Takeown You do not have permission to read the contents of directory

Question

Is there a reason I get this error when taking ownership of a directory?

It works fine if I go through the permissions in the GUI, but if I try to do if from the command line I get an error that I don't have permission to read from it:

takeown /s someserver /f "r:\redirected\flast\My Documents\Music\" /u domain\user /R

You do not have permissions to read the contents of directory "\someserver\r$\redirected\flast\My Documents\My Music".

Answer 1

Google found this blog for me which seems to indicate that either you need to add a Default answer (/D [Y|N]) to the question:

"you do not have permission to take ownership, do you want to?”

/D           prompt          Suppresses the confirmation prompt that is
                             displayed when the current user does not have 
                             the "List Folder" permission on a specified 
                             directory, and instead uses the specified 
                             default value.
                             Valid values for the /d option are as follows:
                                   Y: Take ownership of the directory.
                                   N: Skip the directory.
Note that you must use this option in conjunction with the /r option.

The big caveat is that using takeown /R /D Y ... will strip out existing permissions which may not be exactly what you want or need...

The author's solution is to run takeown without the /R options and script a loop that changes ownership of each directory and any subdirectories individually instead.

Answer 2

To recursively take ownership of a directory many suggest to run takeown with options /r /D y (as does the accepted answer). But if the administrator that runs this command does not have list/read access in any subfolder, takeown will DELETE ALL EXISTING PERMISSIONS!.

The following script does not have this drawback. The only minor side-effect of this script is that in folders where MyAdmin didn't have list rights MyAdmin and SYSTEM will gain full control both on the folder and on the files it contains. The script is based on the old version of a blog post that is now missing the code, with some improvements by me.

USAGE:

Run from an elevated powershell as user MyDomain\MyAdmin and it will give ownership recursively to SYSTEM and MyDomain\MyAdmin.

Take-OwnershipRecursively "c:\somfolder" "MyDomain\MyAdmin" "c:\logfile.txt"

The script:

function Test-AllSubFolders{
    # Recursively visit all subfolders of $Folder
    # and if you get Access Denied error on any of them
    # call Take-OwnershipOfOneFolder on it
    param(
        [String]$Folder,
        [String]$MyDomain,
        [String]$MyAdmin
    )
    $error.Clear()
    $ErrorArray = @()
    (Get-ChildItem $Folder -Directory -Recurse -ErrorAction SilentlyContinue | Select FullName) > $null
    if ($error) {
        $ErrorArray = $error + $ErrorArray # '+$ErrorArray' seems silly but not sure
        foreach ($err in $ErrorArray) {
            if ($err.FullyQualifiedErrorId -eq "DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand") {
                $FailedFolder = $err.TargetObject
                echo "Access Error on '$FailedFolder', attempting to fix" 
                Take-OwnershipOfOneFolder  $FailedFolder $MyDomain $MyAdmin
                if ($FailedFolder -ne $Folder) {
                    Test-AllSubFolders       $FailedFolder $MyDomain $MyAdmin
                } else {
                    echo "FAILED for $FailedFolder"
                }
}}}}

function Take-OwnershipOfOneFolder {
    # Take ownership of $Folder (takeown.exe /A /F) and also
    # give Full Control with "ContainerInherit,ObjectInherit" to 
    # $MyDomain\$MyAdmin and SYSTEM which result in also giving 
    # full control to files/folders under $Folder
    # IT DOES NOT RECURSE TO SUB-SUBFOLDERS OF $Folder
    param(
        [String]$Folder,
        [String]$MyDomain,
        [String]$MyAdmin
    )
    echo "    Calling: takeown.exe /A /F $Folder"
    $out = (takeown.exe /A /F $Folder)
    if ($out -notlike 'SUCCESS*') {
        echo "    FAILED takeown for '$Folder' (output of takeown follows)"
        echo $out
        return
    }

    echo "    Reading ACLs"
    $CurrentACL = Get-Acl $Folder
    
    echo "    Adding ACL: FullControll to NT Authority\SYSTEM"
    $SystemACLPermission = "NT AUTHORITY\SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow"
    $SystemAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $SystemACLPermission
    $CurrentACL.AddAccessRule($SystemAccessRule)
    
    echo "    Adding ACL: FullControll to $MyDomain\$MyAdmin for $Folder"
    $AdminACLPermission = "$MyDomain\$MyAdmin","FullControl","ContainerInherit,ObjectInherit","None","Allow"
    $SystemAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $AdminACLPermission
    $CurrentACL.AddAccessRule($SystemAccessRule)
    
    echo "    Setting ACL"
    Set-Acl -Path $Folder -AclObject $CurrentACL
}

function Take-OwnershipRecursively() {
    # Run this from an elevated powershell as user $MyDomain\$MyAdmin and it will
    # give ownership of $Folder and all its subfolders recursively to SYSTEM and 
    # $MyDomain\$MyAdmin and it will also give Full Control to $MyDomain\$MyAdmin
    # SYSTEM on any folders where it gets Access Denied and their files and subfolders
    # (It gives "FullControl","ContainerInherit,ObjectInherit")
   param(
        [String]$Folder,
        [String]$MyDomain,
        [String]$MyAdmin,
        [String]$LogFile
    )
    Start-Transcript $LogFile
    Take-OwnershipOfOneFolder $Folder $MyDomain $MyAdmin
    Test-AllSubFolders $Folder $MyDomain $MyAdmin
    Stop-Transcript
}