Solved

Powershell: Change NTFS file owner from A to B

Posted on 2014-02-11
Last Modified: 2016-06-24
Hi Experts,

Does someone have a script that will search recursively for files that are owned by user1 and if a file is found; change the owner to user2?

I found 1000s of files that are owned by a user who no longer exists in the domain (The owner samaccount name is a "SID").

Thanks,

A.
Question by:Angeal
LVL 29

Expert Comment

by:becraig
ID: 39851726
This should work:
# Account that will become the new owner (domain, username)
$objUser = New-Object System.Security.Principal.NTAccount("Domain", "NEW-user")
gci c:\path -recurse | % {
    $fileacl = Get-Acl $_.FullName
    # Get-Acl reports the owner as DOMAIN\user, so compare in that form
    if ($fileacl.owner -eq "domain\olduser")
    {
        write-host "starting to process..." -fore yellow
        $file = gi $_.FullName
        $acl = $file.GetAccessControl()
        $acl.SetOwner($objUser)
        $file.SetAccessControl($acl)
    }
}


Author Comment

by:Angeal
ID: 39853730
Hi becraig,

Thanks for your help. Unfortunately, the script didn't work. I'm running PS as an admin, and when the script is run, there are no errors, and the "starting to process..." isn't showing up in yellow.

I assume because it's not finding the owner of the file, which is "S-1-5-21-1472472331-4045499139-997351866-1104". I tried changing line 4 to:

if ($fileacl.owner -eq "olduser")

with the same result.

Any ideas?

Thanks,

A.
LVL 29

Expert Comment

by:becraig
ID: 39853741
if ($fileacl.owner -eq "olduser") should be in the format domain\user.
Author Comment

by:Angeal
ID: 39854026
It doesn't work:

# Account that will become the new owner (domain, username)
$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith")
gci "G:\ServerFolders\Public\" -recurse | % {
    $fileacl = Get-Acl $_.FullName
    # exact string comparison of the reported owner
    if ($fileacl.owner -eq "IT\S-1-5-21-1472472331-4045499139-997351866-1104")
    {
        write-host "starting to process..." -fore yellow
        $file = gi $_.FullName
        $acl = $file.GetAccessControl()
        $acl.SetOwner($objUser)
        $file.SetAccessControl($acl)
    }
}

LVL 29

Expert Comment

by:becraig
ID: 39854044
S-1-5-21-1472472331-4045499139-997351866-1104 is not a username, it is a SID.

You can probably find the username the SID translates to by doing a quick "wmic useraccount"  and seeing the Name this SID translates to.


This should also give you the Username associated with that SID:
# Build a SID object and ask Windows to translate it to DOMAIN\user
$objSID = New-Object System.Security.Principal.SecurityIdentifier("ENTER-SID-HERE")
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value

If you do a get-acl on any file you will see it does not populate a SID but rather a username e.g:
Domain\User - this is the format you have to enter the old user in.

I am suspecting here this user object might be an artifact and you no longer have this user in your system ?

Author Comment

by:Angeal
ID: 39854091
You are correct - the user is no longer in the system/domain... after running your script to find the user associated with the SID the following is returned:

Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."

See screenshot. [Screenshot: Owner info on one of the files]
LVL 29

Accepted Solution

by:becraig (earned 500 total points)
ID: 39854105
hmm give this a test.

# Account that will become the new owner (domain, username)
$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith")
gci "G:\ServerFolders\Public\" -recurse | % {
    $fileacl = Get-Acl $_.FullName
    # wildcard match: the orphaned SID is all we can rely on in the owner string
    if ($fileacl.owner -like "*S-1-5-21-1472472331-4045499139-997351866-1104*")
    {
        write-host "starting to process..." -fore yellow
        $file = gi $_.FullName
        $acl = $file.GetAccessControl()
        $acl.SetOwner($objUser)
        $file.SetAccessControl($acl)
    }
}


Author Comment

by:Angeal
ID: 39854116
That did it! Thank you very much becraig! You saved me a lot of time.

Author Closing Comment

by:Angeal
ID: 39854118
Great work, thanks a lot becraig!

Expert Comment

by:Danny Verrazano
ID: 41672013
Is it possible to modify this to find a specific Active Directory user as owner and if that user is owner, transfer Owner to the server local administrators group?
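An added example, not code posted by anyone in this thread, that generalises the accepted answer: instead of hard-coding one SID it detects any owner SID that no longer translates to an account (the "identity references could not be translated" failure Angeal hit is exactly the signal), or matches a named -OldOwner, and the new owner can be a user or a group such as BUILTIN\Administrators, which covers the follow-up question above. It reports before it changes anything (-WhatIf), logs every decision to a CSV, and fails early if the new owner does not resolve. Assumptions: an elevated Windows PowerShell session (assigning ownership to a principal other than yourself requires the SeRestorePrivilege that elevated Administrators hold); the path, account names and log file name are placeholders.

```powershell
# Added example, not code from the thread. Reports, and with -WhatIf/-Confirm
# support re-owns, every file and folder under -Path whose NTFS owner is either
# the account given in -OldOwner or (when -OldOwner is omitted) any SID that no
# longer resolves to an account, which is what Get-Acl shows for a deleted user.
# Assumptions: elevated Windows PowerShell; paths and names below are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $Path,       # e.g. 'G:\ServerFolders\Public'
    [string] $OldOwner,                                  # 'DOMAIN\user' or a raw SID; omit to target every orphaned SID
    [Parameter(Mandatory = $true)] [string] $NewOwner,   # 'DOMAIN\user' or a group such as 'BUILTIN\Administrators'
    [string] $LogPath = (Join-Path $env:TEMP 'owner-change.csv')
)

function Test-OrphanedSid {
    # True when $Identity is a SID string that Windows cannot translate back to
    # an account name; Translate() throws for SIDs whose account was deleted.
    param([string] $Identity)
    if ($Identity -notmatch '^S-1-\d+(-\d+)+$') { return $false }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Identity)
        $null = $sid.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch {
        return $true
    }
}

function Test-OwnerMatch {
    # Decides whether an owner string reported by Get-Acl is one we want to replace.
    param([string] $Owner, [string] $Wanted)
    if ($Wanted) {
        # Exact match, or the wanted name as the part after DOMAIN\
        return ($Owner -eq $Wanted) -or ($Owner -like "*\$Wanted")
    }
    return Test-OrphanedSid -Identity $Owner
}

# Resolve the new owner up front so a typo fails before any file is touched.
$target = New-Object System.Security.Principal.NTAccount($NewOwner)
try {
    $null = $target.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    throw "New owner '$NewOwner' does not resolve to an account or group: $($_.Exception.Message)"
}

$results = foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName
    } catch {
        [pscustomobject]@{ Path = $item.FullName; OldOwner = $null; Action = 'ReadFailed'; Detail = $_.Exception.Message }
        continue
    }
    $currentOwner = $acl.Owner
    if (-not (Test-OwnerMatch -Owner $currentOwner -Wanted $OldOwner)) { continue }

    # ShouldProcess gives the script -WhatIf (report only) and -Confirm for free.
    if (-not $PSCmdlet.ShouldProcess($item.FullName, "Change owner from '$currentOwner' to '$NewOwner'")) {
        [pscustomobject]@{ Path = $item.FullName; OldOwner = $currentOwner; Action = 'Skipped'; Detail = 'WhatIf or declined' }
        continue
    }
    try {
        $acl.SetOwner($target)
        # Set-Acl writes the modified descriptor back; it works for files and folders alike.
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        [pscustomobject]@{ Path = $item.FullName; OldOwner = $currentOwner; Action = 'Changed'; Detail = '' }
    } catch {
        # Typical causes: missing SeRestorePrivilege, or no access to the object at all.
        [pscustomobject]@{ Path = $item.FullName; OldOwner = $currentOwner; Action = 'WriteFailed'; Detail = $_.Exception.Message }
    }
}

if ($results) {
    $results | Export-Csv -LiteralPath $LogPath -NoTypeInformation
    $results | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize
    Write-Host "Details written to $LogPath"
} else {
    Write-Host "No files or folders matched the owner criteria under $Path"
}
```

Run it first as `.\Fix-Owner.ps1 -Path 'G:\ServerFolders\Public' -NewOwner 'IT\MrSmith' -WhatIf` (script name is a placeholder) to get a CSV of every object that would be touched without changing anything; the same invocation without -WhatIf performs the change, and `-NewOwner 'BUILTIN\Administrators'` hands ownership to the local Administrators group instead of a user. The CSV doubles as a change record, which matters because ownership changes are privileged actions that are otherwise only visible in the Security log when file system auditing is configured for that tree.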