Recursive find/replace owner

  • Question

  • I've looked around and found this base code for what I'm trying to do:

    $Owner = 'Owner to search for' 
    $OwnerSID = (Get-ADUser $Owner).SID 
     
    Get-Childitem C:\Temp -File -Recurse -Force | 
    Where { ($_.GetAccessControl()).sddl -like "O:$OwnerSID*" }

    What I want to do is pipe some form of Set-Acl to then replace that owner with a new owner.

    Use case: Terminated employees we're removing accounts for that have a lot of folder/file ownership we want to pass to someone else, and/or share/directories with many different owners we don't want to mass change to builtin\administrator etc.

    Thoughts?

    Tuesday, March 20, 2018 1:47 PM

All replies

  • Hi KickedAbyss,

    First, welcome to the forums.

    You were almost there. It's not mandatory to do this through the pipeline; you can store the ACL in a variable and set the owner through a method. Consider the script below:

    $Owner = 'Owner to search for'
    $OwnerSID = (Get-ADUser $Owner).SID
    
    $ACL = Get-ACL C:\folder
    $Group = New-Object System.Security.Principal.NTAccount("BUILTIN", "Administrators")
    $ACL.SetOwner($Group)
    Set-Acl -Path C:\folder -AclObject $ACL

    I think with this you can get further.



    Sincerely, Martien van Dijk. Please remember to mark the replies as answers if they help and unmark them if they provide no help. Check out My Blog!



    Tuesday, March 20, 2018 3:00 PM
  • Will this do a recursive search throughout the entire directory, or just for the single folder?  I see that you call out $ACL as a get-acl for the folder, but in the script I found, it wanted me to use GCI with the -recursive switch.

    Thank you for the prompt response! 
    Wednesday, March 21, 2018 2:49 PM
  • The example I've made for you is only for a single folder... This forum is not intended for script requests, so we can only give you a push in the right direction.

    For setting the ACL for subfolders you can use the foreach command to walk through the folders.

    Combine my example script with this information in your script to come to a solution for your specific situation.

    I think you now have enough information to fix this by yourself. When you're ready with the script and you're getting errors, feel free to post your script and we can look at it.



    Sincerely, Martien van Dijk.

    Wednesday, March 21, 2018 6:41 PM
  • $Owner = 'Username' 
    $OwnerSID = (Get-ADUser $Owner).SID 
    Get-ChildItem -Recurse | Where-Object { ($_.GetAccessControl()).sddl -like "O:$OwnerSID*" } | 
    foreach-Object { 
       $ACL = Get-ACL $_.FullName 
       $Group = New-Object System.Security.Principal.NTAccount("BUILTIN", "Administrators") 
       $ACL.SetOwner($Group) 
       Set-Acl -Path $_.FullName -AclObject $ACL 
    }

    This SEEMS to work -- ran a test on a test folder I created and it left the non-domain-account-owned items alone.

    Edit: So I ran into at least one issue where files with [ or ] cause it to break.

    Added a temp location and the LiteralPath:

       $tempLocation = $_.FullName
    
    
     Set-Acl  -AclObject $ACL -LiteralPath $tempLocation

    Still getting errors on:

    Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.
    At line:9 char:24
    +    Set-Acl  -AclObject $ACL -LiteralPath $tempLocation
    +                        ~~~~
        + CategoryInfo          : InvalidData: (:) [Set-Acl], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAclCommand

    This makes me wonder if I don't have permissions to those items, somehow...

    Okay, I'm 99% certain my LiteralPath isn't correct.  Basically, PowerShell doesn't like those characters, and so I need to somehow tell the Set-Acl path where each of the "ForEach-Object" LiteralPath is -- but I can't find references on how to properly call that.  The temp location didn't work.
    • Edited by KickedAbyss Wednesday, March 21, 2018 8:42 PM
    Wednesday, March 21, 2018 7:59 PM
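
The `AclObject` is null error in the post above is consistent with `Get-Acl $_.FullName` still binding to `-Path`, which treats `[` and `]` as wildcard characters, while only `Set-Acl` was switched to `-LiteralPath`. The following is an added example, not code from any poster in this thread; the function name `Set-FileOwnerBySid` and its parameter names are hypothetical. It uses `-LiteralPath` for both the read and the write, compares owners by SID, and supports `-WhatIf` so a bulk ownership change can be reviewed before it is applied:

```powershell
# Added example; Set-FileOwnerBySid and its parameter names are hypothetical.
function Set-FileOwnerBySid {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $OldOwnerSid,
        [Parameter(Mandatory)] [System.Security.Principal.NTAccount] $NewOwner
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $item = $_
        try {
            # -LiteralPath takes the name as-is; -Path would treat [ and ] as wildcards.
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of '$($item.FullName)': $($_.Exception.Message)"
            return   # skip this item, continue with the next one
        }

        # Compare owner SIDs, not display names or SDDL text.
        $ownerSid = $acl.GetOwner($sidType)
        if ($null -eq $ownerSid -or $ownerSid.Value -ne $OldOwnerSid.Value) { return }

        if ($PSCmdlet.ShouldProcess($item.FullName, "Set owner to $($NewOwner.Value)")) {
            try {
                $acl.SetOwner($NewOwner)
                Set-Acl -LiteralPath $item.FullName -AclObject $acl -ErrorAction Stop
                # Emit one record per change so the run can be exported as an audit trail.
                [pscustomobject]@{
                    Path     = $item.FullName
                    OldOwner = $OldOwnerSid.Value
                    NewOwner = $NewOwner.Value
                }
            } catch {
                Write-Warning "Cannot set owner of '$($item.FullName)': $($_.Exception.Message)"
            }
        }
    }
}

# Dry run first (-WhatIf), then repeat without it. 'Username' and C:\Temp are the thread's values.
$sid = (Get-ADUser 'Username').SID
Set-FileOwnerBySid -Root 'C:\Temp' -OldOwnerSid $sid -NewOwner 'BUILTIN\Administrators' -WhatIf
```
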
  • Hi,

    Based on your situation, I recommend using Icacls.exe to set the owner because it is easier to use. The following example sets UserA as the owner of D:\Folder in the Set-Acl way and the Icacls way:
    # Set-Acl
    $path = 'D:\Folder'
    $acl = Get-Acl -Path $path
    $owner = New-Object System.Security.Principal.NTAccount('UserA')
    $acl.SetOwner($owner)
    Set-Acl -Path $path -AclObject $acl
    
    # Icacls
    icacls.exe 'D:\Folder' /setowner 'UserA'

    To modify owner for child items with specific owner, you can try with the following example:
    Get-ChildItem -Path C:\Temp -Recurse |
        Get-Acl | Where-Object {$_.Owner -eq 'Owner to search for'} |
            ForEach-Object {icacls ($_.Path.Replace('Microsoft.PowerShell.Core\FileSystem::','')) /setowner 'Owner to replace'}

    The following link is for your reference; I hope it is helpful to you:
    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, March 22, 2018 7:08 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Does the script work?

    Please let us know if you would like further assistance.

    Best Regards,
    Albert


    Tuesday, March 27, 2018 2:46 AM
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If not, please reply and tell us the current situation so that we can provide further help.

    I appreciate your feedback.

    Best Regards,
    Albert


    Thursday, March 29, 2018 5:47 AM