GPO to change all files/folders ownership only


  • Wednesday, January 30, 2013 4:07 PM
     
     

    We had an issue where an admin, to fix an issue, reset the owner on most of our Windows 7 PCs from "TrustedInstaller" to Administrators (replace on all files and subfolders). This has caused issues. I'd like to set this back via GPO or some other method.

    I have a GPO that is supposed to reset the owner for this but at the same time it will set the security. I'd like to reset JUST the ownership on all the files/folders on a Windows 7 PC and not change any other security settings/ACLs...

    How can I do this?

    It seems they are tied. I'm hesitant to remove the security permission in that it will do the same on the PCs and break everything.

    Help...

    RS

All Replies

  • Wednesday, January 30, 2013 5:09 PM
     
     Answered

    Try this - and enjoy :-)

    icacls "%windir%\winsxs\Catalogs" /setowner "NT Service\TrustedInstaller" /T /C

  • Wednesday, January 30, 2013 8:37 PM
     
     Answered
    You need a startup script that executes with SYSTEM permissions. This
    script has to launch the appropriate commands.
    One command is icacls - as Thorsten already mentioned. Another command
    is takeown (also part of windows). And of course, there's Helge Klein's
    popular "setacl" command line tool...
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Thursday, January 31, 2013 8:55 AM
    Moderator
     
     Answered

    Hi,

    I agree with Torsten; he has provided the right suggestions for your question. As he mentioned, we could use the Icacls command to change the owner of a file or a folder. For details about Icacls, please refer to the following article.

    Icacls

    http://technet.microsoft.com/en-us/library/cc753525(v=ws.10).aspx

    In addition, we could also deploy a script via Group Policy to change the file ownership. Here are some script samples as reference, hope this helps.

    How Can I Determine the Owner of a File?

    http://blogs.technet.com/b/heyscriptingguy/archive/2004/10/07/how-can-i-determine-the-owner-of-a-file.aspx

    How Can I Take Ownership of a File or Folder By Using a Script?

    http://blogs.technet.com/b/heyscriptingguy/archive/2006/01/11/how-can-i-take-ownership-of-a-file-or-folder-by-using-a-script.aspx

    If you have some trouble modifying the script, I suggest we could ask in the script forum.

    The Official Scripting Guys Forum!

    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads

    Best Regards,

    Andy Qi

    TechNet Subscriber Support


  • Thursday, January 31, 2013 1:40 PM
     
     

    Thanks for the suggestions.

    I did ask the scripting guys and the response was to create a GPO...

    http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/fde82d8b-d33c-4697-8d03-f7516b898a26/

    But I see that Torsten's command is a bit different than mine...

    icacls c:\ /setowner "nt service\trustedinstaller" /t /c /l /q

    Another question...

    If the original take ownership was done as an Administrator and not system I'm thinking I can change what was changed that time just by running the command as administrator again... My thinking is that anything that was denied the first time around would be denied this time as well and I won't change anything this time that wasn't changed with the original error.

    Would you agree?

  • Thursday, January 31, 2013 3:46 PM
     
     

    The /l is for symbolic links. The /q will suppress messages. I don't recommend either of these switches.

    Your second question:

    That should cause no trouble with this command. If you run into trouble with it, then run the command a second time and it should be done. Keep in mind that you need to run this command with admin privileges.

  • Thursday, January 31, 2013 4:16 PM
     
     
     
    > icacls c:\ /setowner "nt service\trustedinstaller" /t /c /l /q
     
    On the second reading: I didn't test, but I doubt this command will work
    if you do NOT already have full access to a file (so you can set an
    owner). In that case, you need to takeown first...
     

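
Added example, not code posted by anyone in this thread: a PowerShell startup script that resets the owner only on items currently owned by BUILTIN\Administrators and does not touch their ACLs, using the icacls /setowner call from the replies above. The -Root and -Apply parameters and the function names are assumptions made for illustration; the default path is the one from the first reply.

```powershell
# Added example (not from the thread). Run elevated, or as a computer startup
# script so it executes as SYSTEM, as suggested in the replies.
param(
    # Assumption: list only trees known to have been TrustedInstaller-owned.
    [string[]]$Root = @("$env:windir\winsxs\Catalogs"),
    [switch]$Apply   # without -Apply nothing is changed, candidates are only listed
)

$AdminsSid = 'S-1-5-32-544'                 # BUILTIN\Administrators, language-neutral
$NewOwner  = 'NT Service\TrustedInstaller'  # owner string used in the thread

function Get-OwnerSid($Item) {
    # Request only the owner section of the security descriptor.
    $section = [System.Security.AccessControl.AccessControlSections]::Owner
    $Item.GetAccessControl($section).GetOwner([System.Security.Principal.SecurityIdentifier]).Value
}

function Reset-Owner($Item) {
    $status = 'WouldReset'
    try {
        if ((Get-OwnerSid $Item) -ne $AdminsSid) { return }   # leave other owners alone
        if ($Apply) {
            # icacls /setowner rewrites the owner only; no /T, items are visited one by one.
            & icacls.exe $Item.FullName /setowner $NewOwner | Out-Null
            $status = if ($LASTEXITCODE -eq 0) { 'Reset' } else { "icacls exit $LASTEXITCODE" }
        }
    } catch {
        # The owner could not be read (for example access denied); report it, change nothing.
        $status = 'Unreadable'
    }
    New-Object PSObject -Property @{ Path = $Item.FullName; Status = $status }
}

foreach ($r in $Root) {
    # Assumption: the tree contains no junctions that -Recurse should not follow.
    $items = @(Get-Item -LiteralPath $r -Force) +
             @(Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($i in $items) { Reset-Owner $i }
}
```

Run it once without -Apply and review the WouldReset and Unreadable rows before deploying it with -Apply; Unreadable items are the ones the last reply says need takeown first.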