Take or give ownership of a folder that isn't accessible by the local admin group

Topics: Developer Forum, User Forum
May 6, 2009 at 9:24 AM

I've made a script to give ownership of the user's redirected home folder and profile folder to the user. I've managed to give the ownership to the user using the PSCX extensions when I (domain admin and member of the builtin\administrators group) have rights to the folder. However when I don't have any rights to that folder I can't even get the ACL. An example:

\\fileserver\username$\ is the home directory of a user. I can't access this folder through the manual way (on the server itself, logged in as administrator); when I click "Security" I get the warning "You do not have permission to view or edit the current permission settings for USERNAME, but you can take ownership or change auditing settings". So I can take ownership manually. However I'd like to take ownership or give ownership to the BUILTIN\Administrators group through a script so I can eventually give ownership to the user (obviously giving ownership to the user and giving full control to the BUILTIN\Administrators would be good too, but I guess I'll have to take ownership first).

The error I get and the command I get it on:
Get-Acl : Attempted to perform an unauthorized operation.
At C:\DOCUME~1\bramverm\LOCALS~1\Temp\40744dd5-bb4f-4cce-9d06-f7e0c5f2b8ea.ps1:132 char:26
+     $aclProperties = get-acl  <<<< $homeDir

$homeDir is a string with a regular UNC path as the one mentioned above.

I've used these lines to enable pscx:

$SeRestore = new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true
Set-Privilege $SeRestore

How can I change the ownership when I can't get the ACL? I've tried getting the ACL from another dir and setting it on the dir that I can't access but then I just get the error on the Set-Acl command.
I reckon since I can take ownership manually on the server itself there should be a way to take ownership through a script as well, or am I wrong?

Thanks in advance,

May 6, 2009 at 4:11 PM
If you are on Vista or Server 2008, it comes with TakeOwn.exe.  Check out the /A option to give ownership to the administrators group.  As the error message indicates, you won't be able to view (use Get-Acl) until you either take ownership or impersonate that user.
May 6, 2009 at 4:15 PM
Edited May 6, 2009 at 4:16 PM
The clients from which the script will be run are XP Pro, the file server is Windows 2003. So takeown.exe probably won't work.
However I've had success using SubInAcl just now so the script runs, just too bad I can't use just PowerShell. :)

Thanks for your response either way.
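
One way to do the whole sequence in PowerShell, as an added example that is not from any poster in this thread: write an owner-only security descriptor first (which needs no read access to the existing ACL), then read and edit the ACL as the new owner. It assumes PSCX is loaded as in the question, that the session runs on the file server or that the server-side token carries the same privileges, and that the path and account name are placeholders.

```powershell
# Added example; $homeDir and $userName are placeholders, not values from the thread.
$homeDir  = '\\fileserver\username$'
$userName = 'DOMAIN\username'

# 1. Enable the privileges on the current token, using the same PSCX type and
#    cmdlet the question uses. SeTakeOwnershipPrivilege allows setting yourself
#    (or Administrators) as owner; SeRestorePrivilege allows setting any owner.
foreach ($name in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege') {
    Set-Privilege (New-Object Pscx.Interop.TokenPrivilege $name, $true)
}

# 2. Build an EMPTY descriptor that carries only an owner. Because only the
#    owner section is marked as modified, SetAccessControl writes just that
#    section and never has to read the DACL that Get-Acl was denied.
$admins    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$ownerOnly = New-Object System.Security.AccessControl.DirectorySecurity
$ownerOnly.SetOwner($admins)
[System.IO.Directory]::SetAccessControl($homeDir, $ownerOnly)

# 3. The owner can always read and change the DACL, so Get-Acl now succeeds.
$acl     = Get-Acl $homeDir
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule `
               $admins, 'FullControl', $inherit, 'None', 'Allow'
$acl.AddAccessRule($rule)

# 4. Hand ownership to the user and write the descriptor back.
#    Setting an owner other than yourself relies on SeRestorePrivilege.
$acl.SetOwner((New-Object System.Security.Principal.NTAccount $userName))
Set-Acl -Path $homeDir -AclObject $acl

# 5. Verify the result: owner and the entries now on the folder.
Get-Acl $homeDir | Format-List Owner, AccessToString
```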