can suggest a script that does not rely on AD-- and will do the following:

Recurse E:\User_Profiles.  For each profile directory:

  a)  Read username of current owner.
  b)  Take ownership of the profile directory and propagate down to all subdirectories and objects.
  c)  Add Full Control permissions for Administrators group and propagate down to all subdirectories and objects.
  d)   Revert ownership back to the user discovered in step (a) above.


Correction.  Step (d) above should read:

d)   Revert ownership back to the user discovered in step (a) above and propagate down to all subdirs & objects.

My script was made for a different purpose, but it can reset permissions.
It does rely on the AD username, but if you have a lot of changed user names which don't correspond to the folder name then my script will fail on those folders.
When I setup these types of folders I set the admin access at the root and let it propagate down through the user folders.  It doesn't have to be that way.

The algorithm you described is better suited to your task.
If I have some time I will see if I can adjust my script.

Here is a new kixtart script.

It will do as you requested:

a)  Read username of current owner.
  b)  Take ownership of the profile directory and propagate down to all subdirectories and objects.
  c)  Add Full Control permissions for Administrators group and propagate down to all subdirectories and objects.
  d)  Add user (step a) Full control and  set ownership back to the user discovered in step (a) above.

Set your Domain Admin account and the basedir.


$AdminName = "Domain\domain admins"
$basedir = "E:\111"

; Dir() needs a wildcard to enumerate the folder's contents (the post passed the folder itself)
$Name = Dir($basedir + "\*")
While $Name <> "" And @ERROR = 0
  ; attribute bit 16 = directory; skip the "." and ".." entries
  If ($Name <> ".") And ($Name <> "..") And (GetFileAttr($basedir + "\" + $Name) & 16)
     $Folder = $basedir + "\" + $Name
     $Owner = GetOwner($Folder)                               ; (a) current owner: username, domain
     $FullName = $Owner[1] + "\" + $Owner[0]
     ? "Process Folder:  " + $Folder + "      Owner: " + $FullName
     RUN ('TAKEOWN /F "$Folder" /R /D N')                     ; (b) take ownership, recursively
     RUN ('ICACLS "$Folder" /grant "$AdminName":(CI)f /T')    ; (c) admins Full Control, all children
     RUN ('ICACLS "$Folder" /grant $FullName:(CI)f /T')       ; (d) user Full Control ...
     RUN ('ICACLS "$Folder" /setowner $FullName /T')          ;     ... and ownership back to the user
  EndIf
  $Name = Dir()
Loop

? "Finished"


;FUNCTION      GetOwner($fileinput)
;AUTHOR        BrianTX
;ACTION        Gets the owner of a file (username and domain) and
;              returns them in the form of an array.
;SYNTAX        GetOwner($fileinput)
;PARAMETERS    $fileinput (Required) - Name of a file including the
;              full path. UNC names are NOT supported.
;REMARKS       This UDF is designed to allow processing on files based
;              on who their owner is.
;RETURNS       Always an array of 2 elements -- username, domain.
;              Invalid filenames will return an array of 2 blank elements.
;DEPENDENCIES  Windows NT 4.0 or later (with WMI installed)
;EXAMPLE       $Owner = GetOwner("M:\testfile.txt")
;              RETURNS:
;              $Owner[0] = "MyUserID"
;              $Owner[1] = "MYDOMAIN"
;NOTE          Sometimes the domain returns as BUILTIN instead of the
;              actual domain, especially when there is group ownership.

Function GetOwner($fileinput)
  Dim $wmiobj, $SIDObj, $SID
  ; WMI connection to the local machine (the post's copy left $wmiobj undefined)
  $wmiobj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
  ; a WQL object path needs every backslash doubled
  $fileinput = Join(Split($fileinput, "\"), "\\")
  ; the query must be a single line: KiXtart strings cannot span lines
  $SIDObj = $wmiobj.ExecQuery("ASSOCIATORS OF {Win32_LogicalFileSecuritySetting='$fileinput'} WHERE AssocClass=Win32_LogicalFileOwner ResultRole=Owner")
  For Each $SID In $SIDObj
    $GetOwner = $SID.AccountName, $SID.ReferencedDomainName
  Next
  ; no owner found (bad path, no WMI result): return two blank elements
  If VarType($GetOwner) = 0 $GetOwner = "", "" EndIf
EndFunction

You will need the utility called takeown.exe.
Link in that page for the download.

Also, run that script under an admin-level account so that takeown.exe can take ownership.

Also, if you only have user accounts in 1 domain then you may want to change this line.  The script function I copied says that it may return BUILTIN for some groups if they have ownership of the folder.
If you are sure that only user accounts have ownership then it should not matter.

$FullName = $Owner[1] + "\" + $Owner[0]

to your Domain

$FullName = "Domain\" + $Owner[0]
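As an added example that is not part of this thread and not the answerer's script, here is a PowerShell implementation of steps (a) to (d) from the question that relies on neither AD nor takeown.exe, only on the NTFS security APIs. It assumes Windows PowerShell 5.1 on the file server, an elevated session (so SeTakeOwnershipPrivilege and SeRestorePrivilege are available), and a local, non-UNC $ProfileRoot; the function names ConvertTo-Identity, Set-OwnerBlind and Repair-Item are my own. It goes beyond the KiXtart script in two places: an owner that no longer resolves to an account (Get-Acl then reports a raw SID) is preserved instead of failing translation, and junctions or symlinks inside a profile are not followed, so nothing outside the profile tree gets re-ACLed.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from this thread): PowerShell port of steps (a)-(d).
# Assumptions: Windows PowerShell 5.1 on the file server, run elevated, and
# $ProfileRoot is a local path (not a UNC path).
param(
    [string]$ProfileRoot = 'E:\User_Profiles',       # root named in the question
    [string]$AdminGroup  = 'BUILTIN\Administrators'  # group to be granted Full Control
)

$adminId     = New-Object System.Security.Principal.NTAccount($AdminGroup)
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$noProp      = [System.Security.AccessControl.PropagationFlags]::None

# Directories get an inheritable ACE, the equivalent of icacls (OI)(CI)F; files
# cannot carry inheritance flags, so they get a second, non-inheritable rule.
$dirRule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $adminId, $fullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    $noProp, $allow)
$fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $adminId, $fullControl,
    [System.Security.AccessControl.InheritanceFlags]::None,
    $noProp, $allow)

function ConvertTo-Identity([string]$Owner) {
    # Get-Acl reports the owner of an orphaned object as a raw SID string, which
    # NTAccount cannot translate back; keep such owners as a SecurityIdentifier.
    if ($Owner -match '^S-1-') {
        New-Object System.Security.Principal.SecurityIdentifier($Owner)
    } else {
        New-Object System.Security.Principal.NTAccount($Owner)
    }
}

function Set-OwnerBlind([System.IO.FileSystemInfo]$Item, $Identity) {
    # A fresh security object with only the owner set persists only the owner
    # section, so the handle is opened for WRITE_OWNER. SeTakeOwnershipPrivilege,
    # held by an elevated administrator, satisfies that even where the DACL grants
    # Administrators nothing, which is why no Get-Acl is attempted here first.
    $sec = if ($Item -is [System.IO.DirectoryInfo]) {
        New-Object System.Security.AccessControl.DirectorySecurity
    } else {
        New-Object System.Security.AccessControl.FileSecurity
    }
    $sec.SetOwner($Identity)
    $Item.SetAccessControl($sec)
}

function Repair-Item([System.IO.FileSystemInfo]$Item, $OriginalOwner) {
    Set-OwnerBlind $Item $adminId                      # (b) take ownership
    $acl = Get-Acl -LiteralPath $Item.FullName         # readable now: the owner always has READ_CONTROL
    $rule = if ($Item -is [System.IO.DirectoryInfo]) { $dirRule } else { $fileRule }
    $acl.AddAccessRule($rule)                          # (c) Administrators Full Control
    $acl.SetOwner($OriginalOwner)                      # (d) ownership back (needs SeRestorePrivilege)
    Set-Acl -LiteralPath $Item.FullName -AclObject $acl
    if ($Item -is [System.IO.DirectoryInfo]) {
        foreach ($child in Get-ChildItem -LiteralPath $Item.FullName -Force) {
            # Do not follow junctions or symlinks: they can lead outside the
            # profile tree and would re-ACL something that is not a profile.
            if ($child.Attributes -band [System.IO.FileAttributes]::ReparsePoint) { continue }
            Repair-Item $child $OriginalOwner
        }
    }
}

foreach ($profile in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force) {
    # (a) The profile folder itself is readable by Administrators (per the
    # question), so its owner can be recorded before anything is changed.
    $owner = (Get-Acl -LiteralPath $profile.FullName).Owner
    Write-Host ('{0}  owner: {1}' -f $profile.FullName, $owner)
    try {
        Repair-Item $profile (ConvertTo-Identity $owner)
    } catch {
        Write-Warning ('{0}: {1}' -f $profile.FullName, $_.Exception.Message)
    }
}
```

Saved as, say, Repair-ProfileAcl.ps1 (a name I chose), it is run from an elevated prompt as `.\Repair-ProfileAcl.ps1 -ProfileRoot 'E:\User_Profiles'`; wrapping the run in Start-Transcript keeps the printed original owners as a record for rollback. Step (d) is folded into the same Set-Acl write as step (c) on every item, so each file or folder is owned by Administrators only for the instant between the two writes, and every item ends up with an explicit Administrators ACE, the same result as icacls /T in the KiXtart script.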


Thanks for the effort you put into this answer.
