Temporarily Take Ownership of folders to set permissions

Similar Messages

• I need to take ownership of an external drive with NTFS file system from my previous laptop?

  I have an external drive that was previously associated with my PC laptop that was stolen.
  I wish to take ownership of folders.
  Can anyone help me with this.

  Use a third party tool to allow your computer to use ntfs formatted drives.
  Or, just copy the folder/files to your computer then use them. OSx can read ntfs drives so copy will work. After you copy the files to your computer, format the drive for OSx then use the drive with your computer with read/write functionality.

• Solved - How to take ownership and change permissions for blocked files and folders in Powershell

  Hello,
  I was trying to take ownership & fix permissions on Home Folder/My Documents structures, I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from
  file permissions and do not have ownership of the files,folders/directories. (Assuming all other permissions like SeTakeOwnershipPrivilege have been enabled.
  I was not able to find any information about someone successfully using native PS to resolve the issue.  As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
  Question: How do you use only Powershell take ownership and reset permissions for files or folders you do not have permissions or ownership of?
  Problem: 
  Using the default function calls to the object fail for a folder that the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
  PS C:\> Get-Acl -path F:\testpath\locked
  Get-Acl : Attempted to perform an unauthorized operation.
  + get-acl <<<< -path F:\testpath\locked
  + CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
  + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
  If you create a new ACL and attempt to apply it using Set-Acl, you get:
  PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
  Set-Acl : Attempted to perform an unauthorized operation.
  At line:1 char:8
  + Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
  + CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
  + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
  Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
  How do you replace owner on all subcontainers and objects in Powershell with resorting to external applications like takeown, icacls, Windows Explorer GUI, etc.?
  Tony

  Hello,
  Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
  Example:  Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
  #Script to Reset MyDocuments Folder permissions
  $domainName = ([ADSI]'').name
  Import-Module "PSCX" -ErrorAction Stop
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
  #Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
  $Directorypath = "F:\Userpath" #locked user folders exist under here
  $LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
  Foreach ($Locked in $LockedDirs) {
  Write-Host "Resetting Permissions for "$Locked.Fullname
  #######Take Ownership of the root directory
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
  $Locked.SetAccessControl($blankdirAcl)
  ###################### Setup & apply correct folder permissions to the root user folder
  #Using recommendation from Ned Pyle's Ask Directory Services blog:
  #Automatic creation of user folders for home, roaming profile and redirected folders.
  $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
  $propagation = [system.security.accesscontrol.PropagationFlags]"None"
  $fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
  $DirACL = New-Object System.Security.AccessControl.DirectorySecurity
  #Administrators: Full Control
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
  #System: Full Control
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
  #Creator Owner: Full Control
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
  #Useraccount: Full Control (ideally I would error check the existance of the user account in AD)
  #$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked.name",$fullrights, $inherit, $propagation, "Allow")))
  $DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked",$fullrights, $inherit, $propagation, "Allow")))
  #Remove Inheritance from the root user folder
  $DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
  #Set permissions on User Directory
  Set-Acl -aclObject $DirACL -path $Locked.Fullname
  Write-Host "commencer" -NoNewLine
  ##############Restore admin access & then restore file/folder inheritance on all subitems
  #create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
  #$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked.name") #ideally I would error check this.
  $NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked") #ideally I would error check this.
  $subFileACL = New-Object System.Security.AccessControl.FileSecurity
  $subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
  $subFileACL.SetOwner($NewOwner)
  $subDirACL.SetOwner($NewOwner)
  ######## Enable inheritance ($False) and not copy of parent ACLs ($False)
  $subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
  $subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
  #####loop through subitems
  $subdirs = Get-ChildItem -path $Locked.Fullname -force -recurse #force is necessary to get hidden files/folders
  foreach ($subitem in $subdirs) {
  #take ownership to insure ability to change permissions
  #Then set desired ACL
  if ($subitem.Attributes -match "Directory") {
  # New, blank Directory ACL with only Owner set
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
  #Use SetAccessControl to reset Owner; Set-Acl will not work.
  $subitem.SetAccessControl($blankdirAcl)
  #At this point, Administrators have the ability to change the directory permissions
  Set-Acl -aclObject $subDirACL -path $subitem.Fullname -ErrorAction Stop
  } Else {
  # New, blank File ACL with only Owner set
  $blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
  $blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
  #Use SetAccessControl to reset Owner; Set-Acl will not work.
  $subitem.SetAccessControl($blankfileAcl)
  #At this point, Administrators have the ability to change the file permissions
  Set-Acl -aclObject $subFileACL -path $subitem.Fullname -ErrorAction Stop
  Write-Host "." -NoNewline
  Write-Host "fin."
  Write-Host "Script Complete."
  I hope you find this useful.
  Thank you,
  Tony
  Final Thought: There are great non-PS tools like
  Set-Acl and takeown which are external to PS & can also do the job wonderfully.  It may be much simpler to call those tools than recreate the wheel in pure
  code.  Feel free to use whatever best suits your time, scope & cost.

• Take ownership of a registry key, and change permissions

  Hello,
  I am writing a powershell script to configure a W2008-R2 Server. In one of the steps, I need to take ownership of an existing registry key, and then give full control permissions to the administrators.
  I have done this:
  $acl = Get-Acl $key
  $me = [System.Security.Principal.NTAccount]"$env:userdomain\$env:username"
  $acl.SetOwner($me)
  $person = [System.Security.Principal.NTAccount]"Administrators"
  $access = [System.Security.AccessControl.RegistryRights]"FullControl"
  $inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
  $propagation = [System.Security.AccessControl.PropagationFlags]"None"
  $type = [System.Security.AccessControl.AccessControlType]"Allow"
  $rule = New-Object System.Security.AccessControl.RegistryAccessRule($person,$access,$inheritance,$propagation,$type)
  $acl.AddAccessRule($rule)
  Set-Acl $key $acl
  But it fails in "set-acl" command, with the message "Set-Acl : Requested registry access is not allowed."
  Any ideas of how to do this? or if it is even possible?
  Thank you!

  Here is the code to take ownership of a registry key.  You first need to set the SeTakeOwnership permission on your process
  The enable-privilege function is taken from a posting by Lee Holmes (http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/), but
  I've been meaning to get around to tidy it up a bit for my purposes.  Perhaps this thread is the motivation I need to do this.  I should also note that the PowerShell Community Extensions has cmdlets to work with tokens already.  
  I also never tested whether you can do the PowerShell native methods of get-acl set-acl if you set the token.  I don't have time to play with that now, but if you want to try it and let us know if it works that would be great.  The opensubkey method
  I'm using I've documented here for changing permissions when you don't have permissions: http://powertoe.wordpress.com/2010/08/28/controlling-registry-acl-permissions-with-powershell/
  function enable-privilege {
  param(
  ## The privilege to adjust. This set is taken from
  ## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
  [ValidateSet(
  "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
  "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
  "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
  "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
  "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
  "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
  "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
  "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
  "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
  "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
  "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
  $Privilege,
  ## The process on which to adjust the privilege. Defaults to the current process.
  $ProcessId = $pid,
  ## Switch to disable the privilege, rather than enable it.
  [Switch] $Disable
  ## Taken from P/Invoke.NET with minor adjustments.
  $definition = @'
  using System;
  using System.Runtime.InteropServices;
  public class AdjPriv
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
  ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  public int Count;
  public long Luid;
  public int Attr;
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
  bool retVal;
  TokPriv1Luid tp;
  IntPtr hproc = new IntPtr(processHandle);
  IntPtr htok = IntPtr.Zero;
  retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
  tp.Count = 1;
  tp.Luid = 0;
  if(disable)
  tp.Attr = SE_PRIVILEGE_DISABLED;
  else
  tp.Attr = SE_PRIVILEGE_ENABLED;
  retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
  retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
  return retVal;
  $processHandle = (Get-Process -id $ProcessId).Handle
  $type = Add-Type $definition -PassThru
  $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
  enable-privilege SeTakeOwnershipPrivilege
  $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\powertoe",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
  $acl = $key.GetAccessControl()
  $me = [System.Security.Principal.NTAccount]"t-alien\tome"
  $acl.SetOwner($me)
  $key.SetAccessControl($acl)
  http://twitter.com/toenuff
  write-host ((0..56)|%{if (($_+1)%3 -eq 0){[char][int]("116111101110117102102064103109097105108046099111109"[($_-2)..$_] -join "")}}) -separator ""

• Taking Ownership of folders and files

  So I am doing what sure seems like way too much work to do something rather simple in GUI. There seem to be many topics on this and I base my code off of their results, but it isn't working entirely. Hopefully an easy one for you folks!  I am trying
  to take ownership of a path, be it a file or folder.  I DO NOT want to use a separate module like PSCX as not all machines will have the module.
  I created a function based off the code I found at the end of
  http://social.technet.microsoft.com/Forums/en-US/87679d43-04d5-4894-b35b-f37a6f5558cb/ that I can pass a path to singularly or I was hoping to be able to pipe Get-ChildItem to it.  When I do "Get-ChildItem -Path D:\Permissions\TopFolder -Recurse
  -Force | Take-Ownership" it seemed to work, but then I noticed it only seems to work going one layer deep. The text output for troubleshooting shows it recursing all the way through, but yet Owner is not being set all the way down.
  Folder layout:
  D:\Permissions\TopFolder
  D:\Permissions\TopFolder\FirstFolder
  D:\Permissions\TopFolder\FirstFile.txt
  D:\Permissions\TopFolder\FirstFolder\SecondFolder
  D:\Permissions\TopFolder\FirstFolder\SecondFile.txt
  D:\Permissions\TopFolder\FirstFolder\SecondFolder\ThirdFolder
  D:\Permissions\TopFolder\FirstFolder\SecondFolder\ThirdFile.txt
  Function Take-Ownership {
  [CmdletBinding(DefaultParameterSetName=”Set01”)]
  Param(
  [parameter(Mandatory=$true,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True,Position=1,ParameterSetName='Set01')]
  [string]$Path,
  [parameter(Mandatory=$true,ValueFromPipelinebyPropertyName=$True,ParameterSetName='Set02')]
  [Alias('FullName')][string]$FullPath
  ) # End of Param()
  Begin {
  # Check that script was Run as Administrator
  If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
  [Security.Principal.WindowsBuiltInRole] "Administrator")) {
  Write-Host -ForegroundColor Red -BackgroundColor Black "`n ERROR: You MUST have Administrator rights to run this script!"
  Write-Host -ForegroundColor Red -BackgroundColor Black " Re-run this script as an Administrator!`n"
  Break
  #P/Invoke'd C# code to enable required privileges to take ownership and make changes when NTFS permissions are lacking
  $AdjustTokenPrivileges = @"
  using System;
  using System.Runtime.InteropServices;
  public class TokenManipulator
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
  ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  [DllImport("kernel32.dll", ExactSpelling = true)]
  internal static extern IntPtr GetCurrentProcess();
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
  phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
  ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  public int Count;
  public long Luid;
  public int Attr;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool AddPrivilege(string privilege)
  try
  bool retVal;
  TokPriv1Luid tp;
  IntPtr hproc = GetCurrentProcess();
  IntPtr htok = IntPtr.Zero;
  retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
  tp.Count = 1;
  tp.Luid = 0;
  tp.Attr = SE_PRIVILEGE_ENABLED;
  retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
  retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
  return retVal;
  catch (Exception ex)
  throw ex;
  public static bool RemovePrivilege(string privilege)
  try
  bool retVal;
  TokPriv1Luid tp;
  IntPtr hproc = GetCurrentProcess();
  IntPtr htok = IntPtr.Zero;
  retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
  tp.Count = 1;
  tp.Luid = 0;
  tp.Attr = SE_PRIVILEGE_DISABLED;
  retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
  retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
  return retVal;
  catch (Exception ex)
  throw ex;
  Add-Type $AdjustTokenPrivileges
  # Activate necessary admin privileges to make changes without NTFS perms on the folder
  [void][TokenManipulator]::AddPrivilege("SeRestorePrivilege") # Necessary to set Owner Permissions
  [void][TokenManipulator]::AddPrivilege("SeBackupPrivilege") # Necessary to bypass Traverse Checking
  [void][TokenManipulator]::AddPrivilege("SeTakeOwnershipPrivilege") # Necessary to override File Permissions
  $Admin = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
  $NewDirACL = New-Object System.Security.AccessControl.DirectorySecurity
  $NewFileACL = New-Object System.Security.AccessControl.FileSecurity
  $NewDirACL.SetOwner($Admin)
  $NewFileACL.SetOwner($Admin)
  } # End of Begin {}
  Process {
  if( $FullPath.Length -gt 0 ) {
  if( Test-Path $FullPath ) {
  $Path = $FullPath
  if( Test-Path $Path -PathType Container ) {
  "Take Ownership: $Path"
  $Folder = Get-Item $Path -Force
  $Folder.SetAccessControl($NewDirACL)
  } elseif( Test-Path $Path -PathType Leaf ) {
  "Take Ownership: $Path"
  $File = Get-Item $Path -Force
  $File.SetAccessControl($NewFileACL)
  } else {
  Write-Host -ForegroundColor Red -BackgroundColor Black "ERROR: Path does not exist: $Path"
  } # End of Process {}
  End { } # End of End {}
  } # End of Function Take-Ownership
  To run this I have been doing:
  PS D:\> $Folder = 'D:\Permissions\TopFolder'
  PS D:\> Get-Item $Folder | Get-Acl
  Directory: D:\Permissions
  Path Owner
  TopFolder DOMAIN\user1
  PS D:\> Get-ChildItem $Folder -Force -Recurse | Get-Acl
  Directory: D:\Permissions\TopFolder
  Path Owner
  FirstFolder DOMAIN\user1
  FirstFile.txt DOMAIN\user1
  Directory: D:\Permissions\TopFolder\FirstFolder
  Path Owner
  SecondFolder DOMAIN\user1
  SecondFile.txt DOMAIN\user1
  Directory: D:\Permissions\TopFolder\FirstFolder\SecondFolder
  Path Owner
  ThirdFolder DOMAIN\user1
  ThirdFile.txt DOMAIN\user1
  PS D:\>
  PS D:\> Get-Item $Folder | Take-Ownership
  Take Ownership: D:\Permissions\TopFolder
  PS D:\> Get-ChildItem $Folder -Force -Recurse | Take-Ownership
  Take Ownership: D:\Permissions\TopFolder\FirstFolder
  Take Ownership: D:\Permissions\TopFolder\FirstFile.txt
  Take Ownership: D:\Permissions\TopFolder\FirstFolder\SecondFolder
  Take Ownership: D:\Permissions\TopFolder\FirstFolder\SecondFile.txt
  Take Ownership: D:\Permissions\TopFolder\FirstFolder\SecondFolder\ThirdFolder
  Take Ownership: D:\Permissions\TopFolder\FirstFolder\SecondFolder\ThirdFile.txt
  PS D:\>
  PS D:\>
  PS D:\> Get-Item $Folder | Get-Acl
  Directory: D:\Permissions
  Path Owner
  TopFolder BUILTIN\Administrators
  PS D:\> Get-ChildItem $Folder -Force -Recurse | Get-Acl
  Directory: D:\Permissions\TopFolder
  Path Owner
  FirstFolder BUILTIN\Administrators
  FirstFile.txt BUILTIN\Administrators
  Directory: D:\Permissions\TopFolder\FirstFolder
  Path Owner
  SecondFolder DOMAIN\user1
  SecondFile.txt DOMAIN\user1
  Directory: D:\Permissions\TopFolder\FirstFolder\SecondFolder
  Path Owner
  ThirdFolder DOMAIN\user1
  ThirdFile.txt DOMAIN\user1
  PS D:\>
  I don't know why this isn't working.  The output text shows I went through the subfolders and files...HELP!
  Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

  Here is the end result. I am looking to add a '-Recurse'/'-Force' switches to give another option to not have to Get-ChildItem and pipe it to the function and possibly a '-User' parameter to be able to specify who to set as owner, but both of those ideas
  are untested.
  Here is the code.  Hope it helps someone else.
  Function Take-Ownership {
  <#
  .SYNOPSIS
  This function takes ownership of a file or folder and sets it back to 'BUILTIN\Administrators'.
  .DESCRIPTION
  This function takes ownership of a file or folder and sets it back to 'BUILTIN\Administrators'.
  This will work even when the user does not have ownership or existing permissions on the file or folder.
  .EXAMPLE
  PS C:\> Take-Ownership -Path $Path
  Takes ownership of the individual folder or file. The -Path is optional as long as $Path
  is the first parameter.
  .EXAMPLE
  PS C:\> Get-Item $Path | Take-Ownership
  Takes ownership of the individual folder or file.
  .EXAMPLE
  PS C:\> Get-ChildItem $Path -Recurse -Force | Take-Ownership
  Recurse through all folders and files, including hidden, and takes ownership.
  #>
  [CmdletBinding()]
  Param(
  [parameter(Mandatory = $true, ValueFromPipeline = $True, ValueFromPipelinebyPropertyName = $True, Position = 0)]
  [Alias('FullName')]
  [string]$Path
  ) # End of Param()
  Begin {
  # Check that script was Run as Administrator
  If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
  [Security.Principal.WindowsBuiltInRole] "Administrator")) {
  Write-Host -ForegroundColor Red -BackgroundColor Black "`n ERROR: You MUST have Administrator rights to run this script!"
  Write-Host -ForegroundColor Red -BackgroundColor Black " Re-run this script as an Administrator!`n"
  Return
  #P/Invoke'd C# code to enable required privileges to take ownership and make changes when NTFS permissions are lacking
  $AdjustTokenPrivileges = @"
  using System;
  using System.Runtime.InteropServices;
  public class TokenManipulator
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
  ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  [DllImport("kernel32.dll", ExactSpelling = true)]
  internal static extern IntPtr GetCurrentProcess();
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
  phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
  ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  public int Count;
  public long Luid;
  public int Attr;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool AddPrivilege(string privilege)
  try
  bool retVal;
  TokPriv1Luid tp;
  IntPtr hproc = GetCurrentProcess();
  IntPtr htok = IntPtr.Zero;
  retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
  tp.Count = 1;
  tp.Luid = 0;
  tp.Attr = SE_PRIVILEGE_ENABLED;
  retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
  retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
  return retVal;
  catch (Exception ex)
  throw ex;
  public static bool RemovePrivilege(string privilege)
  try
  bool retVal;
  TokPriv1Luid tp;
  IntPtr hproc = GetCurrentProcess();
  IntPtr htok = IntPtr.Zero;
  retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
  tp.Count = 1;
  tp.Luid = 0;
  tp.Attr = SE_PRIVILEGE_DISABLED;
  retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
  retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
  return retVal;
  catch (Exception ex)
  throw ex;
  Add-Type $AdjustTokenPrivileges
  # Activate necessary admin privileges to make changes without NTFS perms on the folder
  [void][TokenManipulator]::AddPrivilege("SeRestorePrivilege") # Necessary to set Owner Permissions
  [void][TokenManipulator]::AddPrivilege("SeBackupPrivilege") # Necessary to bypass Traverse Checking
  [void][TokenManipulator]::AddPrivilege("SeTakeOwnershipPrivilege") # Necessary to override File Permissions
  } # End of Begin {}
  Process {
  # Process for taking Ownership of the folder
  # - Specify the NT Account user to set as Owner (BUILTIN\Administrators)
  # - Create a new ACL object for the sole purpose of defining a new owner
  # - Establish the new ACL as owned by BUILTIN\Administrators, thus
  # guaranteeing the following ACL changes can be applied.
  # - Then apply that update to the existing folder's ACL which merges
  # the proposed changes (new owner) into the folder's actual ACL
  # - - IN OUR CASE OVERWRITING THE OWNER
  # - Additional Documentation:
  # http://msdn.microsoft.com/en-us/library/System.Security.AccessControl(v=vs.110).aspx
  $Admin = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
  $NewDirACL = New-Object System.Security.AccessControl.DirectorySecurity
  $NewFileACL = New-Object System.Security.AccessControl.FileSecurity
  $NewDirACL.SetOwner($Admin)
  $NewFileACL.SetOwner($Admin)
  if( Test-Path $Path -PathType Container ) {
  $Folder = Get-Item $Path -Force
  $Folder.SetAccessControl($NewDirACL)
  } elseif( Test-Path $Path -PathType Leaf ) {
  $File = Get-Item $Path -Force
  $File.SetAccessControl($NewFileACL)
  } else {
  Write-Host -ForegroundColor Red -BackgroundColor Black "ERROR: Path does not exist: $Path"
  } # End of Process {}
  End { } # End of End {}
  } # End of Function Take-Ownership
  Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

• How to set permissions like "For all users" with Sandbox

  Hello!
  Hello!
  I am using Sandbox for Mac OS X Leopard and I've got a question to you:
  How can I set up a folder to behave like the For all users folder in the users directory?
  Greetings

  Well, sandbox sets ACL's not posix permissions. The sticky bit is a posix permission. Sand box will allow you to do something similar to the sticky bit using ACL's, but the exact duplication of the sticky bit is not possible, but something just as useful or more useful can be easily implemented.
  To set the sticky bit you will need an app called FileXaminer or the Terminal.app command line.
  to set the sticky bit simply put "1" in front of the the permissions number when you run chmod on the command line, here is an example:
  chmod 1775 /users/data/shared #assigns permissions 775 and the sticky bit#
  chmod 775 /users/data/shared #assigns permissions 775 without the sticky bit#
  note: note actual use of the chmod and chown commands will, in most cases require the sudo (super user do) command to be used with them. example:
  sudo chmod 1775 /users/data/shared #assigns temporary super user priviledge#
  The way I set my shared user's directories with ACL's is this:
  first I created folder /users/data -permissions=777 (everyone).
  I had three users so I created folders for each in /users/data:
  /users/data/user1 #this is just example-substitute real user name#
  /users/data/user2
  /users/data/user3 #etc,etc,#
  set the posix permission on each user folder 700 (owner:read,write,execute)
  set the owner and group on each one accordingly:
  chown user1:staff /users/data/user1 #substitute real user name#
  chown user2:staff /users/data/user2
  chown user3:staff /users/data/user3 #(etc,etc)#
  Now each user has their own data folder they can read and write to at will (when they are logged in to their user account).
  They can safely create and maintain their data and no one can delete it.
  Since these are shared data accounts. other users will need to read the data, this is where the ACL's come in.
  You will need to use Sandbox to place ACL's for each allowed user, on each of the user directories:
  0: user:joe inherited allow list,addfile,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsec urity,file_inherit,directoryinherit
  1: user:mary inherited allow list,addfile,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsec urity,file_inherit,directoryinherit
  2: user:sue inherited allow list,addfile,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsec urity,file_inherit,directoryinherit
  Basically with the above ACL's the only thing the allowed user can't do is delete files. They can copy files, they can add files, etc. This behavior is somewhat similar to what can be accomplished with the sticky bit, but much more controlled and structured. That is the beauty of using ACL's.
  Using SandBox you can taylor the permissions as you see fit for each every user. You can set permissions for an administrator to delete files as well. You can take away or add permissions for each user as you see fit. let your imagination be your guide.
  ACL's weren't meant to replace posix permissions, but rather to allow administrators to fine tune user permissions.
  Kj

• AppleScript for setting Permissions Automatically -help needed

  Hello -
  I am trying to create an applescript that can run automatically each time a user signs into a Mac set up for multiple (non admin) users that will take a folder on the drive and set permissions for all sub folders and files to read/write for everybody. I want the script to essentially do the equivalent of checking to "apply to enclosing items" checkbox.
  I know very little about applescript and have not found a good tutorial online yet. Does anybody already have a script that will do this or know how to create one and set it up so that it will run automatically each time a user signs in? I think that I can probably add whatever script is created to the login items for the user to do that. But, don't I also have the problem of the script needed admin rights to reset permissions?
  Any help would be appreciated.

  What exactly are you wanting to do? There are shared folders that already exist (public and private), and Access Control List entries can be set to allow for custom access. Is this for a temporary directory or something like that that gets created when a user logs in?

• Take Ownership of this item link

  Hi
  In catalog manager, in item properties, there is a link "Take Ownership of this item" which changes the owner of an object as the current user. However, eventhough I limit it only to Presentation Server Administrators group through privileges setup, each user still sees this link and be able to use it. What can I do to prevent users seeing this link, except the setting in privileges.
  Thanks a lot.

  Catalog Manager is a powerful tool - it should only be made available to report developers / administrators that need to use it. Most users should not have access to the tool - in fact the only access for most people should be through their web browser into Dashboards/Answers etc.
  If used in 'offline mode' then you have access to any item in the catalog, 'on-line' access should restrict to you to the items that you have permission on.
  I suggest that you review the catalog manager section of the Presentation Services Administration guide and particularly note the need to take backups before you make changes as there is no 'undo' available!

• Webserver - setting permissions for Custom Sites

  Quick q on setting permissions for custom sites default. Default home for custom (non-default) web site is:
  /Library/Server/Web/Data/Sites/ 
  and whatever subdirectory you stipulate, e.g. MyServer - or whatever.
  Server sets this as owner:
  drwxrwxr-x   7 root  admin  238 Mar  8 15:34 CustomSitesDefault
  drwxrwxr-x  16 root  admin  544 Mar  8 15:38 Default
  For security, shouldn't the permissions and ownership be changed - to some webamin user WITHOUT root privs? Or will this break Lion Server? Thanks.

  Hello,
  One option would be to disable the automatic Project Site Sync in the User Sync Settings Page, create custom permission levels and groups on your SharePoint Project site template(s) to meet your requirements - make use of default SharePoint groups where
  possible, save the new template(s) and attach the new templates to the EPTs. Then develop a Project Server event handler that adds the users to the Project Site on the Publish event (or what ever event you like). The project owner one is simple - just add
  the project owner to the new SharePoint group, project members - just read the project team and add those users and the visitors just add a domain AD group (Domain Users for example) to that group.
  Default Project Server sync settings / site permissions can be seen here:
  http://technet.microsoft.com/en-gb/library/cc197668(v=office.14).aspx
  Paul
  Paul Mather | Twitter |
  http://pwmather.wordpress.com | CPS

• PackageMaker: Set Permissions on Applications Subdirectory

  Hello everyone --
  I'm new to the Apple package making process and running into some interesting issues. I developed a series of scripts wrapped into Automator applications which I want to deploy to a subdirectory of Applications (ex /Applications/Mypp/). I have each component Destination set to this path. One of the components in the package is itself an Automator application which performs some auxiliary functions. This auxiliary application is triggered to run after all components are deployed to the /Applications/MyApp directory via a Postinstall "Open File" action.
  Issue: The package does everything I expect when deploying to Leopard systems either locally (double-click the pkg file and install manually) or remotely (via ARD). However, the package does NOT behave as expected when deploying to a Snow Leopard system. The specific issue is that the package is creating the subdirectory in Applications with unexpected ownership and permissions; ownership: [alternate local admin]:wheel, permissions 700. With these permissions, the auxiliary applications do not have permission to execute. The auxiliary apps and scripts are copied into the /Applications/MyApp subdirectory with the chmod permissions I set in PackageMaker.
  I believe the way out of this debacle is to use a Preinstall script. I tried implementing a Preinstall script by writing a Bash script (named preflight, set chmod ug+x) containing the following:
  #!/bin/bash
  /bin/mkdir /Applications/MyApp
  /bin/chmod 775 /Applications/MyApp
  The script Destination is /private/tmp, is copied there successfully, but is not executing as expected.
  I think that the solution to this problem is somewhere in the nuance of the Preinstall or preflight process, but I'm unable to figure this out.
  I am using PackageMaker v3.0.3 on OS X Server 10.5.8 to build the package. Target systems are Snow Leopard 10.6.4.
  Any clues? I know I've seen some people complaining about PackageMaker, but I refuse to give up and use a .dmg unless absolutely necessary.

  mdecheser wrote:
  I'm new to the Apple package making process and running into some interesting issues. I developed a series of scripts wrapped into Automator applications which I want to deploy to a subdirectory of Applications (ex /Applications/Mypp/). I have each component Destination set to this path.
  Set the component destination to just /Applications and have MyApp as part of your component. Then it should honor whatever permissions you have set in your source.
  Any clues? I know I've seen some people complaining about PackageMaker, but I refuse to give up and use a .dmg unless absolutely necessary.
  I wouldn't consider that any admission of defeat. Apple itself has stopped recommending the use of Package Maker. http://developer.apple.com/mac/library/documentation/DeveloperTools/Conceptual/S oftwareDistribution/Overview/Overview.html
  The nature and structure of your product determine the install experience you can provide to its
  users. If your product is a self-contained application (one that doesn’t need to install components
  at different locations in the file system), you can distribute it as a single file or folder. Users then
  can drag the product from its container or delivery vehicle to a location of their choice in their file
  systems. This type of installation process is called manual install. This is the preferred method of
  delivering applications to Mac OS X users.
  However, there are situations that require more complex products. For example, some applications
  require the presence of shared resources such as frameworks or fonts, which, in general, reside at
  /Library/Frameworks and /Library/Fonts, respectively. Each item that resides at a distinct location
  on the file system is known as a component. To make it easy for users to install a multicomponent
  product, instead of making users place each component in the appropriate location you develop an
  appealing install that frees users from that tedious and error-prone task. To that end, the Installer
  application (/Applications/Utilities) uses a simple interface to guide users through the process of
  installing multicomponent products. This type of installation process is known as a managed
  install.
  You use PackageMaker (/Developer/Applications/Utilities) to develop a managed install.

• Set Permissions problem with DW

  Is there an issue with DW (I am using DW CS4) setting permissions for folders or files? I tried setting permissions to a couple of files in DW by right-clicking the file. The File Access Properties dialog box appears, I set permissions, click OK, and assume the permissions are set. But when I check the permissions again by right-clicking the file, none of the permissions I set remained set according to the dialog box. So, I have been setting permissions using Cpanel. After setting permissions for files in Cpanel, I double-check the permissions and they seem to be set. Then going back to DW, the permissions are not set according to DW's File Access Properties dialog box.
  Can anyone enlighten me on this situation?

  Is there an issue with DW (I am using DW CS4) setting permissions for folders or files? I tried setting permissions to a couple of files in DW by right-clicking the file. The File Access Properties dialog box appears, I set permissions, click OK, and assume the permissions are set. But when I check the permissions again by right-clicking the file, none of the permissions I set remained set according to the dialog box. So, I have been setting permissions using Cpanel. After setting permissions for files in Cpanel, I double-check the permissions and they seem to be set. Then going back to DW, the permissions are not set according to DW's File Access Properties dialog box.
  Can anyone enlighten me on this situation?

• Why can't Firefox set permissions for Snow Leopard Server Web-Site Wikis

  I've established a web-site for collaboration of planning for a state-wide NGO and a local citizens-government oversight commission.
  I'm using Snow Leopard Server v10.6.4, to drive the web-site, which includes the use of wikis.
  In creating a wiki and setting permissions, I find that I cannot set permissions for users or groups to 'read only' from the default 'read & write' while using Firefox. However, I CAN set them to 'read only' using Safari. And, once the permission has been modified in Safari, THEN it can be modified in Firefox.

  Solution found at http://michaeljin.wordpress.com/2010/01/05/locked-out-of-mac-os-x-server/
  It’s blog update time! Updates have been a little scarce lately, been super busy with getting trophies on PS3
  Anyway, recently encountered the following with a Mac mini server running Snow Leopard Server:
  Despite being able to ARD / Screenshare the Mac mini, I was unable to get any further than the login window. Authentication credentials are obviously valid. No weird access permissions have been set. However, the weird thing was, I can connect to the server via Server Admin tools (from another Mac) and all other services were running without a hitch.
  After much head scratching it turns out to be a sACL (Service Access Control List) issue.
  This thread solved the mystery!
  http://discussions.apple.com/thread.jspa?threadID=1654864
  To save you the trouble, I’ll lay it out here. I cannot take credit for this, but Randall can!
  Open Server Admin on a computer (any), and connect with the local admin to the machine.
  Select the server and authenticate.
  Select Settings, then go to Access. You’ll want to make sure that Login Window and SSH have the local admin account listed if you select the option to “Allow only these users”. For now, I would suggest making sure all services have “Allow all users and groups” selected.
  If (as in my case) it was set to Allow All in the first place, simply toggle the settings – back and forth.
  Save.
  Try logging in again… should be a good one!

• Please help setting permissions on a Public folder

  I've just migrated from a G4 running 10.4.x to a Mac Pro running 10.5.1, and now when I create files/folders on a Public folder located on a Xserver, I can't set permissions to allow everyone to Read & Write.
  Here's what's happening. Let's say I create a new folder in the Public folder and select Get Info to change the permission to allow everyone to Read & Write. The folder starts with the permissions as g42 (my account) "Read & Write", admin "Read only", everyone "Read only". If I click to change the Privileges of "everyone" to Read & Write, all of a sudden g42's Privileges change to "No Access", admin disappears and everyone (which I had selected as Read & Write) changes to "No Access". And the folder icon now has a minus symbol on the lower right corner.
  With that said, lets say I try and correct this by clicking the Privileges of g42 to "Read & Write". Nothing happens. I then try and correct the Privileges of everyone to "Read & Write". After doing this the list of permissions is osxserver "No Access", (unknown) "Read & Write", everyone "Read & Write". And the folder still has a minus symbol on the lower right corner.
  I'm sorry if this is confusing but it's just as confusing to me and I can't figure out what I'm doing wrong.
  I Can set all the correct permissions if I do it via the Xserver. But I don't want to have to do this everytime I create a file/folder. And no one else connected to the network, running 10.4.x, has this problem which makes me think its a Leopard problem.
  Any suggestions? Need me to clarify anything?
  Thanks.

  Hey Aaron...
  I just ran thru this with my nephew at college who wanted to share .mp3 files with his roomies, and yes, I'm afraid it's all about permissions.
  In a way, Apple has made this a bit harder than it needs to be.
  1. You could create a new user for your computer, say User1, and let all your co-workers log in as that user, and they would have access to the all the docs in User1's home folder, including the ability to create, edit, move, and delete files. The problem here is that you'll be logged in as "you", and won't have the same priviledges, and no amount of manual changing of permissions will make this easier.
  2. If you have a spare HD(they are pretty cheap), you can add that to your computer, and set the the permissions to "Ignore". Your co-workers can log in to your computer as Guest, and have access to all the docs on that drive, and you will as well, since docs on that drive respond to permissions issues.
  3. The last option would be if you have an older, spare Mac to set up as a file server. Create a user for it, and you and your co-workers can log in as that user (all at the same time) and see, edit, and delete docs on the computer.
  BUT, as far as I know, I have tried numerous times to do what you want to do, and can't get it to work. Unless you don't have any "secrets" on your computer, you could give your co-workers your username and password, they log into your computer and have access to all the docs in your home folder.... but ALL the docs... anything and everything in your home folder will be available for perused by anyone logged in with your username. LIkewise, establishing a 2nd user on your computer only goes most of the way to a solution, since you can't (easily) be logged in as both users and create, open, edit, save and delete docs.
  I suppose there may be a script out there that will automatically change permissions on the fly, but I'm unaware of any.
  Hope this helps.

• How to set permissions for folder?

  Dear all,
  How can iset permissions for a particular folder?
  I am creating new folders for new users  who access the program. 
  Is there any way yo set permissions so that no one is able to edit the name of the folder ?
  Thanks,
  Ritesh

  Hi Ritesh,
  Thanks for the post and I hope your well today.
  You can programmatically change the Read Only and Hidden Status of a file
  in labview using the DOS prompt from LabVIEW - called
  System.Execvi.
  Here are some links regarding the DOS commands you can use,
  http://www.ss64.com/nt/subinacl.html
  http://www.ss64.com/nt/cacls.html 
  So I beleive you could find a DOS command which could alter the editting properties of the name..
  Another way to prevent the user altering the file would be to change
  the user permission's in windows.. but it could affected the code and
  most IT departments would not allow this.
  Hope this helps,
  Kind Regards
  James Hillman
  Applications Engineer 2008 to 2009 National Instruments UK & Ireland
  Loughborough University UK - 2006 to 2011
  Remember Kudos those who help!

• Error in setting permissions on file/directory $ORACLE_BASE/jre/1.1.8/LICEN

  Hi,
  On installing Oracle 9.2 on RedHat Linux release 4, I encounterd the
  following error:
  Error in setting permissions on file/directory
  $ORACLE_BASE/jre/1.1.8/LICENSE
  This error is encountered at the inital stage of installation after inputing all the
  required settings in the OUI. and at the Installing Java Runtinme Environment 1.1.8.1.0
  Could someone tell me why it happened and how to fix it? Your help is
  much appreciated.
  There was a post on this topic only in here and said to change the permissions of the
  ORACLE_BASE .......... I have tried out all these and all the permissions and the environment settings are correct but i'm not able to proceed with the installation even after a lot of trying.
  All you guys help is verry verry appreciated..........
  Thanks,

  Do the following and post the results:
  cd $ORACLE_BASE
  pwd
  ls -al
  cd jre
  pwd
  ls -al
  cd 1.18
  pwd
  ls -alI can't imagine anyone making recommendations without seeing what you've done.