How do I take ownership of folders that I already have full control permissions to using powershell?

Question

How do I take ownership of folders that I already have full control permissions to using powershell?

So I am not the owner of the folder nor do I have admin rights, but the group that I am a member of has the Full Control over the folder including the ability to "Take Ownership" and "Change Permissions". So a little bit of back story here. We have a server and we have a share drive, our IT Department has a group that has full control permissions over our share drive, but when users create new folders, by default they have owner access to it. I am trying to setup a powershell solution that runs automatically on our server and scans our share drive for folders owned by anything other than our IT Department group and then changes the owner of all of those files/folders to our IT Department group. This way when that user leaves, we can access the files without having to go higher, as we do not have admin access to the server where our share drive resides.

Here is what I have so far

    #P/Invoke'd C# code to enable required privileges to take ownership and make changes when NTFS permissions are lacking
$AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;

 public class TokenManipulator
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
  ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  [DllImport("kernel32.dll", ExactSpelling = true)]
  internal static extern IntPtr GetCurrentProcess();
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
  phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
  ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool AddPrivilege(string privilege)
  {
   try
   {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = GetCurrentProcess();
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_ENABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return retVal;
   }
   catch (Exception ex)
   {
    throw ex;
   }
  }
  public static bool RemovePrivilege(string privilege)
  {
   try
   {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = GetCurrentProcess();
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_DISABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return retVal;
   }
   catch (Exception ex)
   {
    throw ex;
   }
  }
 }
"@
add-type $AdjustTokenPrivileges
#example for testing
$Folder = Get-Item "C:\Temp"
#Activate necessary admin privileges to make changes without NTFS perms
[void][TokenManipulator]::AddPrivilege("SeRestorePrivilege") #Necessary to set Owner Permissions
[void][TokenManipulator]::AddPrivilege("SeBackupPrivilege") #Necessary to bypass Traverse Checking
[void][TokenManipulator]::AddPrivilege("SeTakeOwnershipPrivilege") #Necessary to override FilePermissions

#Obtain a copy of the initial ACL
#$FolderACL = Get-ACL $Folder - gives error when run against a folder with no admin perms or ownership
#Create a new ACL object for the sole purpose of defining a new owner, and apply that update to the existing folder's ACL
$NewOwnerACL = New-Object System.Security.AccessControl.DirectorySecurity
#Establish the folder as owned by BUILTIN\Administrators, guaranteeing the following ACL changes can be applied
$Admin = New-Object System.Security.Principal.NTAccount("UECDOM\IT Department Group")
$NewOwnerACL.SetOwner($Admin)
#Merge the proposed changes (new owner) into the folder's actual ACL
$Folder.SetAccessControl($NewOwnerACL)

powershell

permissions

acl

ntfs

asked on Stack Overflow Feb 28, 2020 by

Jacob Pagano

1 Answer

Get the System.Security.Principal.IdentityReference of the User/Group

Get-ChildItem -Directory -Recurse

Ignore Folders that have that IdentityReference as owner already.

Get Access Control List with Get-ACL

Change Owner with SetOwner method

Save ACL with Set-ACL

$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'BUILTIN\Administrators'
Get-ChildItem 'C:\scripts' -Recurse -Directory | ?{ (Get-Acl $_.FullName).Owner -notlike $Account.Value} | %{
    $ACL = Get-ACL $_.FullName
    $ACL.SetOwner($Account)
    Set-Acl $_.FullName $ACL
}

answered on Stack Overflow Feb 28, 2020 by

ArcSet

User contributions licensed under CC BY-SA 3.0