Help taking folder ownership before ICACLS

  • Question

  • So someone applied a Terminal Server lockdown GPO to ALL servers. This particular GPO removed standard permissions on the Windows\Tasks folder, giving SYSTEM, CREATOR OWNER, and Administrators only Read and Execute rights instead of Full Control.

    If I manually take ownership I can reset the folder permissions using ICACLS. But as the BuiltIn Administrators group is not the Owner (SYSTEM is) I cannot make any changes. There are many servers so I want to script this and do it all from a single server (remote execution).

    I tried using "takeown" as shown below, but that doesn't work. Any suggestions on getting this to work?

    # ***** Begin Script Block

    $Serverlist = Get-Content "C:\NTUtils\Servers.txt"
    foreach ($Server in $Serverlist) {
        Write-Host "Working on Server" $Server
        # $command = "takeown /A  \\$Server\C$\Windows\Tasks /r /d y"   THESE 2 LINES DO NOT WORK
        # iex $command

        # Replace the explicit grants with Full Control, inherited by files (OI) and subfolders (CI)
        icacls.exe \\$Server\C$\Windows\Tasks  --% /grant:r "Administrators":(OI)(CI)F
        icacls.exe \\$Server\C$\Windows\Tasks  --% /grant:r "SYSTEM":(OI)(CI)F
        icacls.exe \\$Server\C$\Windows\Tasks  --% /grant:r "CREATOR OWNER":(OI)(CI)F
    }

    # ***** End Script Block

    takeown : ERROR: Invalid argument/option - '\\ZTASKTEST\C$\Windows\Tasks'.
    At line:1 char:1
    + takeown /A  \\ZTASKTEST\C$\Windows\Tasks /r /d y
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (ERROR: Invalid ...Windows\Tasks'.:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError

    Tuesday, December 26, 2017 8:16 PM

Answers

  • I was asking a scripting question, not a break fix question, nor a task scheduler question so take the time to READ AND UNDERSTAND before sending out a snippy reply!

    I was not the person to make this GPO change either, just the person who needs to fix it. As stated in my original post I KNOW HOW TO FIX IT. I just was looking to apply the fix via PowerShell.

    On a new 2012 R2 server the default permissions are Full Control for SYSTEM; Administrators and Owner Creator. Without at least Modify permission a new task cannot be created using "Configure for: Windows Server 2003, Windows XP, or Windows 2000".

    I changed the takeown line to:

    $command="takeown  /S \\$Server /F \\$Server\C$\Windows\Tasks /A /R"

    and it now works

    • Marked as answer by cmor1701e Tuesday, December 26, 2017 9:17 PM
    Tuesday, December 26, 2017 9:13 PM
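
An added example, not part of the original thread or any poster's code: a read-only check to run after the fix that reports, per server, the owner SID of the Tasks folder and which of SYSTEM, Administrators and CREATOR OWNER still lack Full Control. It assumes the same C:\NTUtils\Servers.txt list and admin-share access as the script in the question; the variable names are illustrative.

```powershell
# Added example: read-only audit, changes nothing on the target servers.
# Assumptions: server list file and \\server\C$ access as in the question's script.
$Serverlist = Get-Content "C:\NTUtils\Servers.txt"

# Well-known SIDs avoid locale-dependent account names.
$Expected = [ordered]@{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'Administrators'
    'S-1-3-0'      = 'CREATOR OWNER'
}
$SidType    = [System.Security.Principal.SecurityIdentifier]
$FullRights = [System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll = 0x10000000   # GENERIC_ALL: inherit-only full-control ACEs are often stored this way

$Report = foreach ($Server in $Serverlist) {
    $Path = "\\$Server\C$\Windows\Tasks"
    try {
        $Acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Record unreachable or unreadable servers instead of aborting the run
        [pscustomobject]@{ Server = $Server; Owner = $null; Missing = "unreadable: $($_.Exception.Message)" }
        continue
    }
    # Explicit and inherited Allow rules, with identities returned as SIDs
    $Rules = $Acl.GetAccessRules($true, $true, $SidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    $Missing = foreach ($Sid in $Expected.Keys) {
        $HasFull = $Rules | Where-Object {
            $_.IdentityReference.Value -eq $Sid -and (
                ($_.FileSystemRights -band $FullRights) -eq $FullRights -or
                ([int]$_.FileSystemRights -band $GenericAll))
        }
        if (-not $HasFull) { $Expected[$Sid] }
    }
    [pscustomobject]@{
        Server  = $Server
        Owner   = $Acl.GetOwner($SidType).Value   # S-1-5-32-544 after takeown /A
        Missing = $Missing -join ', '
    }
}
$Report | Format-Table -AutoSize
```

An empty Missing column means all three principals hold Full Control on that server.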

All replies

  • Once the lockdown has been applied you will not be able to undo it.

    The permissions on the Tasks folder are correct even without lockdown.

    This is not a break/fix forum. It is not a task scheduler forum. By now your attempts to subvert the lockdown as well as a lack of understanding of the basic default permissions on system folders have boxed you into a corner. You will need to contact MS Support for help or just re-install your OS.


    \_(ツ)_/

    Tuesday, December 26, 2017 8:42 PM