Solved

Powershell: Change NTFS file owner from A to B

Posted on 2014-02-11
10
754 Views
Last Modified: 2016-06-24
Hi Experts,

Does someone have a script that will search recursively for files that are owned by user1 and if a file is found; change the owner to user2?

I found 1000s of files that are owned by a user who no longer exists in the domain (The owner samaccount name is a "SID").

Thanks,

A.
0
Comment
Question by:Angeal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39851726
This should work:
$objUser = New-Object System.Security.Principal.NTAccount("Domain", "NEW-user"); 
gci c:\path -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -eq "domain\olduser")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 

Author Comment

by:Angeal
ID: 39853730
Hi becraig,

Thanks for your help. Unfortunately, the script didn't work. I'm running PS as an admin, and when the script is run ,there are no errors, and the "starting to process...." isn't showing up in yellow.

I assume because it's not finding the owner of the file, which is "S-1-5-21-1472472331-4045499139-997351866-1104". I tried changing line 4 to:

if ($fileacl.owner -eq "olduser")

with the same result.

Any ideas?

Thanks,

A.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39853741
if ($fileacl.owner -eq "olduser")  should be in the format domain\user
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Angeal
ID: 39854026
It doesn't work:

$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith"); 
gci "G:\ServerFolders\Public\" -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -eq "IT\S-1-5-21-1472472331-4045499139-997351866-1104")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 
LVL 29

Expert Comment

by:becraig
ID: 39854044
S-1-5-21-1472472331-4045499139-997351866-1104 is not a username it is a sid

You can probably find the username the SID translates to by doing a quick "wmic useraccount"  and seeing the Name this SID translates to.


This should also give you the Username associated with that SID:
$objSID = New-Object System.Security.Principal.SecurityIdentifier `
("ENTER-SID-HERE")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value 

Open in new window


If you do a get-acl on any file you will see it doe not populate a SID but rather a username e.g:
Domain\User - this is the format you have to enter the old user in.

I am suspecting here this user object might be an artifact and you no longer have this user in your system ?
0
 

Author Comment

by:Angeal
ID: 39854091
You are correct - the user is no longer in the sytem/domain... after running your script to find  the user associated with the SID the following is returned:

Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."

See screenshot.Owner info on one of the files
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39854105
hmm give this a test.

$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith"); 
gci "G:\ServerFolders\Public\" -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -like "*S-1-5-21-1472472331-4045499139-997351866-1104*")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 

Author Comment

by:Angeal
ID: 39854116
That did it! Thank you very much becraig! You saved me a lot of time.
0
 

Author Closing Comment

by:Angeal
ID: 39854118
Great work, thanks a lot becraig!
0
 

Expert Comment

by:Danny Verrazano
ID: 41672013
Is it possible to modify this to find a specific Active Directory user as owner and if that user is owner, transfer Owner to the server local administrators group?
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In previous parts of this Nano Server deployment series, we learned how to create, deploy and configure Nano Server as a Hyper-V host. In this part, we will look for a clustering option. We will create a Hyper-V cluster of 3 Nano Server host nodes w…
In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question