
Take ownership of files and folders through script

As part of our process to disable user accounts, we take ownership of the user’s server-stored documents such as roaming profiles and redirected My Documents directories. We then either keep access restricted to the domain admins group or grant access to a replacement user who should receive access to the departed user’s files.

With an upgrade to Exchange 2007, we have taken advantage of the PowerShell access to Exchange objects and have scripted the mailbox provisioning and account disable processes. One of the sticking points in getting the disable script wrapped up was seizing control of the user’s directories. PowerShell does have the ability to modify ACLs through the Get-Acl and Set-Acl cmdlets (links below), but the users have exclusive access to their server-side directories. It is easy enough to take ownership of a directory through the Windows Explorer Security dialog, but the PowerShell methods all presented some form of error when trying to set permissions or change ownership on a file system object to which you do not already have access.

I struggled for some time off and on to try to work around this with a native PowerShell way of seizing control of a directory, but I simply could not find what I was looking for. Eventually, I fell back to a simple tool built into Server 2003 already: Takeown.exe. Through a simple line, takeown got me the results I wanted. I built an array of strings for the directories I wanted to take ownership of, generally in a UNC path such as \\servername\users$\[sAMAccountName], then wrapped the takeown line in a Foreach loop:

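    # $directories is the array of paths to seize, e.g. \\servername\users$\[sAMAccountName]
    foreach ($directory in $directories)
    {
        # Give ownership of the whole tree to the Administrators group
        takeown.exe /A /R /D Y /F $directory
    }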

To learn more about the options for Takeown, simply type Takeown /? at the command line. For reference:

  • /A – Grants ownership to the Administrators group rather than to the current user.
  • /R – Recurses into all subdirectories and files.
  • /D Y – Sets the default answer to prompts to Yes.
  • /F – The name of the file system object to take ownership of.

After taking ownership, the native PowerShell cmdlets can be used to set permissions as required. For more information on PowerShell ACL tools, check out the following links:
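The two-step flow described in this post (takeown first, then the native ACL cmdlets), as an added example that is not the author's script. The function name Grant-DepartedUserFiles, its parameters and the sample account names are assumptions, and it grants the replacement user Modify rather than Full Control.

```powershell
# Added example, not the original disable script.
# Function name, parameters and sample values are hypothetical.
function Grant-DepartedUserFiles {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Directories,
        [string] $ReplacementUser   # optional; omit to leave access admin-only
    )

    foreach ($directory in $Directories) {
        # Step 1: seize ownership for the Administrators group, as in the post.
        takeown.exe /A /R /D Y /F $directory | Out-Null
        if ($LASTEXITCODE -ne 0) {
            # Do not touch the ACL if ownership was not actually taken.
            Write-Warning "takeown failed for $directory (exit code $LASTEXITCODE)"
            continue
        }

        if ($ReplacementUser) {
            # Step 2: as owner, add an inheritable Modify entry for the
            # replacement user. Existing entries are kept, not replaced.
            $rights  = [System.Security.AccessControl.FileSystemRights]::Modify
            $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
            $propag  = [System.Security.AccessControl.PropagationFlags]::None
            $allow   = [System.Security.AccessControl.AccessControlType]::Allow

            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $ReplacementUser, $rights, $inherit, $propag, $allow

            $acl = Get-Acl -Path $directory
            $acl.AddAccessRule($rule)
            Set-Acl -Path $directory -AclObject $acl
        }

        # Emit owner and resulting entries so the change can be logged and reviewed.
        Get-Acl -Path $directory | Select-Object Path, Owner, AccessToString
    }
}

# Constructed sample invocation (placeholder server, share and accounts):
# Grant-DepartedUserFiles -Directories '\\servername\users$\jdoe' -ReplacementUser 'EXAMPLE\asmith'
```

Files or subfolders whose ACLs are protected from inheritance will not pick up the new entry and need to be handled individually.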

  1. 2010-12-19 at 19:20

    “One of the sticking points in getting the disable script wrapped up was seizing control of the user’s directories. Now, Powershell does have the ability to modify ACL’s through the New-Acl and Set-Acl cmdlets (links below), but the users have exclusive access to their server-side directories. It is easy enough to take ownership of a directory through the Windows Explorer Security dialog, but the Powershell methods all presented some form of error when trying to set permissions or change ownership on a file system object to which you do not already have access to.”
    Where else can I read about this?

  2. George
    2010-12-29 at 13:21

    Wow, PowerShell cannot take ownership. I’ve been working on this for a few days with no reliable success, pretty angry about this. Is this still the case in 2010?

  3. rodomod8
    2012-01-20 at 01:58

    Takeown /?

  4. 2012-02-16 at 16:34

    Powershell using get-acl and set-acl certainly can take ownership of files and folders.

  5. Ivan
    2012-02-29 at 02:38

    The reason that PowerShell can’t take ownership is that it is not coded to use Backup privileges to forcibly take ownership when the account you’re running under does not currently have access via the existing ACL. TakeOwn.exe on the other hand is designed to fall back in this way. This approach could be replicated in PS, but you’d be writing a bunch of unmanaged code, so probably best to take the approach that you have.
