• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 612
  • Last Modified:

How to grant full control to a directory tree?

On Windows Server 2012, I am trying to grant myself "full control" on a directory tree.  Using "command prompt" and "running as administrator", I executed

icacls <filePath> /grant:r <domainName>\<userName>:(OI)(CI)F /inheritance:e

Here is a synopsis of the command arguments:

   /grant:r        grant, replacing previous permissions
   (OI)            object inherit
   (CI)            container inherit
   F               full control
   /inheritance:e  enables inheritance

This command runs, but does not grant me full control of the entire directory tree.  While running as domainName\userName, I still get "Permission denied" errors.  Apparently, I am not doing something quite right.
  • 3
  • 2
  • 2
5 Solutions
Mitchell MilliganInformation Technology Network AdministratorCommented:
You may have to force ownership of the folder before you can edit those permissions on it.  Try this to take ownership first, then try that command:

To Take Ownership of a Folder or Drive using TAKEOWN Command
NOTE: This command will take ownership of the folder or drive, and all files and subfolders in the folder or drive.

A) In the elevated command prompt, type the command you want below, press Enter, and go to step 5 below.
NOTE: Substitute full path of folder or drive with the full path of the folder or drive letter that you want to take ownership of within quotes.

(To grant currently logged on user ownership of)

takeown /F "full path of folder or drive" /R /D Y

(To grant administrators group ownership of)

takeown /F "full path of folder or drive" /A /R /D Y

For example:

takeown /F "F:" /A /R /D Y

takeown /F "F:\Folder" /A /R /D Y

Source: http://www.eightforums.com/tutorials/2808-take-ownership-file-folder-drive-registry-key-windows-8-a.html

This should work the same for Server 2012 since it works for Windows 8.  Continue to run the cmd as administrator, and this should help you out!

Additionally, you may have to force the permissions to cascade through the directory, this is a known bug on S2012 sometimes.  To do this, you can follow these instructions at technet: http://social.technet.microsoft.com/Forums/windowsserver/en-US/8d17c211-264c-4570-ad33-8643dd66e4d1/cant-take-ownership-of-files-with-take-own-get-access-diened?forum=winserverfiles
Lee W, MVPTechnology and Business Process AdvisorCommented:
First of all, you should NEVER assign permissions to an account.  Think how long it's going to take to change the permissions on everything and what happens if you later want to add another person to have full control?

Create a GROUP, put yourself into that group, and assign full control to the group.  Later, if you want to add or remove people from access, it's as simple (AND FAST) as adding or removing them to the group.

Second, as stated above, take ownership of everything.  Then you can change permissions.
Mitchell MilliganInformation Technology Network AdministratorCommented:
Lee is correct, you should create a group first, then assign that group.  That slipped my mind, but thanks for the input Lee.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

CFS_developerAuthor Commented:
If I create a group, how do I recursively assign ownership to that group?  The takeown command only assigns to the user running the program or to the administrators group.
Lee W, MVPTechnology and Business Process AdvisorCommented:
Take ownership for you and then assign the group.  There's always going to be a first, so to speak, when you need to change something, but by using a group you won't waste your time EVERY time in the future.
CFS_developerAuthor Commented:
The Windows commands to recursively adjust file permissions failed on some of the files and folders.  My solution was to utilize Cygwin's unix-type utilities in conjunction with Windows commands:

chmod -R ugo+rwx fileName
takeown /F fileName /R
icacls fileName /grant:r domain\user:(OI)(CI)F /inheritance:e
chmod -R o-rwx fileName

Most likely, some of the above commands are superfluous, but the overall flow worked.  Good enough.  

Cygwin is available from  http://www.cygwin.com/

Now that I have personal ownership and access for the directory tree, I can concern myself with group assignment.

Thanks everybody for your help.
CFS_developerAuthor Commented:
My comment does indeed provide part of the solution.

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now