change the owner of directories with powershell

Topics: Developer Forum, Project Management Forum, User Forum
May 28, 2010 at 9:39 AM

Hi,
I'm trying to change the owner of multiple directories and also change permissions. I am able to successfully change the permissions by getting the acl on the dir/file, creating a file system access rule, adding the rule and
then setting the acl. For setting the owner, I get-acl on the filename, create an NTAccount, translate into security identifier to make sure the account is valid, then I use SetOwner on the acl, and invoke set-acl which fails with the following error: "Set-Acl : The security identifier is not allowed to be the owner of this object". Here is an example of my code for setting the owner:


$acl = Get-Acl -Path $fileName
$account = New-Object System.Security.Principal.NTAccount("DomainExample", $userName)
$accountSid = $account.Translate([System.Security.Principal.SecurityIdentifier])  # confirms the account exists
$acl.SetOwner($account)                   # this works ok and sets the owner in memory, I suppose
Set-Acl -Path $fileName -AclObject $acl   # this fails with the error mentioned above

I am running the PowerShell terminal as a user who has permissions to give
ownership. Also if I use the Windows GUI, it works fine. Any ideas/help will
be greatly appreciated.

Developer
May 28, 2010 at 4:26 PM
I believe you'll have to enable the SeBackupPrivilege first before you can set the owner of a file to be someone other than yourself. With an elevated shell:
 
PS C:\Windows\system32> ipmo pscx
PS C:\Windows\system32> $p = get-privilege
PS C:\Windows\system32> $p.Enable("sebackupprivilege")
PS C:\Windows\system32> Set-Privilege $p
PS C:\Windows\system32> get-privilege
Name                                     Status
----                                     ------
SeIncreaseQuotaPrivilege                 Disabled
SeMachineAccountPrivilege                Disabled
SeSecurityPrivilege                      Disabled
SeTakeOwnershipPrivilege                 Disabled
SeLoadDriverPrivilege                    Disabled
SeSystemProfilePrivilege                 Disabled
SeSystemtimePrivilege                    Disabled
SeProfileSingleProcessPrivilege          Disabled
SeIncreaseBasePriorityPrivilege          Disabled
SeCreatePagefilePrivilege                Disabled
SeBackupPrivilege                        Enabled  <<<<<<
SeRestorePrivilege                       Disabled

This should give you the necessary rights to set the owner. The reason you need backup rights is because you are subverting the auditing; normally you can only give someone the right to _take_ ownership back.
 
-Oisin
 
On Fri, May 28, 2010 at 5:39 AM, djvantob <notifications@codeplex.com> wrote:
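The procedure from the question and the answer above, put together as an added example (my code, not the original poster's and not part of PSCX itself). It assumes PSCX is installed and the shell is elevated, and uses the Get-Privilege / Set-Privilege calls exactly as shown in the answer. One addition on top of the answer: the function also enables SeRestorePrivilege, because that is the privilege Windows checks when the new owner is any SID other than the caller's own (SeTakeOwnershipPrivilege only lets you take ownership for yourself). The domain, user name and paths are placeholders.

```powershell
# Added example, not from the original post or from PSCX: assign the owner of
# several directories to another account in one pass, then read the owner
# back to verify. Requires an elevated shell and the PSCX module.
Import-Module Pscx

function Set-DirectoryOwner {
    param(
        [Parameter(Mandatory)] [string[]] $Paths,
        [Parameter(Mandatory)] [string]   $Domain,     # placeholder, e.g. 'DomainExample'
        [Parameter(Mandatory)] [string]   $UserName
    )

    # Resolve the account up front. Translate() throws IdentityNotMappedException
    # for a nonexistent account, which is a clearer failure than Set-Acl's message.
    $account = New-Object System.Security.Principal.NTAccount($Domain, $UserName)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Enable the privileges in this process token. They exist in an elevated
    # Administrators token but are disabled by default ('whoami /priv' shows the
    # state). SeRestorePrivilege is what allows an arbitrary SID to be assigned
    # as owner; SeBackupPrivilege is enabled as well, as in the answer above.
    $priv = Get-Privilege
    foreach ($name in 'SeRestorePrivilege', 'SeBackupPrivilege') {
        $priv.Enable($name)
    }
    Set-Privilege $priv

    foreach ($path in $Paths) {
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
            # SetOwner takes any IdentityReference; passing the SID avoids a
            # second name lookup inside Set-Acl.
            $acl.SetOwner($sid)
            Set-Acl -Path $path -AclObject $acl -ErrorAction Stop

            # Verify by reading the owner back as a SID rather than trusting the call.
            $ownerSid = (Get-Acl -Path $path).GetOwner([System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{
                Path  = $path
                Owner = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value
                Ok    = ($ownerSid.Value -eq $sid.Value)
                Error = $null
            }
        }
        catch {
            # Keep going for the remaining directories and report the failure per path.
            [pscustomobject]@{ Path = $path; Owner = $null; Ok = $false; Error = $_.Exception.Message }
        }
    }
}

# Usage with placeholder values: both directories end up owned by DomainExample\alice.
Set-DirectoryOwner -Paths 'C:\Data\proj1', 'C:\Data\proj2' -Domain 'DomainExample' -UserName 'alice' |
    Format-Table -AutoSize
```

The owner is changed only on the directories named in -Paths; to cover their contents as well, feed `Get-ChildItem -Recurse` output into -Paths. The privileges stay enabled for the rest of the session, so run this in a throwaway elevated shell rather than a long-lived one.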
