The following bat file is being used to fix permissions for Users in our organization. Everything works perfectly until we try to set the owner back to the user.

takeown /F F:\Users\First.Last /R

icacls "F:\Users\First.Last" /grant:r system:(oi)(ci)f /t /c /Q
icacls "F:\Users\First.Last" /grant:r "Group admins":(oi)(ci)f /t /c /Q
icacls "F:\Users\First.Last" /grant:r "Domain admins":(oi)(ci)f /t /c /Q
icacls "F:\Users\First.Last" /grant:r "CREATOR OWNER":(OI)(CI)F /T /C /Q
icacls "F:\Users\First.Last" /grant:r First.Last:(oi)(ci)f /t /c /Q

icacls "F:\Users\First.Last" /remove:g "everyone" /T /C /Q
icacls "F:\Users\First.Last" /remove:g "administrators" /T /C /Q
icacls "F:\Users\First.Last" /remove Everyone /T /C /Q

icacls "F:\Users\First.Last" /setowner First.Last /c /t /Q

Here is the line that doesn't work in a bat file. It works perfectly fine when typing it into a Command Prompt:

icacls "F:\Users\First.Last" /setowner First.Last /c /t /Q

doesn't work in my bat file.

Is there another way to remove myself?

I applied fix Fix201044 from Microsoft's website and got the same result.

I am comfortable with using VBScript, PowerShell, Bat.

I am not comfortable with having to install 3rd party software that requires reboot or beta software.

software is fun
  • Didn't you ask this same question last week? I don't see it but I could've sworn it was already asked. And why do you care who the Owner is of the files/folders? It's perfectly acceptable for the Owner to be "Administrators" or similar. – TheCleaner Aug 12 '14 at 15:38
  • It's the policy for my work. I did ask last week but details were left out so I had to delete the question and I reworded it as per ServerFault admins. – software is fun Aug 12 '14 at 15:43
  • You state that the /remove:g domain\admin.account is the line failing but your error pic shows the /setowner failing. Is it both that are failing? – TheCleaner Aug 12 '14 at 15:49
  • Both are failing. – software is fun Aug 12 '14 at 15:58
  • Why not set the owner as the first line and then remove the other permissions? Also, are you logged onto the server as a local account or a domain account? I'm also curious why the Home folders are like this...using the Profile tab in ADUC will automatically grant them full control and everyone else would have no access other than Domain Admins and Local server admins. I have no way to test your script without building up a test VM, just trying to help think it through. – TheCleaner Aug 12 '14 at 17:45
  • I did take ownership with the 1st line. I'm logged in as a domain account on the server. Why is it like this? No idea. This is how it was when I started working here 10 years ago. Upper management won't change unless I have a compelling reason to do it. – software is fun Aug 12 '14 at 18:07

1 Answer

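# Folder whose owner should be reset, and the account that should own it
$HomeDir = "F:\Users\First.Last"
$objUser = New-Object System.Security.Principal.NTAccount "DOMAIN\first.last"
# Read the current security descriptor, change the owner, and write it back
$ACL = Get-Acl -Path $HomeDir
$ACL.SetOwner($objUser)
Set-Acl -Path $HomeDir -AclObject $ACL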

This should set the Ownership for you using PowerShell. I'm assuming this is in a domain environment.

Wes Holton
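The answer's snippet changes the owner of the top folder only, while the batch file uses `/t /c` to cover the whole tree and continue on errors. The following is an added example, not code from the answer or the question: it applies the same Get-Acl/SetOwner/Set-Acl steps to every item and reads each owner back to confirm the change. The path and account are the placeholders used on this page; the script parameters and report format are assumptions.

```powershell
# Added example: recursive owner reset with verification (not from the original post).
param(
    [string]$HomeDir = 'F:\Users\First.Last',   # placeholder path from the question
    [string]$Owner   = 'DOMAIN\first.last'      # placeholder account from the answer
)

# Assigning ownership to another account requires SeRestorePrivilege in the
# caller's token; a non-elevated administrator token does not carry it.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Session is not elevated; owner changes are likely to be refused.'
}

# Resolve the account once so a typo fails here, not on every file.
$account   = New-Object System.Security.Principal.NTAccount $Owner
$wantedSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# The folder itself plus everything beneath it (the /T of icacls).
$items = @(Get-Item -LiteralPath $HomeDir -Force) +
         @(Get-ChildItem -LiteralPath $HomeDir -Recurse -Force -ErrorAction SilentlyContinue)

$failed = @(foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        $acl.SetOwner($account)
        Set-Acl -LiteralPath $item.FullName -AclObject $acl -ErrorAction Stop

        # Read the owner back instead of trusting the absence of an error.
        $check  = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        $nowSid = $check.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($nowSid -ne $wantedSid) { throw "owner is still $nowSid" }
    }
    catch {
        # Keep going after an error (the /C of icacls) and record the item.
        [pscustomobject]@{ Path = $item.FullName; Error = $_.Exception.Message }
    }
})

'{0} of {1} items could not be assigned to {2}' -f $failed.Count, $items.Count, $Owner
$failed | Format-Table -AutoSize -Wrap
```

The list of failed paths shows whether the refusal applies to every item or only to some of them, which the `/Q` switch in the batch file hides.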