Danny Verrazano

asked:
Change owner from userA to server Local Administrators

OS: Server 2012 R2

In need of a script similar to this: https://www.experts-exchange.com/questions/28362250/Powershell-Change-NTFS-file-owner-from-A-to-B.html

It should find all files and folders (under a single share) that have an owner of UserA (Active Directory user) and transfer ownership to the local Administrators group of the server the share is located on (the server's local Administrators group, as opposed to the Active Directory Builtin Administrators group).

Any help would be greatly appreciated

Danny
oBdA

Try this (as usual, with test items first):
# Accounts and paths. "Administrators" without a domain prefix is the server's own local (BUILTIN) group.
$OldOwner = "Domain\UserA"
$NewOwner = "Administrators"
$Folder = "C:\Temp\ACLTest"
$LogFile = "C:\Temp\Owner.csv"

# Resolve the new owner once, up front: an unknown account aborts the script before any item is touched.
$NewOwnerNT = New-Object System.Security.Principal.NTAccount($NewOwner)
Try {
	"Setting new owner '$($NewOwner)', $($NewOwnerNT.Translate([System.Security.Principal.SecurityIdentifier]))" | Write-Host -ForegroundColor White
} Catch {
	Throw "Account not found: $($NewOwner)"
}
Get-ChildItem -Path $Folder -Recurse |
	ForEach-Object {
		"Processing $($_.FullName) ... " | Write-Host -Fore White -NoNewline
		# One log row per item: Path, Action, Owner, Exception (the last three start out empty).
		$Result = $_.FullName | Select-Object -Property @{Name='Path'; Expression={$_}}, Action, Owner, Exception
		Try {
			# -LiteralPath so names containing [ or ] are not treated as wildcards;
			# -ErrorAction Stop so an access-denied error is terminating and lands in Catch instead of being silently skipped.
			$FileACL = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
			$Result.Owner = $FileACL.Owner
			If ($FileACL.Owner -eq $OldOwner) {
				# Set the owner through the .NET security descriptor of the item itself.
				$Acl = $_.GetAccessControl()
				$Acl.SetOwner($NewOwnerNT)
				$_.SetAccessControl($Acl)
				"OK" | Write-Host -Fore Green
				$Result.Owner = $NewOwnerNT.Value
				$Result.Action = 'Changed'
			} Else {
				"skipped (owner is $($FileACL.Owner))" | Write-Host -Fore Gray
				$Result.Action = 'Skipped'
			}
		} Catch {
			# Inside Catch, $_ is the error record, not the file.
			"failed: $($_.Exception.Message)" | Write-Host -Fore Red
			$Result.Action = 'Error'
			$Result.Exception = $_.Exception.Message
		}
		# Every item produces a row, so the CSV is a full inventory of what was processed.
		$Result
	} | Export-Csv -Path $LogFile -NoTypeInformation

Danny Verrazano

ASKER

OK, so thank you so much!! This is an awesome script!

I am currently testing it...

It works GREAT, and thank you for all of the error trapping.

However, I do not need to log all of the successes. So anything changed doesn't need to be dumped to the CSV file.

Yes, I would like anything that failed or was skipped to be logged.

What I also see in the CSV file is that sometimes the action is blank and the owner reports as the OldOwner. When I check the actual files or folders involved, it shows the script changed the owner to local Administrators (perfect), so I do not need to log those things (blank action and owner is OldOwner as domain\user).

I assume I can comment out some portions of the error catching??

# Accounts and paths. "Administrators" without a domain prefix is the server's own local (BUILTIN) group.
$OldOwner = "Domain\UserA"
$NewOwner = "Administrators"
$Folder = "C:\Temp\ACLTest"
$LogFile = "C:\Temp\Owner.csv"

# Resolve the new owner once, up front: an unknown account aborts the script before any item is touched.
$NewOwnerNT = New-Object System.Security.Principal.NTAccount($NewOwner)
Try {
	"Setting new owner '$($NewOwner)', $($NewOwnerNT.Translate([System.Security.Principal.SecurityIdentifier]))" | Write-Host -ForegroundColor White
} Catch {
	Throw "Account not found: $($NewOwner)"
}
Get-ChildItem -Path $Folder -Recurse |
	ForEach-Object {
		"Processing $($_.FullName) ... " | Write-Host -Fore White -NoNewline
		# One log row per item: Path, Action, Owner, Exception (the last three start out empty).
		$Result = $_.FullName | Select-Object -Property @{Name='Path'; Expression={$_}}, Action, Owner, Exception
		Try {
			# -LiteralPath so names containing [ or ] are not treated as wildcards;
			# -ErrorAction Stop so an access-denied error is terminating and lands in Catch.
			$FileACL = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
			$Result.Owner = $FileACL.Owner
			If ($FileACL.Owner -eq $OldOwner) {
				$Acl = $_.GetAccessControl()
				$Acl.SetOwner($NewOwnerNT)
				$_.SetAccessControl($Acl)
				"OK" | Write-Host -Fore Green
				$Result.Owner = $NewOwnerNT.Value
				$Result.Action = 'Changed'
			} Else {
				"skipped (owner is $($FileACL.Owner))" | Write-Host -Fore Gray
				$Result.Action = 'Skipped'
			}
		} Catch {
			# Inside Catch, $_ is the error record, not the file.
			"failed: $($_.Exception.Message)" | Write-Host -Fore Red
			$Result.Action = 'Error'
			$Result.Exception = $_.Exception.Message
			# The row is emitted only here, so only items that failed reach the CSV.
			$Result
		}
	} | Export-Csv -Path $LogFile -NoTypeInformation

Sorry for any misunderstanding.

What you provided turns off ALL logging.

I need to log only the errors, failures, or skipped items.

I have a LARGE file share to run this on, so if I log all of the successful items that were changed it would be too much data.

That is why I only want to log whatever was skipped or failed for some reason.

Thank you
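The behaviour requested above (log only skipped and failed items, not successes) as an added example; this is not oBdA's accepted solution, which this page does not show. It compares owners by SID rather than by display name, supports a -WhatIf dry run through ShouldProcess, and also logs directories the walk itself could not enter; it assumes Windows PowerShell on Server 2012 R2 and keeps the thread's placeholder values, and relies on the fact that the bare name 'Administrators' resolves to the well-known SID S-1-5-32-544, i.e. the member server's own BUILTIN\Administrators group rather than an Active Directory group.

```powershell
# Added example (not oBdA's accepted solution): log only skipped and failed items.
# Assumes Windows PowerShell on Server 2012 R2; the four defaults are the thread's placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldOwner = 'Domain\UserA',
    [string]$NewOwner = 'Administrators',   # no domain prefix: resolves to S-1-5-32-544, the local BUILTIN\Administrators group
    [string]$Folder   = 'C:\Temp\ACLTest',
    [string]$LogFile  = 'C:\Temp\Owner.csv'
)

# Resolve both accounts to SIDs once: the comparison then ignores name casing and display form,
# and a mistyped account name aborts the script before any item is touched.
Try {
    $NewOwnerNT  = New-Object System.Security.Principal.NTAccount($NewOwner)
    $NewOwnerSid = $NewOwnerNT.Translate([System.Security.Principal.SecurityIdentifier])
    $OldOwnerSid = (New-Object System.Security.Principal.NTAccount($OldOwner)).Translate([System.Security.Principal.SecurityIdentifier])
} Catch {
    Throw "Account not found: $($_.Exception.Message)"
}
Write-Host "Changing owner '$OldOwner' ($OldOwnerSid) -> '$NewOwner' ($NewOwnerSid) under $Folder"

Get-ChildItem -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable WalkErrors |
    ForEach-Object {
        $Item = $_
        $Row  = [PSCustomObject]@{ Path = $Item.FullName; Action = $null; Owner = $null; Exception = $null }
        Try {
            # Both calls throw into Catch when the caller lacks READ_CONTROL or the owner SID no longer resolves to a name
            $Acl = $Item.GetAccessControl()
            $Row.Owner = $Acl.GetOwner([System.Security.Principal.NTAccount]).Value
            If ($Acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value -ne $OldOwnerSid.Value) {
                $Row.Action = 'Skipped'
            } ElseIf ($PSCmdlet.ShouldProcess($Item.FullName, "Set owner to $NewOwner")) {
                $Acl.SetOwner($NewOwnerNT)
                $Item.SetAccessControl($Acl)    # needs WRITE_OWNER on the item, or SeTakeOwnershipPrivilege
                $Row.Action = 'Changed'
                $Row.Owner  = $NewOwnerNT.Value
            } Else {
                $Row.Action = 'WhatIf'          # -WhatIf dry run: nothing was written
            }
        } Catch {
            $Row.Action    = 'Error'
            $Row.Exception = $_.Exception.Message
        }
        If ($Row.Action -ne 'Changed') { $Row }   # successes are not logged, everything else is
    } | Export-Csv -Path $LogFile -NoTypeInformation

# Directories the walk itself could not enter are failures too; append them to the same log
$WalkErrors | ForEach-Object {
    [PSCustomObject]@{ Path = "$($_.TargetObject)"; Action = 'Error'; Owner = $null; Exception = $_.Exception.Message }
} | Export-Csv -Path $LogFile -NoTypeInformation -Append
```

Run it once with -WhatIf first: every item that would be changed then appears in the CSV with Action 'WhatIf', which gives a reviewable list before any ownership is actually rewritten.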
ASKER CERTIFIED SOLUTION
oBdA

Works PERFECT! Thanks again! I am new and learning. Your scripting is helping me a lot more than just getting the task done.

I would like to invite you to take a look at my other question regarding server local groups and Active Directory nested users/groups, located here:
https://www.experts-exchange.com/questions/28954302/Powershell-script-to-add-AD-groups-to-server-local-groups.html

Thanks again!
TOP NOTCH PowerShell scripting! GREAT solution!

Thank you!