Solved

Powershell: Change NTFS file owner from A to B

Posted on 2014-02-11
10
747 Views
Last Modified: 2016-06-24
Hi Experts,

Does someone have a script that will search recursively for files that are owned by user1 and if a file is found; change the owner to user2?

I found 1000s of files that are owned by a user who no longer exists in the domain (The owner samaccount name is a "SID").

Thanks,

A.
0
Comment
Question by:Angeal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39851726
This should work:
$objUser = New-Object System.Security.Principal.NTAccount("Domain", "NEW-user"); 
gci c:\path -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -eq "domain\olduser")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 

Author Comment

by:Angeal
ID: 39853730
Hi becraig,

Thanks for your help. Unfortunately, the script didn't work. I'm running PS as an admin, and when the script is run ,there are no errors, and the "starting to process...." isn't showing up in yellow.

I assume because it's not finding the owner of the file, which is "S-1-5-21-1472472331-4045499139-997351866-1104". I tried changing line 4 to:

if ($fileacl.owner -eq "olduser")

with the same result.

Any ideas?

Thanks,

A.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39853741
if ($fileacl.owner -eq "olduser")  should be in the format domain\user
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:Angeal
ID: 39854026
It doesn't work:

$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith"); 
gci "G:\ServerFolders\Public\" -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -eq "IT\S-1-5-21-1472472331-4045499139-997351866-1104")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 
LVL 29

Expert Comment

by:becraig
ID: 39854044
S-1-5-21-1472472331-4045499139-997351866-1104 is not a username it is a sid

You can probably find the username the SID translates to by doing a quick "wmic useraccount"  and seeing the Name this SID translates to.


This should also give you the Username associated with that SID:
$objSID = New-Object System.Security.Principal.SecurityIdentifier `
("ENTER-SID-HERE")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value 

Open in new window


If you do a get-acl on any file you will see it doe not populate a SID but rather a username e.g:
Domain\User - this is the format you have to enter the old user in.

I am suspecting here this user object might be an artifact and you no longer have this user in your system ?
0
 

Author Comment

by:Angeal
ID: 39854091
You are correct - the user is no longer in the sytem/domain... after running your script to find  the user associated with the SID the following is returned:

Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."

See screenshot.Owner info on one of the files
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39854105
hmm give this a test.

$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith"); 
gci "G:\ServerFolders\Public\" -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -like "*S-1-5-21-1472472331-4045499139-997351866-1104*")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 

Author Comment

by:Angeal
ID: 39854116
That did it! Thank you very much becraig! You saved me a lot of time.
0
 

Author Closing Comment

by:Angeal
ID: 39854118
Great work, thanks a lot becraig!
0
 

Expert Comment

by:Danny Verrazano
ID: 41672013
Is it possible to modify this to find a specific Active Directory user as owner and if that user is owner, transfer Owner to the server local administrators group?
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Utilizing an array to gracefully append to a list of EmailAddresses
"Migrate" an SMTP relay receive connector to a new server using info from an old server.
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question