How do I change the owner of a folder with Powershell when Get-Acl returns "Access Denied"?

Asked 21/11, 2011 at 18:20 Answered 16/8, 2017 at 16:10

I have a question about Get-Acl in Powershell. I keep getting the error message, "Access to the path is denied". I want to change the owner of the folder to myself and then give myself full permissions to the folder using Powershell. Here's the line of code giving me the error:

$acl = Get-Acl "C:\SomeFolder"

I am using Windows Explorer to set the permissions on "SomeFolder" before running the script. They are as follows:

no entries in the access control list
owner is not myself

I do not receive the error message if I make myself the owner using the Windows Explorer GUI before running the Powershell script. I don't understand why I am allowed to change the owner with Windows Explorer but not using Powershell? I have full admin rights on this machine. Windows 7, Powershell 2.0, .NET 3.5.

I'm assuming the only way to change the owner is to use Get-Acl, set owner on the ACL, then use Set-Acl to write it back to the folder. If there is another way, please let me know? How can I change the owner of the folder using Powershell?

Luci answered 21/11, 2011 at 18:20 Comment(0)

Windows Vista and up include a command-line tool named takeown.exe which can be used from an elevated command prompt (or elevated powershell console) to change the ownership of a file system object.

takeown /F "C:\SomeFolder" /R /D Y

should give you ownership on C:\SomeFolder and the file system objects it contains.

Rattletrap answered 21/11, 2011 at 20:35 Comment(1)

You can also use icacls I believe on Windows 7 with the /setowner switch. Just to mention an alternative to takeown.exe. – Sullen 16/8, 2017 at 21:31

I have some system configuration scripts from our build guy and I recall a note about the Get-Acl command "not working well on certain paths".

# NOTE: This method does not work well?
#$acl = Get-Acl -Path $Path

The kinds of paths we were setting permissions on were empty folders created by an administrator user later captured in a disk image. This is the PowerShell command that we used instead.

$acl = (Get-Item $path).GetAccessControl("Access")

Oh, and it gets real obscure once you have an ACL object. I don't know if this is the best way to do it, but it's a snippet from the same script I refer to above.

$acl = (Get-Item $path).GetAccessControl("Access")

# Setup the access rule.
$allInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit", "ObjectInherit"
$allPropagation = [System.Security.AccessControl.PropagationFlags]"None"
$AR = New-Object System.Security.AccessControl.FileSystemAccessRule $user, $permissions, $allInherit, $allPropagation, "Allow"

# Check if Access already exists.
if ($acl.Access | Where { $_.IdentityReference -eq $User}) 
{
    $accessModification = New-Object System.Security.AccessControl.AccessControlModification
    $accessModification.value__ = 2
    $modification = $false
    $acl.ModifyAccessRule($accessModification, $AR, [ref]$modification) | Out-Null
} 
else 
{
    $acl.AddAccessRule($AR)
}

Set-Acl -AclObject $acl -Path $Path

Unbeknown answered 22/11, 2011 at 0:21 Comment(4)

Thank you for responding. I still get the access denied message on the first line of code. $acl = (Get-Item $path).GetAccessControl("Access") I've even tried all of the possible arguments that the GetAccessControl method accepts (None,Audit,Owner,Access,Owner,Group,All ). But still no luck, access denied. – Luci 22/11, 2011 at 15:46

You've gotta have a fundamental user permission problem. Start trying the command on different directories (dirs in Windows\, dirs the same user created, etc). – Unbeknown 22/11, 2011 at 16:18

You are correct. I had a permission problem. Thanks! I used the whoami /priv cmdlet. I found out that I did not have SeTakeOwnershipPrivilege enabled. It is very messy to enable it using powershell. Here is an example about how to enable it link After enabling the privilege, I created a new ACL, set the owner on that new acl, and finally used set-acl to save the ACL back to the folder. thanks for your help – Luci 22/11, 2011 at 20:5

Please be liberal with your upvotes. It helps indicate to late-comers that you got some help from this answer. – Unbeknown 23/11, 2011 at 23:15

the above code worked great. wanted to post a tweak for recursively going through directory and filling in some "missing"

$HomeFolders = Get-ChildItem "put your directory root here" -Directory -recurse
foreach ($HomeFolder in $HomeFolders) {
    $Path = $HomeFolder.FullName
    $acl = (Get-Item $Path).GetAccessControl('Access')
    $allInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit", "ObjectInherit"
    $allPropagation = [System.Security.AccessControl.PropagationFlags]"None"
    $permissions = "FullControl"
    $Username = "<put your name here>"
    $AR = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, $permissions, $allInherit, $allPropagation, "Allow")
    if ($acl.Access | Where { $_.IdentityReference -eq $Username}) 
    {
        $accessModification = New-Object System.Security.AccessControl.AccessControlModification
        $accessModification.value__ = 2
        $modification = $false
        $acl.ModifyAccessRule($accessModification, $AR, [ref]$modification) | Out-Null
    } 
    else 
    {
        $acl.AddAccessRule($AR)
    }
    Set-Acl -path $Path -AclObject $Acl
}

Spondylitis answered 16/8, 2017 at 16:10 Comment(0)

Recommended topics

Hot tags