Changing File System Permissions and Ownership in Powershell
I'd like to change NTFS file system permissions and ownership using Powershell, both at the command line and from a Powershell script.
I come from the Unix world, where it's pretty straightforward: To change ownership, you use the 'chown' command, and to change permissions, you use either 'chmod' or 'setfacl'.
How would I do the same thing in Powershell? I'd like to be able to do this locally (on a Windows Server 2003 box), and hopefully remotely (from a Windows XP client, say).
Googling around, I see many different discussion threads, with conflicting information about how you might do it (try this script I wrote, download this utility, etc.), or whether it's even possible to change the owner to a non-Administrative user account using anything other than the security tab in the GUI. I'm surprised such a basic operation is such a fertile topic for discussion and debate.
I did see the "How Can I Take Ownership of a File or Folder By Using a Script?" entry in the Scripting Guys archive, describing how to use VBScript to take ownership of a file, but what I want to do is, as the Administrator, say, change the ownership of a file to another user, say "joeplumber".
In Unix, I can do something like, "chown joeplumber notes.txt" and "chmod u+w notes.txt". Is there something similar in the Windows world that doesn't require downloading a utility that doesn't ship with the OS? Powershell is pretty cool, and I'm hoping I can use it to accomplish my task.
Thanks in advance!
-David
Edited by deisner, Friday, October 17, 2008 3:35 PM
October 17th, 2008 6:32pm
First, I suggest you post this same query on the Powershell forum where the Powershell experts are usually lurking. =)
I am a Powershell newbie myself but I guess a combination of get-acl and set-acl should be a good place to start.
On a sidenote, you can use TAKEOWN to take ownership of files/folders (or give ownership to the administrators [using the /A switch]). ICACLS (or xcacls, cacls) should suffice as far as modifying NTFS permissions are concerned. These tools should be available natively with your OS.
Regards,
Salvador Manaois III
MCSE MCSA CEH MCITP | Enterprise/Server Admin
Bytes & Badz : http://badzmanaois.blogspot.com
October 18th, 2008 4:17am
I'll take your advice and post this on the Powershell forum. Thanks.
I don't think TAKEOWN does quite what I want. As Administrator, I want to change the owner of a file to an arbitrary user, not the user under which the command is being run. If I use the /U switch, I'm told I must use the /S switch as well, to specify the system to which I should connect. But I can't use it if I'm running the command locally. Furthermore, it looks like I would need to know the password of the user in question.
Set-acl looks good for wholesale replacement of the ACL, but I would probably need to write code to parse and modify the Sddl string if I wanted to make modifications. However, it looks like xcacls will do what I want, so I'll just call that from my script.
Thanks for your help.
-David
Marked as answer by IamMred (Microsoft employee, Owner), Wednesday, January 06, 2010 7:17 PM
October 20th, 2008 6:10pm
Hi,
I have the same problem here, and I'm looking for exactly what you were looking for, so did you find anything that can help in PowerShell to give the ownership to another user?
Thanks
November 16th, 2011 3:03pm
In Windows you can only take Ownership if you already have full control of an object.
To change the owner you need to set the object Trustee account on the object. To do this you also need to have a special privilege - the SeTakeOwnerShip token is needed. Normally only Administrators have this privilege.
The easiest way to set the owner is with SubInAcl:
subinacl /file test.xml /setowner=domain\newowner
This will work from CMD as well as PowerShell.
November 16th, 2011 4:04pm
You are being way too complicated. Use SubInAcl. It does not require any other items except that you are running as administrator.
November 16th, 2011 4:06pm
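Here is the PowerShell method using .NET classes:
# Account that should become the new owner
$acct = New-Object System.Security.Principal.NTAccount('domain\newowner')
$file = Get-Item test.txt
# Read the current security descriptor, change the owner, and write it back
$acl = $file.GetAccessControl()
$acl.SetOwner($acct)
$file.SetAccessControl($acl)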
November 16th, 2011 4:13pm
Hi,
When I use the previously mentioned Subinacl command with the same syntax as above, the result is as follows:
"SeSecurityPrivilege : Access is denied.
WARNING :Unable to set SeSecurityPrivilege privilege. This privilege may be requ
ired.
D:\take.bat - CreateFile Error : 1314 A required privilege is not held by the cl
ient."
This is in spite of my being an administrator on the domain and on my own PC.
I tried it locally with the same result.
Thanks
November 17th, 2011 2:24pm
You need to run elevated. Start the batch from an elevated prompt.
November 17th, 2011 4:40pm
What do you mean by elevated prompt?
I run the command in DOS under Windows.
November 17th, 2011 4:58pm
On Vista and later you need to use "Run as Administrator" to launch the prompt.
November 17th, 2011 5:10pm
You are a genius,
It works perfectly, but can you explain what the difference is between being logged in with administrator privilege and using "Run as administrator"?
Thanks, chief
November 17th, 2011 7:42pm
cd $Env:USERPROFILE
cd Documents
$acct = New-Object System.Security.Principal.NTAccount('mydom\myaccount')
$file=Get-Item .\temp
$acl=$file.GetAccessControl()
write-host "old owner: " $acl.Owner
$acl.SetOwner($acct)
$file.SetAccessControl($acl)
write-host "New owner: " $acl.Owner
write-host "done"
OK, I'm running this as administrator and it seems to be printing the old and new owner correctly until I try to verify it with Windows Explorer and right click on the file and then click on security. My new account is not in the usernames/groups but the old account is.
What am I doing wrong?
February 8th, 2012 1:46am
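An added example, not code from any poster in this thread, pulling together the points above: it refuses to run from a non-elevated prompt, sets the owner with the same .NET calls shown earlier, optionally grants the new owner Modify (the owner is stored separately from the access entries that the Security tab lists), and re-reads the descriptor from disk instead of trusting the in-memory $acl. The function names, parameters, sample path and account are assumptions, and it assumes Windows PowerShell in a session whose token is permitted to assign the owner.

```powershell
# Added example. Test-Elevated, Set-FileOwner and the sample values are illustrative names.
function Test-Elevated {
    # Under UAC an administrator's normal token has Administrators as deny-only,
    # so this is True only in a "Run as administrator" session.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-FileOwner {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Account,
        [switch]$GrantModify
    )
    if (-not (Test-Elevated)) {
        throw "Not elevated: start PowerShell with 'Run as administrator'."
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $owner = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $owner.Translate($sidType)   # throws if the account does not resolve

    $file = Get-Item -LiteralPath $Path
    $acl = $file.GetAccessControl()
    $acl.SetOwner($sid)
    if ($GrantModify) {
        # Ownership and access entries are separate; add an explicit ACE.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'Modify', 'Allow')
        $acl.AddAccessRule($rule)
    }
    $file.SetAccessControl($acl)

    # Verify from disk: read a fresh descriptor instead of trusting $acl.
    $stored = (Get-Item -LiteralPath $Path).GetAccessControl()
    $entries = @($stored.GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value })
    New-Object PSObject -Property @{
        Path            = $file.FullName
        StoredOwner     = $stored.Owner
        OwnerMatches    = ($stored.GetOwner($sidType).Value -eq $sid.Value)
        ExplicitEntries = $entries.Count
    }
}

# Constructed sample values: a file in the current directory and a placeholder account.
# Set-FileOwner -Path .\notes.txt -Account 'domain\newowner' -GrantModify
```

OwnerMatches being False, or SetAccessControl throwing, means the owner stored on disk was not changed, whatever the in-memory object printed.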
Hi,
You are posting to a thread that was closed more than two years ago. Please start a new question.
Bill
February 8th, 2012 1:58am
Holy crap 7 years this thread has been here and there still isn't a decent answer. Get your crap together Windows Programmers.
Shouldn't be any more complicated than this. Get to work on it.
takeown admin-domain\admin /R .\*
ERROR: Invalid argument/option - 'admin-PC\admin'.
Type "TAKEOWN /?" for usage.
PS L:\> takeown /U admin-PC\admin /R .\*
ERROR: Invalid argument/option - '.\*'.
Type "TAKEOWN /?" for usage.
PS L:\> takeown /U admin-PC\admin /R *
ERROR: Invalid argument/option - '*'.
Type "TAKEOWN /?" for usage.
PS L:\> takeown /U admin-PC\admin /R
ERROR: Invalid syntax.
Type "TAKEOWN /?" for usage.
right click.
Edited by oasisfleeting, Friday, February 06, 2015 6:42 PM: accidentally put too few years.
February 6th, 2015 9:40pm
You are posting to a very old thread. If you need help, please start a new question and tell exactly what you would like to accomplish.
February 6th, 2015 9:56pm