Attempting to set the owner of a folder as Domain Admins and force inheritance on all sub-folder/files. Using a combination of scripts I've found:

$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $DomainAdmins;

#Get a list of folders and files
$ItemList = Get-ChildItem -Path $Dir -Recurse;

#Iterate over files/folders
foreach ($Item in $ItemList) {
    $Acl = $null; # Reset the $Acl variable to $null
    $Acl = Get-Acl -Path $Item.FullName; # Get the ACL from the item
    $Acl.SetOwner($Account); # Update the in-memory ACL
    $isProtected = $false 
    $preserveInheritance = $false
    $Acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
    Set-Acl -Path $Item.FullName -AclObject $Acl;  # Set the updated ACL on the target item
}

Error: Set-Acl : Cannot bind argument to parameter 'AclObject' because it is null.

Some folders assign properly, however, not all. I suspect it breaks where there is no owner (possibly an account that's been removed from AD).

Any ideas on how to approach this?

Jonathan
    I would suggest looking at the [NTFSSecurity](https://github.com/raandree/NTFSSecurity) module. It is much easier than using the in-built ACL commands. There are some docs [here](https://learn.microsoft.com/en-us/archive/blogs/fieldcoding/ntfssecurity-tutorial-1-getting-adding-and-removing-permissions) and [here](https://ntfssecurity.readthedocs.io/en/latest/). – Ash Sep 02 '21 at 20:43
  • Thanks. Best guess at this point is there are long file path names in the directories. This will likely help. – Jonathan Sep 15 '21 at 16:56
  • Yes, that module uses the Alphaleonis library that works around the Windows restriction on path name limits. – Ash Sep 15 '21 at 17:01
  • Sounds good. Thanks, I'll let you know how it goes. – Jonathan Sep 15 '21 at 18:31
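The error in the question appears when `Get-Acl` fails on an item (a non-terminating error, so the loop carries on) and `$Acl` is still `$null` when `Set-Acl` runs. The following is an added example, not the asker's script or anything from the thread: the same owner/inheritance pass with the failure handling the original loop lacks, a record of every path it could not process, and a verification pass at the end. `$DomainAdmins` and `$Dir` are placeholder values. Assigning ownership to a principal other than yourself requires the restore privilege that members of Administrators hold in an elevated session, so run it elevated.

```powershell
# Added example (not the asker's script): owner + inheritance pass with
# error handling. $DomainAdmins and $Dir are assumed placeholders.
$DomainAdmins = 'CONTOSO\Domain Admins'   # placeholder
$Dir          = 'D:\UserHomes'            # placeholder

$Account = [System.Security.Principal.NTAccount]::new($DomainAdmins)
$Failed  = [System.Collections.Generic.List[object]]::new()

# Include the root itself; the original loop only touched its children.
$Items = @(Get-Item -LiteralPath $Dir) + @(Get-ChildItem -LiteralPath $Dir -Recurse -Force)

foreach ($Item in $Items) {
    try {
        # -ErrorAction Stop turns a Get-Acl failure (path too long, access
        # denied) into an exception. Without it $Acl stays $null and Set-Acl
        # reports "Cannot bind argument to parameter 'AclObject' because it
        # is null", the symptom in the question.
        $Acl = Get-Acl -LiteralPath $Item.FullName -ErrorAction Stop
        $Acl.SetOwner($Account)
        # ($false, $false): re-enable inheritance from the parent. The second
        # argument only matters when protection is being turned on.
        $Acl.SetAccessRuleProtection($false, $false)
        Set-Acl -LiteralPath $Item.FullName -AclObject $Acl -ErrorAction Stop
    }
    catch {
        $Failed.Add([pscustomobject]@{
            Path   = $Item.FullName
            Length = $Item.FullName.Length   # > 259 points at the MAX_PATH limit
            Error  = $_.Exception.Message
        })
    }
}

# Verification pass: list anything still owned by another principal or still
# protected from inheritance, so the run is audited rather than assumed.
$Items | ForEach-Object {
    $Acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
    if ($Acl -and ($Acl.Owner -ne $DomainAdmins -or $Acl.AreAccessRulesProtected)) {
        [pscustomobject]@{
            Path      = $_.FullName
            Owner     = $Acl.Owner
            Protected = $Acl.AreAccessRulesProtected
        }
    }
}

# Paths the pass could not touch, with the reason and the path length.
$Failed | Format-Table -AutoSize
```

The `Length` column makes the long-path theory from the comments checkable: items that fail with a length above 259 are hitting the classic path limit in Windows PowerShell, which the NTFSSecurity module mentioned above works around.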

2 Answers

Check the SetOwner() method for setting the owner of a folder

# Define the owner account/group
$Account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'BUILTIN\Administrators';

# Get a list of folders and files
$ItemList = Get-ChildItem -Path c:\test -Recurse;

# Iterate over files/folders
foreach ($Item in $ItemList) {
    $Acl = $null; # Reset the $Acl variable to $null
    $Acl = Get-Acl -Path $Item.FullName; # Get the ACL from the item
    $Acl.SetOwner($Account); # Update the in-memory ACL
    Set-Acl -Path $Item.FullName -AclObject $Acl;  # Set the updated ACL on the target item
}

Specify Inheritance in FileSystemAccessRule()

$Acl = Get-Acl "\\R9N2WRN\Share"

$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")

$Acl.SetAccessRule($Ar)
Set-Acl "\\R9N2WRN\Share" $Acl

Check SO1 and SO2 for further related information.

SaiSakethGuduru
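The answer above shows how to set the owner and how to express inheritance flags on a rule. Before rewriting ACLs across a tree, it is worth knowing which items actually have a dangling owner (the asker's hypothesis) and which have inheritance switched off. The following audit is an added example, not code from the answer or the module it links: it asks each item for its owner as a raw SID, attempts to resolve the SID, and reports unresolved owners alongside items whose ACL is protected. `$Dir` is a placeholder. Note that an unresolvable owner SID does not by itself make `Get-Acl` fail; it simply returns the SID string, so this separates the two possible causes.

```powershell
# Added example (not the answer's code): report orphaned owners and
# inheritance-protected items under $Dir. $Dir is an assumed placeholder.
$Dir = 'D:\UserHomes'   # placeholder

Get-ChildItem -LiteralPath $Dir -Recurse -Force | ForEach-Object {
    $Acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
    if (-not $Acl) { return }   # Get-Acl itself failed (e.g. path too long); skip

    # Ask for the raw SID rather than the display name, then try to map it back.
    $Sid = $Acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    try {
        $OwnerName = $Sid.Translate([System.Security.Principal.NTAccount]).Value
        $Orphaned  = $false
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # The account behind this SID no longer exists in AD or locally.
        $OwnerName = $Sid.Value
        $Orphaned  = $true
    }

    [pscustomobject]@{
        Path      = $_.FullName
        Owner     = $OwnerName
        Orphaned  = $Orphaned
        Protected = $Acl.AreAccessRulesProtected                       # $true = inheritance disabled
        Explicit  = @($Acl.Access | Where-Object { -not $_.IsInherited }).Count
    }
} | Where-Object { $_.Orphaned -or $_.Protected } | Format-Table -AutoSize
```

The `Explicit` count is useful when deciding whether re-enabling inheritance is enough: items with explicit entries keep those entries after `SetAccessRuleProtection($false, $false)`, so they still need to be reviewed.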

We will end up using this, even though it's not handling the long file paths correctly.

Import-Module -Name NTFSSecurity

# Remove inheritance on user's root folder
Get-Item $UserRoot | Disable-NTFSAccessInheritance

# Add Domain Admins to user's root folder
Add-NTFSAccess -Path $UserRoot -Account 'BUILTIN\Administrators', 'yourDomain\Domain Admins' -AccessRights FullControl

# Set inheritance on all sub-folders in the user's directory
Get-ChildItem -Path $UserRoot -Recurse | Enable-NTFSAccessInheritance -PassThru

Jonathan