After spending half a day creating a PowerShell script to set owner rights on our users’ home folders, I found that PowerShell was unable to set the owner at all: every attempt failed with the error “The security identifier is not allowed to be the owner of this object”.
So the PowerShell script below does not work for me, and I decided to try it the old-fashioned way: cmd with icacls.
In less than an hour I had a working script with just three effective lines. The cmd script first creates a list of the user folders and writes it to a text file. Then each line of that file is read and, using icacls, the ownership of the folder is changed to the matching user. The only condition is that the folder name must be identical to the user account name, which is usually the case for user folders such as home or profile folders.
CMD script:
@echo off
REM Create list of folders
dir /a:d /b X:\users >C:\temp\users.txt
REM Read each line from just created text file...
for /f "tokens=*" %%G in (C:\temp\users.txt) do (
    REM ...and set ownership for each folder
    icacls "X:\Users\%%G" /setowner "domainname\%%G"
    echo.
)
Powershell script:
# Home drive folder
$homeDrivesDir = "X:\Users"
# Your domain name
$domainName = "domainname"
# Save work directory
pushd .
# Location homedrive
set-location $homeDrivesDir
# For every folder in the $homeDrivesDir folder
foreach ($homeFolder in (Get-ChildItem $homeDrivesDir | Where {$_.psIsContainer -eq $true})) {
    # Place ACL in a variable
    $Acl = (Get-Item $homeFolder).GetAccessControl("Access")
    Write-Host "Setting rights for:" $homeFolder
    # Create the account that will become the owner
    $acct = New-Object System.Security.Principal.NTAccount($domainName, $homeFolder.name)
    Write-Host "Owner of folder will be:" $acct
    Write-Host ""
    # Set the owner in the ACL and write it back (this is the call that fails with
    # "The security identifier is not allowed to be the owner of this object")
    $Acl.SetOwner($acct)
    Set-Acl $homeFolder.FullName $Acl
    Get-Acl $homeFolder.FullName | Format-List
}
# Cleanup
popd
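The error the post runs into is what Set-Acl reports when the process token does not have SeRestorePrivilege enabled: assigning ownership to an account other than yourself needs that privilege, and icacls /setowner enables it for itself while .NET and Set-Acl do not. The following script is an added example, not the post’s own script: it enables the privilege through a small P/Invoke shim before calling Set-Acl, refuses to write an owner that does not resolve to an account, and otherwise follows the post’s layout (X:\Users\<account name>, domain “domainname”, both placeholders here).

```powershell
# Added example (not the post's script). Sets each home folder's owner to the
# account whose name equals the folder name, from PowerShell, by first enabling
# SeRestorePrivilege in the current process token. Run from an elevated shell.
# Assumptions: one folder per user under $HomeRoot, folder name == account name,
# domain NetBIOS name in $Domain (placeholders taken from the post).
param(
    [string]$HomeRoot = 'X:\Users',
    [string]$Domain   = 'domainname',
    [switch]$ReportOnly                  # list what would change, write nothing
)

# Minimal AdjustTokenPrivileges wrapper (classic TokPriv1Luid layout, Pack=1 so
# that Count(4) | Luid(8) | Attr(4) matches TOKEN_PRIVILEGES exactly).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPrivilege {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst,
                                             int len, IntPtr prev, IntPtr relen);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    const int SE_PRIVILEGE_ENABLED = 0x2, TOKEN_QUERY = 0x8, TOKEN_ADJUST_PRIVILEGES = 0x20;

    // True only when the token holds the privilege and it is now enabled.
    public static bool Enable(string name) {
        IntPtr htok = IntPtr.Zero;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok)) return false;
        TokPriv1Luid tp = new TokPriv1Luid();
        tp.Count = 1; tp.Attr = SE_PRIVILEGE_ENABLED;
        if (!LookupPrivilegeValue(null, name, ref tp.Luid)) return false;
        if (!AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
        return Marshal.GetLastWin32Error() == 0;   // 1300 = ERROR_NOT_ALL_ASSIGNED: not held
    }
}
'@

if (-not [TokenPrivilege]::Enable('SeRestorePrivilege')) {
    throw 'SeRestorePrivilege is not available in this token; run elevated as an administrator or backup operator.'
}

foreach ($folder in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $account = New-Object System.Security.Principal.NTAccount($Domain, $folder.Name)
    # Skip folders whose name is not an account rather than writing a bad owner.
    try   { $null = $account.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { Write-Warning "$($folder.Name): no such account, skipped"; continue }

    if ($ReportOnly) { "$($folder.FullName) -> $account"; continue }
    $acl = Get-Acl -LiteralPath $folder.FullName
    $acl.SetOwner($account)                         # same call as the post's script
    Set-Acl -LiteralPath $folder.FullName -AclObject $acl
}
```

Run it once with -ReportOnly to see the folder-to-account mapping before anything is written; a folder that does not map to an account is reported and left alone, which is the case the post’s “folder name equals account name” condition silently depends on.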
Thanks Paolo for a gloriously simple yet effective CMD file. I too spent ages trying to do it in PowerShell (it was my first attempt at using PowerShell) to no avail. In the end I used your script and made the following amendment to set ownership recursively through the home folders.
@echo off
REM Create list of folders
dir /a:d /b X:\Home >C:\Temp\users.txt
REM Read each line from just created text file...
for /f "tokens=*" %%G in (C:\Temp\users.txt) do (
    REM Set ownership for each home folder
    icacls "X:\Home\%%G" /setowner "DOMAIN\%%G"
    REM Create a list of all files and sub-folders in the users home folder
    del c:\Temp\FileList.txt /q
    dir X:\Home\%%G\*.* /b /s >c:\Temp\FileList.txt
    REM Read each line from just created filelist and set ownership
    for /f "tokens=*" %%F in (c:\Temp\FileList.txt) do (icacls "%%F" /setowner "DOMAIN\%%G")
    echo.
)
You’re welcome, Ahrum. Thanks for sharing your modifications.
Setting the owner through icacls does update the owner field in the file/folder’s metadata, but it does not update the ACL’s “Creator Owner” ACE. So if you apply permissions based on that ACE, they will not be updated. You have a few options; using subinacl from the Windows Resource Kit is MS’s recommended way of doing this. You could avoid the “Creator Owner” ACE, but it’s extremely convenient to use. You could also set the Creator Owner ACE after updating the Owner field, but this doesn’t allow you to take advantage of ACL inheritance, which is another major inconvenience.
Thanks for sharing this script, came in very handy. I modified slightly to assign a specific AD group Modify access to User Home folders.
From other investigations, I’d say that the PowerShell Set-Owner would work on a UNC path but not local storage (which is what most people try). Thanks for the alternative batch file.
This was helpful. Thank you.
I have a batch file that I use for fixing my home folders permissions and setting the user as the owner.
This assumes that the home folder for each user matches the samid.
I have the batch file in the home folder directory \\server\users$\
Here are the lines from the batch file:
@Rem reset permissions to inherit from the users folder
for /d %%a in (*.*) do icacls "%%a" /reset /T /C
@Rem Give full control to the user of their folder
for /d %%b in (*.*) do icacls "%%b" /grant "%%b:(OI)(CI)(F)"
@Rem sets each user as the owner of their folder
for /d %%c in (*.*) do icacls "%%c" /setowner "domainname\%%c" /T /C
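Both the Creator Owner caveat above and the reset/grant/setowner batch file change ownership without showing how to confirm the result. The script below is an added verification pass, not from the post or any of the comments: it is read-only (Get-Acl needs no special privilege), lists each home folder whose Owner field does not match the folder name, and lists any ACE that still grants rights to some other principal, which is exactly where entries stamped from a CREATOR OWNER template for the previous owner show up, since /setowner does not rewrite them. It assumes the post’s placeholders (X:\Users, domain “domainname”) and that folder names equal account names.

```powershell
# Added example (not from the post or its comments): audit home folders after an
# ownership fix. Read-only. Assumptions: one folder per user under $HomeRoot,
# folder name == account name, domain NetBIOS name in $Domain (placeholders).
param(
    [string]$HomeRoot = 'X:\Users',
    [string]$Domain   = 'domainname',
    [switch]$Recurse            # also check files and sub-folders (slow on big shares)
)

# Principals that are expected on a home folder besides the user themself.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-Principal([System.Security.AccessControl.AuthorizationRule]$Ace) {
    # Account name, or the raw SID string when the account no longer resolves
    # (deleted users are a common leftover on old home folders).
    try   { $Ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Ace.IdentityReference.Value }
}

function Test-HomeItem {
    param([string]$Path, [string]$ExpectedUser)
    $acl = Get-Acl -LiteralPath $Path
    # A CREATOR OWNER ACE on the parent is copied to each child as an ACE for
    # whoever owned the child when it was created; /setowner does not rewrite
    # those copies, so the previous owner keeps its rights and appears here.
    $stray = foreach ($ace in $acl.Access) {
        $who = Get-Principal $ace
        if ($who -ine $ExpectedUser -and $allowed -inotcontains $who) { $who }
    }
    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner
        OwnerOk            = ($acl.Owner -ieq $ExpectedUser)
        UserHasExplicitAce = [bool]($acl.Access | Where-Object {
                                 -not $_.IsInherited -and (Get-Principal $_) -ieq $ExpectedUser })
        StrayPrincipals    = (($stray | Sort-Object -Unique) -join ';')
    }
}

$results = foreach ($folder in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $expected = "$Domain\$($folder.Name)"
    Test-HomeItem -Path $folder.FullName -ExpectedUser $expected
    if ($Recurse) {
        Get-ChildItem -LiteralPath $folder.FullName -Recurse -Force |
            ForEach-Object { Test-HomeItem -Path $_.FullName -ExpectedUser $expected }
    }
}

# Only the findings: wrong owner, or rights held by someone other than the
# user and the expected system principals.
$results | Where-Object { -not $_.OwnerOk -or $_.StrayPrincipals } | Format-Table -AutoSize
```

Run it without -Recurse first to check the folder-level owners, then with -Recurse on a sample of folders: an empty result means every item is owned by the expected account and nobody else holds rights on it, while a StrayPrincipals column full of the previous owner confirms the Creator Owner problem described above and tells you which items still need a reset or subinacl pass.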