Skip to main content

Owner and ACL Rule Rewrite (Top Down Access/Fix)

DISCLAIMER: The information in this guide is provided "as is" without any guarantee of completeness, accuracy, timeliness, or of the results obtained from the use of this information. The author assumes no responsibility for any errors or omissions in the content. It is meant for general information purposes only and should not be used as a substitute for professional advice. The author is not responsible for any damages caused by the use of this information. By using this guide, you agree to hold the author harmless from any and all claims, damages, or expenses that may arise from your use of the information.

Introduction

This script was originally created to fix file permissions issues that were slowing down a client migration robocopy migration. The script targets all sub-folders within a given folder path ($folderPath) and changes the folder "Owner" and adds/updates the ACL rules for a given list of users ($newUsers).

The following is a list of actions/changes for each targeted folder:

The term "first-level" folder is relative to the $folderPath value. For example, if the $folderPath = "D:\Data\Management" a first-level folder would be "D:\Data\Management\Accounts" or "D:\Data\Management\Staff".

  1. The folder Owner is changed to match the currently logged in user. Using the logged in user is a limitation ("security feature") with takeown.exe. The Owner is applied recursively to the folder and all sub-folders.
    1. Ensure that the user running the script is an administrative user.
    2. There is no variable for the user, takeown.exe references the currently logged in user running the command.
    3. However, there is one exception, if the local Administrators group needs to be assigned as the owner, the /A switch can be used in the argument list for takeown.exe.
  2. The Access Control List (ACL) rules will be updated to grant "Full Control" to a specified list of users, represented by the variable $newUsers. If ACL rules for a user already exist, they will be modified to grant "Full Control". All ACL rules, including both newly added/updated rules and existing rules, will be applied recursively to the main folder and all its sub-folders.
  3. However, existing ACL rules for the current users will remain unchanged, ensuring that their access is not disrupted.
  4. For the first-level folders under the path specified in the variable $folderPath, inheritance will be disabled. As a result, these folders will no longer inherit permissions from their parent folder.
  5. On the other hand, all folders beyond the first-level will retain inheritance from their parent folder, preserving the existing permission hierarchy.

Requirements

  • Windows Machine w/ Administrative Rights.
  • PowerShell.
  • takeown.exe (comes with Windows).

Instructions

<##################################################################################################
 SCRIPT INFORMATION
##################################################################################################>

# Script Name    : Rewrite Owner and ACL Rules (Top Down Access/Fix)
# Script Version : 2023.06.08
# Script Author  : Marthur Jones

# IMPORTANT NOTE: The script will change the owner based on the logged in user running this script.
# Ensure that the user runing the script is using an administrator account. This is due to 
# limitations with the takeown.exe utility that is used in the script.

<##################################################################################################
 MODIFY THE FOLLOWING REQUIRED VARIABLES AS NEEDED
##################################################################################################>

$folderPath = "M:\"                                        # Target folders in this location.
$newUsers   = @("Test1","Administrators")                  # Full Control ACL rule access.
$folderList = Get-ChildItem -Path $folderPath -Directory

###################################################################################################

# Create a folder list for the script to loop through.
$folderList = Get-ChildItem -Path $folderPath -Directory

# Loop through each folder.
foreach($folder in $folderList) {

    # OWNERSHIP CHANGES:
    # Use takeown.exe to recursively change folder ownership
    # /F Specifies the path to the folder.
    # /A Specifies that the command should assign ownership to the administrators group. 
    #    Otherwise, the current logged in user will be assigned.
    # /R Recursively takes ownership of all files and subfolders within the specified folder.
    # /D Y Responds "Yes" to any prompts that would normally appear when taking ownership.
    takeown.exe /F $folder.FullName /R /D Y

    $acl = Get-Acl -Path $folder.FullName

    foreach ($newUser in $newUsers) {

        # PERMISSION CHANGES:
        # Add a new access rule for the $newOwner with desired permissions.
        # "FullControl": This is a string that represents the desired access control for the $newOwner.
        #   In this case, it specifies "FullControl," which means the new owner will have full control over the file or directory.
        # "ContainerInherit, ObjectInherit": This is a string that represents the inheritance flags for the access rule. 
        #   In this case, it specifies that the access rule should be inherited by child objects within a container and also by child objects that are created in the future.
        # "None": This is a string that represents the propagation flags for the access rule. 
        #   In this case, it specifies that the access rule should not be propagated to child objects.
        # "Allow": This is a string that represents the access control type for the rule. 
        #   In this case, it specifies that the access rule allows access rather than denies it.
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($newUser, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($accessRule)

        # Disable inheritance and copy existing permissions to the folder.
        $acl.SetAccessRuleProtection($true, $true)

        # Set the modified ACL back to the folder.
        Set-Acl -Path $folder.FullName -AclObject $acl
    }
}

Sources

KB Change/Issue Log

2023/06/10 - General Notes for Possible Future Changes.

Issue

The script currently processes folders at the first-level. The script does not take into account files at the first-level. In the future it may be beneficial to include files as well. If this is the case, file and folder permissions will need to be compared as the ACL properties, such as ContainerInherit are most likely not going to be applicable to file ACL properties.

Solution

This has not been implemented yet and the changes will remain pending, until needed. However, the following steps are something to consider if this feature is needed:

  1. Remove -Directory switch from Get-ChildItem cmdlet.
  2. Include if statement to identify a folder vs file type.
  3. Review folder vs file ACL properties to compare properties parity.

KB Meta

Page Includes @9#bkmrk-callout-danger-NoResponsibilityDisclaimer-5wod5ufe
Back to top