SteelBytes.NeT
Converting bytes to knowledge

Set ownership on user profile or home folders script

January 24, 2012 7 Comments Written by Paolo




After spending half a day to create a Powershell script to set owner rights on the home folders of our users, I found out Powershell is unable to set owner permissions by showing the error “The security identifier is not allowed to be the owner of this object” every time.

So the Powershell script below won’t work for me and I decided to try it the old fashion way: cmd with icacls.

In no less then a hour I had a working script with just three effective lines. The cmd script first creates a list of user folders and puts them in a text file. Then each line from the text file is being read and by using icacls the ownership of each folder is changed to the appropriate user. The only condition is that your user folder name must be the same as the user account, which is usually the case with user folders such as home or profile folders.

CMD script:

@echo off

REM Create list of folders
dir /a:d /b X:\users >C:\temp\users.txt

REM Read each line from just created text file...
for /f "tokens=*" %%G in (C:\temp\users.txt) do (

REM ...and set ownership for each folder
icacls "X:\Users\%%G" /setowner "domainname\%%G"

echo.

)

Powershell script:

# Home drive folder
$homeDrivesDir="X:\Users"

# Your domain name
$domainName = "domainname"

#Save work directory
pushd .

# Location homedrive
set-location $homeDrivesDir

# For every folder in the $homeDrivesDir folder
foreach($homeFolder in (Get-ChildItem $homeDrivesDir | Where {$_.psIsContainer -eq $true})) {

 # Place ACL in a variable
 $Acl = (Get-Item $homeFolder).GetAccessControl("Access")

 Write-host "Settings rights for:" $homeFolder

 # Create the Access Rule
            $acct=New-Object System.Security.Principal.NTAccount($domainName,$homeFolder.name)

 Write-host "Owner of folder will be:"	$acct
 Write-host ""

 # Apply the access rule to the ACL
 $Acl.SetOwner($acct)
 Set-Acl $homeFolder.FullName $Acl
 Get-Acl $homeFolder.FullName  | Format-List

}

# Cleanup
popd


Powershell, Scripting, Windows 7, Windows Server 2008, Windows Vista, Windows XP
, , , , ,
Similar posts
  • MSI error code 1638: “Another v... When you try to remove an application, you receive the following error: “Another version of this product is already installed” with the error code 1638. This is a problem with minor/major versions of the installed product. When a GUID of a msi package changes (when an msi is generated for example), the product will detect itself [...]
  • Enable or disable Outlook add-ins on ... There are certain scenario’s where you want to enable Outlook add-ins only for specific users. This guide explains how to accomplish this by using the group policy. 1. Open the registry and navigate to: HKCU\Software\Microsoft\Office\Outlook\Addins 2. Find the corresponding key which matches the Outlook add-in you have installed (for example: HKCU\Software\Microsoft\Office\Outlook\Addins\OcOffice.OcForms) 3. Right-click on the [...]
  • How to reset / bypass the administrat... Last time I had to rejoin a machine to the domain and apparently some nutjob administrator didn’t use the documented password for the local administrator account. So with no option to log on to the machine locally, I had to follow the steps below. Basically, you replace the executable used for Accessibility options showed in [...]
  • Cluster Shared Volume not accessible ... When you try to access the Cluster Shared Volume from a cluster node which is not the current owner, the Windows Explorer may hang on opening the ClusterStorage folder. You cannot access the shared volume. You receive the following error in the event log: ‘Cluster Shared Volume…’ is no longer available on this node because [...]
  • Install print driver .inf file from c... Sometimes you just want to add a printer driver to your Windows client. For example for USB connected printers so you don’t have to manually select the print driver every time connecting the printer to a new client. The following command line can be used in a batch file to automate the driver installation: rundll32 [...]

7 Comments

  1. Ahrum Ahrum
    March 2, 2012    

    Thanks Paolo for a gloriously simple yet effective CMD file. I too spent ages trying to do it in powershell (it was my first attempt at using powershell) to no avail. In the end I used your script and made the following amendment to set ownership recursively through the home folders

    @echo off

    REM Create list of folders
    dir /a:d /b X:\Home >C:\Temp\users.txt

    REM Read each line from just created text file…
    for /f “tokens=*” %%G in (C:\Temp\users.txt) do (

    REM Set ownership for each home folder
    icacls “X:\Home\%%G” /setowner “DOMAIN\%%G”

    REM Create a list of all files and sub-folders in the users home folder
    del c:\Temp\FileList.txt /q
    dir X:\Home\%%G\*.* /b /s >c:\Temp\FileList.txt

    REM Read each line from just created filelist and set ownership
    for /f “tokens=*” %%F in (c:\Temp\FileList.txt) do (icacls “%%F” /setowner “DOMAIN\%%G”)

    echo.

    )

    Reply
    • Paolo Paolo
      March 2, 2012    

      You’re welcome, Ahrum. Thanks for sharing your modifications.

      Reply
  2. Chris S Chris S
    May 7, 2012    

    Setting the owner through icacls does update the owner field in the file/folder’s metadata, but it does not update the ACL’s “Creator Owner” ACE. So if you apply permission based on that ACE, it will not be updated. You have a few options, using subinacl from the Windows Resource Kit is MS’s recommended way of doing this. You could avoid the “Creator Owner” ACE, but it’s extremely convenient to use. You could also set the Creator Owner ACE after updating the Owner field, but this doesn’t allow you to take advantage of ACL inheritance, with is another major inconvenience.

    Reply
  3. colin colin
    July 26, 2012    

    Thanks for sharing this script, came in very handy. I modified slightly to assign a specific AD group Modify access to User Home folders.

    Reply
  4. DavidJuddDove DavidJuddDove
    August 22, 2012    

    From other investigations, I’d say that the PowerShell Set-Owner would work on a UNC path but not local storage (which is what most people try). Thanks for the alternative batch file.

    Reply
  5. Jesse Jesse
    December 22, 2014    

    This was helpful. Thank you.

    Reply
  6. Paul Kochei Paul Kochei
    August 31, 2015    

    I have a batch file that I use for fixing my home folders permissions and setting the user as the owner.
    This assumes that the home folder for each user matches the samid
    I have the batch file in the home folder directory \\server\users$\
    here are the lines from the batch file:

    @Rem reset permissions to inherit from the users folder
    for /d %%a in (*.*) do icacls %%a /reset /T /C

    @Rem Give full control to the user of their folder
    for /d %%b in (*.*) do icacls %%b /grant %%b:(OI)(CI)(F)

    @Rem sets each user as the owner of their folder
    for /d %%c in (*.*) do icacls %%c /setowner domainname\%%c /T /C

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *


× eight = seventy two