Solved

Powershell: Change NTFS file owner from A to B

Posted on 2014-02-11
10
708 Views
Last Modified: 2016-06-24
Hi Experts,

Does someone have a script that will search recursively for files that are owned by user1 and if a file is found; change the owner to user2?

I found 1000s of files that are owned by a user who no longer exists in the domain (The owner samaccount name is a "SID").

Thanks,

A.
0
Comment
Question by:Angeal
  • 5
  • 4
10 Comments
 
LVL 28

Expert Comment

by:becraig
ID: 39851726
This should work:
$objUser = New-Object System.Security.Principal.NTAccount("Domain", "NEW-user"); 
gci c:\path -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -eq "domain\olduser")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 

Author Comment

by:Angeal
ID: 39853730
Hi becraig,

Thanks for your help. Unfortunately, the script didn't work. I'm running PS as an admin, and when the script is run ,there are no errors, and the "starting to process...." isn't showing up in yellow.

I assume because it's not finding the owner of the file, which is "S-1-5-21-1472472331-4045499139-997351866-1104". I tried changing line 4 to:

if ($fileacl.owner -eq "olduser")

with the same result.

Any ideas?

Thanks,

A.
0
 
LVL 28

Expert Comment

by:becraig
ID: 39853741
if ($fileacl.owner -eq "olduser")  should be in the format domain\user
0
 

Author Comment

by:Angeal
ID: 39854026
It doesn't work:

$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith"); 
gci "G:\ServerFolders\Public\" -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -eq "IT\S-1-5-21-1472472331-4045499139-997351866-1104")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 
LVL 28

Expert Comment

by:becraig
ID: 39854044
S-1-5-21-1472472331-4045499139-997351866-1104 is not a username it is a sid

You can probably find the username the SID translates to by doing a quick "wmic useraccount"  and seeing the Name this SID translates to.


This should also give you the Username associated with that SID:
$objSID = New-Object System.Security.Principal.SecurityIdentifier `
("ENTER-SID-HERE")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value 

Open in new window


If you do a get-acl on any file you will see it doe not populate a SID but rather a username e.g:
Domain\User - this is the format you have to enter the old user in.

I am suspecting here this user object might be an artifact and you no longer have this user in your system ?
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:Angeal
ID: 39854091
You are correct - the user is no longer in the sytem/domain... after running your script to find  the user associated with the SID the following is returned:

Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."

See screenshot.Owner info on one of the files
0
 
LVL 28

Accepted Solution

by:
becraig earned 500 total points
ID: 39854105
hmm give this a test.

$objUser = New-Object System.Security.Principal.NTAccount("IT", "MrSmith"); 
gci "G:\ServerFolders\Public\" -recurse | % {
$fileacl = Get-Acl $_.FullName 
if ($fileacl.owner -like "*S-1-5-21-1472472331-4045499139-997351866-1104*")
{
write-host "starting to process..." -fore yellow
$file = gi $_.FullName
$acl=$file.GetAccessControl()
$acl.SetOwner($objUser)
$file.SetAccessControl($acl)
}
}

Open in new window

0
 

Author Comment

by:Angeal
ID: 39854116
That did it! Thank you very much becraig! You saved me a lot of time.
0
 

Author Closing Comment

by:Angeal
ID: 39854118
Great work, thanks a lot becraig!
0
 

Expert Comment

by:Danny Verrazano
ID: 41672013
Is it possible to modify this to find a specific Active Directory user as owner and if that user is owner, transfer Owner to the server local administrators group?
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

This is a PowerShell web interface I use to manage some task as a network administrator. Clicking an action button on the left frame will display a form in the middle frame to input some data in textboxes, process this data in PowerShell and display…
Create and license users in Office 365 in bulk based on a CSV file. A step-by-step guide with PowerShell script examples.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video discusses moving either the default database or any database to a new volume.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now