Script to change owner on multiple files - and back!

[ChrisD.]

I need to change the owner on a list of directories which are listed in a file. The file looks like:

\\server\user1\folder
\\server\user2\folder
\\server\user3\folder

And so on. For each of these directories, I need to recursively set the owner, then run a script against it which I have ready to add permissions for a user, then I need to set the owner back to what it was.

Any way of doing this? I'm not very experienced with powershell!

 

[Nanobot]

I used to use cacls.exe a few years ago to edit/correct permissions on folders. Not sure about the ownership side of things.
Apparently a quick search seems to indicate icacls has replaced cacls command and offers /save and /restore options. Hope that points you in the right direction! Use with caution though as I remember a colleague running it without the /e edit and caused a few headaches!

 

[ChrisD.]

Yeah I used icacls to change the permissions, using the for command.

for /f "tokens=*" %A in (list.txt) do icacls %A /grant user:F

Where list.txt contented the list of directories I wanted to change. Obviously substitute whatever perms and inheritance is appropriate. Problem is, a lot of the folders had the user as owner, and admin as deny, hence the command wouldn't work. And I can't get the takeown.exe to work with the for command.

This ps1 script should also work:

Script to give user specified in the $User variable Read and Execute rights to the folders
#specified in a file as specified in the $file variable.
#

$User = "username@domain"
$File = "E:\Folder\Filename.txt"
$Permissions = "ReadAndExecute"

#Set up the arguements for the FileSystemAccessRule
#Set up the new Access rule using the FileSystemAccessRule module


$Args = $User,$Permissions, "ContainerInherit, ObjectInherit","None","Allow"


$AccessRule = New-Object system.security.accesscontrol.filesystemaccessrule $Args

#Read the contents of the file ($file) into an Array using Get-content 
#the @( ) around the command forces the result into array, 
#else we need different routines for handling it.

$Folders = @(Get-Content $File)

#Process each line of the file as follows:
#
#	1. Check the array contains at least one element
#	2. Check line contains data
#	3. Check folder exists
#	4. Use Get-Acl to determine current AcLs
#	5. Use the method AddAccessRule to add the new rule
#	6. Apply the new ACLs to the Folder	

If ($Folders.Count -gt 0)
{
	ForEach ($Dir in $Folders)
	{
		If ($Dir.Length -gt 0)
		{

			If (Test-path $dir) 
			{
				Write-Host "Processing: " $Dir -nonewline
				$acl = get-Acl -path $Dir
				$acl.AddAccessRule ($AccessRule)
				$acl | Set-Acl -path $Dir
				Write-host " Processed"

			}
			Else
			{
				Write-Host "Folder: " $Dir " does not exist"
			}
		}
			
	}

}
Else
{
	Write-host "File: " $File " is empty"
}

Write-host "Script completed"

icacls is easier I think. Just need to work out if I can use PowerShell for the owner side of things.

 

[Liquidfox]

I'm going to hazard a guess that you've got a bunch of users shares which the owner is the user itself. Changing the owner on the folder tends to break things as you know.

Use this script, works wonders on SBS setups and have used it many times myself:
http://mypkb.wordpress.com/2008/12/...ors-access-to-redirected-my-documents-folder/

It'll simply add the user or group you wish to the folders without breaking everything.

 

[ChrisD.]

I'm going to hazard a guess that you've got a bunch of users shares which the owner is the user itself. Changing the owner on the folder tends to break things as you know.

Use this script, works wonders on SBS setups and have used it many times myself:
http://mypkb.wordpress.com/2008/12/...ors-access-to-redirected-my-documents-folder/

It'll simply add the user or group you wish to the folders without breaking everything.

Yes that's exactly the issue. The user is the owner, so admin can't change permissions. We need an account to have read and execute on huge list of directories.

I'll take a look at the link, thanks.