Reputation: 14705

PowerShell Change owner of files and folders

Searching the web, I found 2 scripts that are able to change the owner of files and folders. When testing this, it functions perfectly in PowerShell 1.0. Now I'm trying to combine both so they work recursively, because we have folders with over 500 sub directories and files in them. And it's a tremendous job to do..

We want to:

Run one script on \\server\C$\Folder (without using external tools)
to change the owner of all files and subfolders to BUILTIN\Administrators

The problem:

Each script only works for 1 file or 1 folder. How can this be combined in one script so it does all the subfoldes and files all together? Putting it in 2 different functions maybe and loop through it or..

Script1 : Change FILE owner to Admin

$File = "\\server\c$\Users\dir\Downloads\Target\TargetFile.txt"
$Account = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$FileSecurity = new-object System.Security.AccessControl.FileSecurity
$FileSecurity.SetOwner($Account)
[System.IO.File]::SetAccessControl($File, $FileSecurity)

Script2 : Change FOLDER owner to Admin

$AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;

 public class TokenManipulator
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
  ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  [DllImport("kernel32.dll", ExactSpelling = true)]
  internal static extern IntPtr GetCurrentProcess();
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
  phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
  ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool AddPrivilege(string privilege)
  {
   try
   {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = GetCurrentProcess();
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_ENABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return retVal;
   }
   catch (Exception ex)
   {
    throw ex;
   }
  }
  public static bool RemovePrivilege(string privilege)
  {
   try
   {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = GetCurrentProcess();
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_DISABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return retVal;
   }
   catch (Exception ex)
   {
    throw ex;
   }
  }
 }
"@
add-type $AdjustTokenPrivileges
$Folder = Get-Item "C:\Users\dir\Downloads\Target"
[void][TokenManipulator]::AddPrivilege("SeRestorePrivilege") 
[void][TokenManipulator]::AddPrivilege("SeBackupPrivilege") 
[void][TokenManipulator]::AddPrivilege("SeTakeOwnershipPrivilege") 
$NewOwnerACL = New-Object System.Security.AccessControl.DirectorySecurity
$Admin = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$NewOwnerACL.SetOwner($Admin)
$Folder.SetAccessControl($NewOwnerACL)

Upvotes: 22

Answers (3)

Vylocity

Reputation: 1

Here is the code that I made for modifying the ownership for a mapped shared drive.

 $whitelist = @("[INSERT FolderName]","[INSERT FolderName2}")  #<------------Insert folder names, assume theyr are in the same directory
    $NewOwner = "[INSERT OWNER-NAME]" #<-------------- Insert New Owner Name
    
    Write-Host -ForegroundColor Cyan "`nSet Directory Ownership `n`n"
    Write-Host -ForegroundColor Yellow "NOTICE: This script may require Administrative Privleges.`n"
    
    $printList = $whitelist -join ", "
    Write-Host "`nTargets: $printList" 
    
    $choice = Read-Host "`n`nSet ownership of targets to $NewOwner (Y/N)"
    
    if ($choice -eq "y" -or $choice -eq "Y"){
        foreach($folder in $whitelist){
    
            #PROGRESS BAR & ERROR COUNT VARIABLES PER FOLDER
            $progress = 0
            $percentComplete = 0
            $errorCount = 0
    
            #INITIATE PROGRESS BAR PER FOLDER
            Write-Progress -Activity "Loading $folder" -Status "Progress: $percentComplete%" -PercentComplete $percentComplete
    
    <#MODIFY#>  if(Test-Path -Path \\PARENT-FOLDER\$folder -PathType Container){   #MODIFY THIS ALSO TO MAKE SURE THE PATH IS CORRECT
    
    
    
                $newOwnerIdentity = New-Object System.Security.Principal.NTAccount("$NewOwner")
    
                try{
    <#MODIFY#>  $path = "\\PARENT-FOLDER\$folder"  #MODIFY THIS ALSO TO MAKE SURE THE PATH IS CORRECT
                $parentACL = Get-Acl -Path $path
                $parentACL.SetOwner($newOwnerIdentity)
                Set-Acl -Path $path -AclObject $parentACL
                }
                catch [Exception]{
                        Write-Host "Parent $folder was skipped"
                        $errorCount++
    
                } 
                
    
                $items = Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue
                $itemCount = $items.Count
    
                
                Write-Host "# of $folder Items: $itemCount"
                Write-Host -NoNewLine "Setting $folder Ownership to -> $NewOwner.`n"
    
               
    
                #START RECURSIVE PROCEDURE ON CHILD FILES/FOLDERS
                if($itemCount -gt 0)
                {
                foreach ($item in $items){
                    try{
                        $progress++
                        $percentComplete = ($progress / $itemCount) * 100
                        Write-Progress -Activity "Changing directory ownership of '$folder' to $NewOwner " -Status "Progress: $percentComplete%" -PercentComplete $percentComplete
                        $itemACL = null
                        $itemACL = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
                        $itemACL.SetOwner($newOwnerIdentity)
                        Set-Acl -Path $item.FullName -AclObject $itemACL -ErrorAction SilentlyContinue
    
                        }
                    catch [Exception]{
                        $errorCount++
                        #For error tracking
                        #$fileName = $item.FullName
                        #Write-Host -NoNewLine "$fileName caused an error occured:" 
                        #Write-Host -ForegroundColor Yellow " $($_.Exception.Message)"
                    } 
    
                }
                $errorPercent = ($errorCount/$itemCount) *100
                Write-Host "# of files skipped: $errorCount"
                Write-Host "Completed."
              }
              else{
              Write-Host "$folder is empty"
            }
            
        }
        else{
            Write-Host "$folder does not exist, please check spelling." #RESPONSE IF "White-listed" FOLDER DOES NOT EXIST, Likely spelling error.
    }
    
    }
    }
    <#MODIFY#>Set-Location \\QS-FS01\IT\Other\OwnershipScript #Return to Script Directory for convenience
    Write-Host "`nCompleted all Tasks"
    [System.Console]::Read() | Out-Null

Since there were only a few files that needed to be modified inside the folder, I created a white-list string array list containing each folders exact names.

It throws all exceptions and keeps count of any errors that may occur within the folder for you to dissect. You can also un-comment the following lines to get the exact location and error of the file.

        $errorCount++
        #For error tracking
        #$fileName = $item.FullName
        #Write-Host -NoNewLine "$fileName caused an error occured:" 
        #Write-Host -ForegroundColor Yellow "$($_.Exception.Message)"

I pride myself in my UI so I added some color text as well.

Upvotes: 0

DarkLite1

Reputation: 14705

After a week of playing around with PowerShell, I found the answer to my own question:

$Target = "\\domain.net\myFolder"
$TempFolder = 'C:\TempFolder'
$TempFile = 'C:\TempFile'

#region Load super powers
$AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;

 public class TokenManipulator
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
  ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  [DllImport("kernel32.dll", ExactSpelling = true)]
  internal static extern IntPtr GetCurrentProcess();
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
  phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
  ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool AddPrivilege(string privilege)
  {
   try
   {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = GetCurrentProcess();
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_ENABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return retVal;
   }
   catch (Exception ex)
   {
    throw ex;
   }
  }
  public static bool RemovePrivilege(string privilege)
  {
   try
   {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = GetCurrentProcess();
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_DISABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return retVal;
   }
   catch (Exception ex)
   {
    throw ex;
   }
  }
 }
"@
Add-Type $AdjustTokenPrivileges
[void][TokenManipulator]::AddPrivilege("SeRestorePrivilege") 
[void][TokenManipulator]::AddPrivilege("SeBackupPrivilege") 
[void][TokenManipulator]::AddPrivilege("SeTakeOwnershipPrivilege") 
#endregion

$BuiltinAdmin = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$BuiltinAdminFullControlAcl = New-Object System.Security.AccessControl.FileSystemAccessRule($BuiltinAdmin,"FullControl","Allow")

#region Create temp folder with Admin owner and full control
$FolderBuiltinAdminOwnerAcl = New-Object System.Security.AccessControl.DirectorySecurity
$FolderBuiltinAdminOwnerAcl.SetOwner($BuiltinAdmin)

Remove-Item $TempFolder -EA Ignore
New-Item -Type Directory -Path $TempFolder

$TempFolderAcl = Get-Acl -Path $TempFolder
$TempFolderAcl.SetAccessRule($BuiltinAdminFullControlAcl)
#endregion

#region Change folder owners to Admin
$Folders = @(Get-ChildItem -Path $Target -Directory -Recurse)

foreach ($Folder in $Folders) {
    $Folder.SetAccessControl($FolderBuiltinAdminOwnerAcl)
    Set-Acl -Path $Folder -AclObject $TempFolderAcl
}
#endregion

#region Create temp file with Admin owner and full control
$FileBuiltinAdminOwnerAcl = New-Object System.Security.AccessControl.FileSecurity
$FileBuiltinAdminOwnerAcl.SetOwner($BuiltinAdmin)

Remove-Item $TempFile -EA Ignore
New-Item -Type File -Path $TempFile

$TempFileAcl = Get-Acl -Path $TempFile
$TempFileAcl.SetAccessRule($BuiltinAdminFullControlAcl)
#endregion

#region Change file owners to Admin
$Files = @(Get-ChildItem -Path $Target -File -Recurse)

foreach ($File in $Files) {
    $File.SetAccessControl($FileBuiltinAdminOwnerAcl)
    Set-Acl -Path $File -AclObject $TempFileAcl
}
#endregion

#region Clean-up
Remove-Item $TempFile, $TempFolder
#endregion

Thank you all again for your help. Hopefully, someone else can benefit from my PowerShell research. The only think left is making it a bit more verbose, but that's for another day. It does what it needs to do, and that in the most harsh conditions where permissions are really messed up.

Upvotes: 10

user189198

Reputation:

You can use the SetOwner() method for folders, just like for files.

# Define the owner account/group
$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'BUILTIN\Administrators';

# Get a list of folders and files
$ItemList = Get-ChildItem -Path c:\test -Recurse;

# Iterate over files/folders
foreach ($Item in $ItemList) {
    $Acl = $null; # Reset the $Acl variable to $null
    $Acl = Get-Acl -Path $Item.FullName; # Get the ACL from the item
    $Acl.SetOwner($Account); # Update the in-memory ACL
    Set-Acl -Path $Item.FullName -AclObject $Acl;  # Set the updated ACL on the target item
}

Upvotes: 28

PowerShell Change owner of files and folders

Answers (3)

Related Questions