Solved

Powershell: Change NTFS file owner from A to B

Posted on 2014-02-11
10
719 Views
Last Modified: 2016-06-24
Hi Experts,

Does someone have a script that will search recursively for files that are owned by user1 and if a file is found; change the owner to user2?

I found 1000s of files that are owned by a user who no longer exists in the domain (The owner samaccount name is a "SID").

Thanks,

A.
0
Comment
Question by:Angeal
  • 5
  • 4
10 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39851726
This should work:
$objUser = New-Object System.Security.Principal.NTAccount("Domain", "NEW-user"); 
gci c:\path -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -eq "domain\olduser")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 

Author Comment

by:Angeal
ID: 39853730
Hi becraig,

Thanks for your help. Unfortunately, the script didn't work. I'm running PS as an admin, and when the script is run ,there are no errors, and the "starting to process...." isn't showing up in yellow.

I assume because it's not finding the owner of the file, which is "S-1-5-21-1472472331-4045499139-997351866-1104". I tried changing line 4 to:

if ($fileacl.owner -eq "olduser")

with the same result.

Any ideas?

Thanks,

A.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39853741
if ($fileacl.owner -eq "olduser")  should be in the format domain\user
0
 

Author Comment

by:Angeal
ID: 39854026
It doesn't work:

$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith"); 
gci "G:\ServerFolders\Public\" -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -eq "IT\S-1-5-21-1472472331-4045499139-997351866-1104")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 
LVL 29

Expert Comment

by:becraig
ID: 39854044
S-1-5-21-1472472331-4045499139-997351866-1104 is not a username it is a sid

You can probably find the username the SID translates to by doing a quick "wmic useraccount"  and seeing the Name this SID translates to.


This should also give you the Username associated with that SID:
$objSID = New-Object System.Security.Principal.SecurityIdentifier `
("ENTER-SID-HERE")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value 

Open in new window


If you do a get-acl on any file you will see it doe not populate a SID but rather a username e.g:
Domain\User - this is the format you have to enter the old user in.

I am suspecting here this user object might be an artifact and you no longer have this user in your system ?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Angeal
ID: 39854091
You are correct - the user is no longer in the sytem/domain... after running your script to find  the user associated with the SID the following is returned:

Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."

See screenshot.Owner info on one of the files
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39854105
hmm give this a test.

$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith"); 
gci "G:\ServerFolders\Public\" -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -like "*S-1-5-21-1472472331-4045499139-997351866-1104*")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 

Author Comment

by:Angeal
ID: 39854116
That did it! Thank you very much becraig! You saved me a lot of time.
0
 

Author Closing Comment

by:Angeal
ID: 39854118
Great work, thanks a lot becraig!
0
 

Expert Comment

by:Danny Verrazano
ID: 41672013
Is it possible to modify this to find a specific Active Directory user as owner and if that user is owner, transfer Owner to the server local administrators group?
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Microsoft Windows Server Update Service (WSUS) is free for everyone, but it lacks of some desirable features like send an e-mail to the administrator with the status of all computers on the WSUS server. This article is based on my PowerShell script …
Synchronize a new Active Directory domain with an existing Office 365 tenant
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now