Temporarily Take Ownership of folders to set permissions

  • Question

  • So I am attempting to run a script when a server builds that sets permissions on certain folders. However, the administrator group does not have access to these files. Is there a way to temporarily take ownership of these folders so I can make the permission changes and revert the ownership afterwards? Any thoughts?

    Thanks. 
    Monday, March 16, 2015 7:00 PM

Answers

  • Mekac is right; if you don't have at least 'ReadPermissions' access to the file/folder, you usually can't get the current owner. If you have the SeBackupPrivilege granted, though, you can take a look at it under the right conditions. If you want to do that manually, let me know, otherwise you can try the 4.0 preview version of the PowerShell Access Control module:

    $CurrentPath = "c:\FileOrFolderPath"
    $AddAceParams = @{
        Principal = "Administrators"
        FolderRights = "FullControl"
    }
    
    <#
        Method 1 (technically a one-liner)
    #>
    Get-SecurityDescriptor $CurrentPath -PacSDOption (New-PacCommandOption -BypassAclCheck) | ForEach-Object {
        $OriginalOwner = $_.Owner
        
        $_ | Set-Owner -PassThru -Apply |  # -Force here would suppress prompt
            Add-AccessControlEntry @AddAceParams -PassThru |
            Set-Owner -Principal $OriginalOwner -Apply # -Force here would suppress prompt
    }
    
    <# 
        Method 2 (Multiple lines)
    #>
    $OriginalOwner = Get-SecurityDescriptor $CurrentPath -PacSDOption (New-PacCommandOption -BypassAclCheck) | select -ExpandProperty Owner
    Set-Owner $CurrentPath #-Force
    Add-AccessControlEntry $CurrentPath @AddAceParams -PassThru |
        Set-Owner -Principal $OriginalOwner -Apply #-Force
    

    Both examples should do the exact same thing. The important part is the '-PacSDOption (New-PacCommandOption -BypassAclCheck)', which enables the backup privilege and opens the file/folder in a special way to allow you to look at the security descriptor even if you don't have permission to. You need to do that to guarantee the ability to save the current owner. If you have any questions about what's going on, please let me know.

    It's actually possible to make the permission changes using the SeRestorePrivilege without taking ownership first, but there are a lot of "gotchas". I'm still trying to figure out if I'm going to include that capability in the final version of the module.

    By the way, version 4.0 is currently still a preview build, so some of the syntax will be different before it's finalized. One area where the previous examples will definitely fail later is with the 'New-PacCommandOption' cmdlet (it's been renamed to 'New-PacSdOption' in the latest unreleased build).


    • Proposed as answer by Mekac Tuesday, March 17, 2015 7:41 PM
    • Marked as answer by AnnaWY Monday, March 30, 2015 9:27 AM
    Tuesday, March 17, 2015 4:57 PM
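    As an added example (not the thread's code and not the PowerShell Access Control module), here is the same take-ownership / add-ACE / give-back sequence done only with .NET's DirectorySecurity plus a small P/Invoke helper that enables the two privileges involved. It assumes Windows PowerShell 5.1 in an elevated session on the server being built; 'Priv' and 'Invoke-WithTemporaryOwnership' are names chosen here. It deliberately stops before changing anything when the original owner cannot be read, which is the case Mekac and the answer above describe: without ReadPermissions (or the module's backup-semantics open) there is nothing to restore the owner to.

```powershell
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public static class Priv {
  [StructLayout(LayoutKind.Sequential, Pack = 1)] struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
  [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
  [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  // Enable one privilege on the process token: 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, Attr 2 = SE_PRIVILEGE_ENABLED.
  public static bool Enable(string priv) {
    IntPtr htok = IntPtr.Zero;
    if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, ref htok)) return false;
    TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 2;
    if (!LookupPrivilegeValue(null, priv, ref tp.Luid)) return false;
    // AdjustTokenPrivileges returns true even when the token lacks the privilege; ERROR_NOT_ALL_ASSIGNED is only in LastError.
    return AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero) && Marshal.GetLastWin32Error() == 0;
  }
}
'@
# Name chosen for this example; assumes Windows PowerShell 5.1 running elevated on the server being built.
function Invoke-WithTemporaryOwnership {
    param(
        [Parameter(Mandatory)][string]$FolderPath,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Rule,
        [string]$TemporaryOwner = 'BUILTIN\Administrators'
    )
    # SeTakeOwnershipPrivilege grants WRITE_OWNER with no matching ACE; SeRestorePrivilege lets us hand ownership back to a principal outside our own token. An elevated admin token holds both, but they start disabled.
    foreach ($p in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege') {
        if (-not [Priv]::Enable($p)) { throw "Cannot enable $p; run elevated as an administrator." }
    }
    $dir = Get-Item -LiteralPath $FolderPath -Force
    # Reading the owner needs READ_CONTROL. With no access there is nothing to restore to, so stop before changing anything.
    try { $originalOwner = $dir.GetAccessControl('Owner').GetOwner([System.Security.Principal.SecurityIdentifier]) }
    catch { throw "Cannot read the current owner of '$FolderPath' (no ReadPermissions access); nothing was changed. $_" }
    $taken = $false
    try {
        # Step 1: a fresh DirectorySecurity with only the owner set persists just the owner section.
        $takeOwner = New-Object System.Security.AccessControl.DirectorySecurity
        $takeOwner.SetOwner([System.Security.Principal.NTAccount]$TemporaryOwner)
        $dir.SetAccessControl($takeOwner); $taken = $true
        # Step 2: the owner implicitly holds READ_CONTROL and WRITE_DAC, so the ACE can now be added normally.
        $acl = $dir.GetAccessControl('Access'); $acl.AddAccessRule($Rule); $dir.SetAccessControl($acl)
    } finally {
        # Step 3: always give ownership back once it was taken, even if adding the ACE failed.
        if ($taken) {
            $giveBack = New-Object System.Security.AccessControl.DirectorySecurity
            $giveBack.SetOwner($originalOwner)
            $dir.SetAccessControl($giveBack)
        }
    }
}
```

    Call it with a rule equivalent to the thread's FolderRights = FullControl, for example `New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')`.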

All replies

  • Hi Shaffan,

    If you want to change the ownership, please refer to the script below. It gets the current owner, changes the ownership, and then sets the original owner back. Please also make sure the account running this script has permission to change the owner of the folder:

    You need to check the Set-Owner function written by Boe first:

    # Requires Boe Prox's Set-Owner function to be loaded first (see above)
    $F = "c:\test1"
    $folder = Get-Acl $F               # needs ReadPermissions on the folder, otherwise this fails
    $owner = $folder.Owner             # save the original owner so it can be restored later
    Set-Owner -Path $F -Account "domain\user"   # placeholder account; take ownership, then make the permission changes
    # set back the owner to the default owner
    Set-Owner -Path $F -Account $owner

    If there is anything else regarding this issue, please feel free to post back.

    Best Regards,

    Anna Wang

    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, March 17, 2015 5:19 AM
  • Imo, you can't read ACL entries from files you don't have access to.

    $owner = $folder.Owner would return an empty value... maybe

    Tuesday, March 17, 2015 6:19 AM