Changing File System Permissions and Ownership in Powershell
I'd like to change NTFS file system permissions and ownership using Powershell, both at the command line and from a Powershell script.
I come from the Unix world, where it's pretty straightforward: To change ownership, you use the 'chown' command, and to change permissions, you use either 'chmod' or 'setfacl'.
How would I do the same thing in Powershell? I'd like to be able to do this locally (on a Windows Server 2003 box), and hopefully remotely (from a Windows XP client, say).
Googling around, I see many different discussion threads, with conflicting information about how you might do it (try this script I wrote, download this utility, etc.), or whether it's even possible to change the owner to a non-Administrative user account using anything other than the security tab in the GUI. I'm surprised such a basic operation is such a fertile topic for discussion and debate.
I did see the "How Can I Take Ownership of a File or Folder By Using a Script?" entry in the Scripting Guys archive, describing how to use VBscript to take ownership of a file, but what I want to do is, as the Administrator, say, change the ownership of a file to another user, say "joeplumber".
In Unix, I can do something like, "chown joeplumber notes.txt" and "chmod u+w notes.txt". Is there something similar in the Windows world that doesn't require downloading a utility that doesn't ship with the OS?

Powershell is pretty cool, and I'm hoping I can use it to accomplish my task.

Thanks in advance!

-David


  • Edited by deisner Friday, October 17, 2008 3:35 PM
October 17th, 2008 6:32pm

First, I suggest you post this same query on the Powershell forum where the Powershell experts are usually lurking. =)

I am a Powershell newbie myself but I guess a combination of get-acl and set-acl should be a good place to start.

On a side note, you can use TAKEOWN to take ownership of files/folders (or give ownership to the administrators [using the /A switch]). ICACLS (or xcacls, cacls) should suffice as far as modifying NTFS permissions is concerned. These tools should be available natively with your OS.

Regards,

Salvador Manaois III
MCSE MCSA CEH MCITP | Enterprise/Server Admin
Bytes & Badz : http://badzmanaois.blogspot.com

October 18th, 2008 4:17am

I'll take your advice and post this on the Powershell forum. Thanks.
I don't think TAKEOWN does quite what I want. As Administrator, I want to change the owner of a file to an arbitrary user, not the user under which the command is being run. If I use the /U switch, I'm told I must use the /S switch as well, to specify the system to which I should connect. But I can't use it if I'm running the command locally. Furthermore, it looks like I would need to know the password of the user in question.
Set-acl looks good for wholesale replacement of the ACL, but I would probably need to write code to parse and modify the Sddl string if I wanted to make modifications. However, it looks like xcacls will do what I want, so I'll just call that from my script.
Thanks for your help.
-David
October 20th, 2008 6:10pm


Hi,

I have the same problem here, and I'm looking for exactly what you were looking for, so did you find anything in PowerShell that can help give the ownership to another user?

Thanks


November 16th, 2011 3:03pm

In Windows you can only take Ownership if you already have full control of an object.

To change the owner you need to set the object Trustee account on the object.  To do this you also need to have a special privilege - the SeTakeOwnerShip token is needed.  Normally only Administrators have this privilege.

The easiest way to set the owner is with SubInAcl:

subinacl /file test.xml /setowner=domain\newowner

This will work from CMD as well as PowerShell.

 

 

November 16th, 2011 4:04pm


You are being way too complicated.  Use SubInAcl.  It does not require any other items except that you are running as administrator.

 

November 16th, 2011 4:06pm

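Here is the PowerShell method using .NET classes:

# Account that will become the new owner
$acct = New-Object System.Security.Principal.NTAccount('domain\newowner')
$file = Get-Item test.txt
# Read the current security descriptor, change its owner, write it back
$acl = $file.GetAccessControl()
$acl.SetOwner($acct)
$file.SetAccessControl($acl)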


 

November 16th, 2011 4:13pm
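
The Unix pair from the original question ("chown joeplumber notes.txt" and "chmod u+w notes.txt"), done with Get-Acl/Set-Acl and the .NET classes used above, as an added example that is not code from any poster in this thread. The file name and the CONTOSO\joeplumber account are placeholders, and it assumes an elevated session that Windows permits to assign the new owner.

```powershell
# Added example; the path and account below are placeholder values.
$Path     = '.\notes.txt'
$Identity = 'CONTOSO\joeplumber'

# Stop early when the session is not elevated (see the error 1314 exchange).
$current = New-Object System.Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $current.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with "Run as Administrator" and try again.'
}

# Resolve the name to a SID and back, so a mistyped account fails here
# and later comparisons use the canonical DOMAIN\name form.
$sid  = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
    [Security.Principal.SecurityIdentifier])
$acct = $sid.Translate([Security.Principal.NTAccount])

$acl = Get-Acl -Path $Path

# "chown": the owner is its own field in the security descriptor.
$acl.SetOwner($acct)

# "chmod u+w": no SDDL parsing needed, add one access rule to the
# existing list and leave every other entry untouched.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $acct, 'Write', 'Allow')
$acl.AddAccessRule($rule)

# Write owner and access list back in one call; stop on any failure.
Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop

# Verify against a fresh read from disk, not the in-memory $acl object.
$onDisk = Get-Acl -Path $Path
if ($onDisk.Owner -ne $acct.Value) {
    Write-Warning "Owner is still $($onDisk.Owner)"
}
$onDisk.Access |
    Where-Object { $_.IdentityReference.Value -eq $acct.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```
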

Hi,

When I use the previously mentioned SubInAcl command with the same syntax as above, the result is as follows:

"SeSecurityPrivilege : Access is denied.

WARNING :Unable to set SeSecurityPrivilege privilege. This privilege may be required.
D:\take.bat - CreateFile Error : 1314 A required privilege is not held by the client."

This is in spite of my being an administrator on the Domain and my own PC.

I tried it locally with the same result.

Thanks

 

November 17th, 2011 2:24pm

You need to run elevated.  Start the batch from an elevated prompt.

 

November 17th, 2011 4:40pm

What do you mean by elevated prompt?

I run the command at the DOS under Windows.

November 17th, 2011 4:58pm

On Vista and later you need to use "Run as Administrator" to launch the prompt.

 

November 17th, 2011 5:10pm

You are a genius,

It works perfectly, but can you explain the difference between being logged in with administrator privileges and using "Run as administrator"?

Thanks chief

November 17th, 2011 7:42pm

You need to learn about Windows.

The help system is very good for this.

http://windows.microsoft.com/en-US/windows7/search?q=uac

 

November 17th, 2011 8:07pm

cd $Env:USERPROFILE
cd Documents
$acct = New-Object System.Security.Principal.NTAccount('mydom\myaccount')
$file=Get-Item .\temp
$acl=$file.GetAccessControl()
write-host "old owner: " $acl.Owner
$acl.SetOwner($acct)
$file.SetAccessControl($acl)
write-host "New owner: " $acl.Owner
write-host "done"

OK, I'm running this as administrator and it seems to be printing the old and new owner correctly until I try to verify it with Windows Explorer by right-clicking on the file and then clicking on Security. My new account is not in the usernames/groups but the old account is.

What am I doing wrong?

February 8th, 2012 1:46am

Hi,

You are posting to a thread that was closed more than two years ago. Please start a new question.

Bill

February 8th, 2012 1:58am

Holy crap 7 years this thread has been here and there still isn't a decent answer. Get your crap together Windows Programmers. 

Shouldn't be any more complicated than this. Get to work on it. 

takeown admin-domain\admin /R .\*


ERROR: Invalid argument/option - 'admin-PC\admin'.
Type "TAKEOWN /?" for usage.
PS L:\> takeown /U admin-PC\admin /R .\*
ERROR: Invalid argument/option - '.\*'.
Type "TAKEOWN /?" for usage.
PS L:\> takeown /U admin-PC\admin /R *
ERROR: Invalid argument/option - '*'.
Type "TAKEOWN /?" for usage.
PS L:\> takeown /U admin-PC\admin /R
ERROR: Invalid syntax.
Type "TAKEOWN /?" for usage.


right click.


  • Edited by oasisfleeting Friday, February 06, 2015 6:42 PM accidentally put too few years.
February 6th, 2015 9:40pm

You are posting to a very old thread. If you need help, please start a new question and tell exactly what you would like to accomplish.
February 6th, 2015 9:56pm

This topic is archived. No further replies will be accepted.
