Converting bytes to knowledge

Set ownership on user profile or home folders script





After spending half a day creating a PowerShell script to set the owner on our users' home folders, I found that PowerShell would not set the owner at all: every attempt failed with the error "The security identifier is not allowed to be the owner of this object". That message is what .NET raises when the Windows API returns ERROR_INVALID_OWNER (1307), which Windows does when a process tries to assign ownership to a SID other than its own (or a group it is entitled to assign, such as Administrators when elevated) without the "Restore files and directories" privilege (SeRestorePrivilege) enabled in its token. An administrator holds that privilege, but a Windows PowerShell session leaves it disabled and Set-Acl does not enable it. icacls enables the privilege itself before changing the owner, which is why the cmd approach below succeeds where Set-Acl fails.

So the PowerShell script below did not work for me, and I decided to try it the old-fashioned way: a cmd batch file with icacls.

In less than an hour I had a working script with just three effective lines. The batch file first creates a list of the user folders and writes it to a text file. Then each line of that file is read, and icacls changes the owner of the folder to the matching user. The only condition is that the folder name must equal the user's account name (sAMAccountName), which is usually the case for home or profile folders. Note that icacls /setowner without /T changes the owner of the folder itself only; add /T to the command if the files and subfolders inside it should change owner as well.

CMD script:

@echo off

REM Create list of folders (the C:\temp folder must already exist)
dir /a:d /b X:\Users >C:\temp\users.txt

REM Read each line from the text file just created...
for /f "tokens=*" %%G in (C:\temp\users.txt) do (

REM ...and set the owner of each folder to the account of the same name
REM (append /T to also change the owner of everything inside the folder)
icacls "X:\Users\%%G" /setowner "domainname\%%G"

echo.

)

Powershell script:

# Home drive folder
$homeDrivesDir = "X:\Users"

# Your domain name
$domainName = "domainname"

# Save the working directory
pushd .

# Move to the home drive folder
set-location $homeDrivesDir

# For every folder in the $homeDrivesDir folder
foreach ($homeFolder in (Get-ChildItem $homeDrivesDir | Where {$_.psIsContainer -eq $true})) {

    # Read the folder's security descriptor into a variable
    $Acl = (Get-Item $homeFolder.FullName).GetAccessControl("Access")

    Write-Host "Setting rights for:" $homeFolder

    # Build the account that should become the owner (domain\foldername)
    $acct = New-Object System.Security.Principal.NTAccount($domainName, $homeFolder.Name)

    Write-Host "Owner of folder will be:" $acct
    Write-Host ""

    # Set the owner and write the descriptor back; this is the step that fails with
    # "The security identifier is not allowed to be the owner of this object"
    $Acl.SetOwner($acct)
    Set-Acl $homeFolder.FullName $Acl
    Get-Acl $homeFolder.FullName | Format-List

}

# Cleanup
popd


7 Comments

  1. Ahrum
    March 2, 2012    

    Thanks Paolo for a gloriously simple yet effective CMD file. I too spent ages trying to do it in PowerShell (it was my first attempt at using PowerShell) to no avail. In the end I used your script and made the following amendment to set ownership recursively through the home folders

    @echo off

    REM Create list of folders
    dir /a:d /b X:\Home >C:\Temp\users.txt

    REM Read each line from just created text file...
    for /f "tokens=*" %%G in (C:\Temp\users.txt) do (

    REM Set ownership for each home folder
    icacls "X:\Home\%%G" /setowner "DOMAIN\%%G"

    REM Create a list of all files and sub-folders in the users home folder
    del c:\Temp\FileList.txt /q 2>nul
    dir "X:\Home\%%G\*.*" /b /s >c:\Temp\FileList.txt

    REM Read each line from just created filelist and set ownership
    for /f "tokens=*" %%F in (c:\Temp\FileList.txt) do (icacls "%%F" /setowner "DOMAIN\%%G")

    echo.

    )

    • Paolo
      March 2, 2012    

      You’re welcome, Ahrum. Thanks for sharing your modifications.

  2. May 7, 2012    

    Setting the owner through icacls does update the owner field in the file/folder’s metadata, but it does not update the ACL’s “Creator Owner” ACE. So if you apply permission based on that ACE, it will not be updated. You have a few options; using subinacl from the Windows Resource Kit is MS’s recommended way of doing this. You could avoid the “Creator Owner” ACE, but it’s extremely convenient to use. You could also set the Creator Owner ACE after updating the Owner field, but this doesn’t allow you to take advantage of ACL inheritance, which is another major inconvenience.

  3. colin
    July 26, 2012    

    Thanks for sharing this script, came in very handy. I modified slightly to assign a specific AD group Modify access to User Home folders.

  4. DavidJuddDove
    August 22, 2012    

    From other investigations, I’d say that the PowerShell Set-Owner would work on a UNC path but not local storage (which is what most people try). Thanks for the alternative batch file.

  5. Jesse
    December 22, 2014    

    This was helpful. Thank you.

  6. August 31, 2015    

    I have a batch file that I use for fixing my home folders' permissions and setting the user as the owner.
    This assumes that the home folder for each user matches the samid.
    I have the batch file in the home folder directory \\server\users$\
    Here are the lines from the batch file:

    @Rem reset permissions to inherit from the users folder
    for /d %%a in (*.*) do icacls "%%a" /reset /T /C

    @Rem Give full control to the user of their folder
    for /d %%b in (*.*) do icacls "%%b" /grant "%%b:(OI)(CI)(F)"

    @Rem sets each user as the owner of their folder
    for /d %%c in (*.*) do icacls "%%c" /setowner "domainname\%%c" /T /C
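The batch file in the comment above runs three icacls steps in sequence (reset the ACL to inherit, grant the user Full Control, set the user as owner) without checking that a folder name is really an account or that any step succeeded, and the earlier comment by Ahrum reaches the same recursive result with a per-file loop that /T makes unnecessary. The following is an added example, not code from either commenter or from the original post: a PowerShell wrapper that drives icacls for the same three steps, resolves the account first, stops on a non-zero icacls exit code, and reads the owner back with Get-Acl afterwards. \\server\users$ and domainname are placeholders taken from the thread; the functions Resolve-HomeOwner, Invoke-Icacls and Repair-HomeFolder are this example's own.

```powershell
# Added example: the three icacls steps from the comment above, with account
# validation, exit-code checking and verification. Placeholders from the thread.
$HomeRoot = '\\server\users$'   # placeholder: share holding the home folders
$Domain   = 'domainname'        # placeholder: NetBIOS domain name

# Returns the NTAccount for a folder name if it resolves to a real account, else $null.
function Resolve-HomeOwner {
    param([string]$Name)
    $acct = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    try {
        $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        return $acct
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

# Runs icacls and fails loudly instead of letting a bad exit code scroll past.
function Invoke-Icacls {
    param([string[]]$Arguments)
    $output = & icacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') exited with $LASTEXITCODE`n$($output -join "`n")"
    }
}

# Applies reset / grant / setowner to one home folder and verifies the owner.
function Repair-HomeFolder {
    param([System.IO.DirectoryInfo]$Folder)
    $owner = Resolve-HomeOwner $Folder.Name
    if (-not $owner) {
        Write-Warning "$($Folder.FullName): no account $Domain\$($Folder.Name), skipped"
        return $false
    }
    $path = $Folder.FullName
    Invoke-Icacls @($path, '/reset', '/T', '/C')                      # inherit from the parent again
    Invoke-Icacls @($path, '/grant', "$($owner.Value):(OI)(CI)(F)")   # Full Control, inherited by children
    Invoke-Icacls @($path, '/setowner', $owner.Value, '/T', '/C')     # user owns the whole tree
    # Verify by reading the owner back; -ne is case-insensitive, so DOMAIN\user matches domain\user.
    $actual = (Get-Acl -LiteralPath $path).Owner
    if ($actual -ne $owner.Value) {
        Write-Error "$($path): owner is '$actual', expected '$($owner.Value)'"
        return $false
    }
    Write-Host "$($path) -> owner $actual"
    return $true
}

$results = @(Get-ChildItem -LiteralPath $HomeRoot -Directory | ForEach-Object { Repair-HomeFolder $_ })
Write-Host "$(@($results | Where-Object { $_ }).Count) of $($results.Count) folders fixed"
```

Run it from an elevated session on the file server (or against the share, as in the comment). Because /reset discards every explicit ACE on the tree before the grant is applied, check first that nothing other than the user and the inherited permissions from the parent is supposed to have access.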
