take ownership & add rights to path without removing rights

    by Milo at 2013-02-27 06:55:42

    I ran into a UNC drive path where a user took ownership of the full path & destroyed our domain admin & storage mgt ownership.
    I had to perform a task (see other post) & ran into access denied on that scope.

    I searched on the net for helpful code in PowerShell to ease my work.
    I ran into the script on http://www.definit.co.uk/2012/02/powers ... rmissions/

    It is somewhere very nice, but it does not do the whole bunch of folders... I think the PowerShell variable did not have enough memory... I do not know.
    ...

    I slightly modified the script...

    Is there anyone who can review my code please?

    Thx

    Function main
    {
        param ([Parameter(Mandatory=$true, Position=0)][String]$RootPath,
               [Parameter(Mandatory=$true, Position=1)][string]$Log)

        function Take-Ownership {
            param(
                [String]$Folder
            )
            # /A gives ownership to the Administrators group, /R recurses, and
            # /D n answers "no" (skip) when the current user lacks List Folder permission on a subfolder
            takeown.exe /A /F $Folder /R /D n
            $CurrentACL = Get-Acl $Folder
            write-host ...Adding Storage Management to $Folder -Fore Yellow
            $SystemACLPermission = "YourDomain\Storage Management","FullControl","ContainerInherit,ObjectInherit","None","Allow"
            $SystemAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $SystemACLPermission
            # AddAccessRule adds to the existing ACL; rules already present are kept
            $CurrentACL.AddAccessRule($SystemAccessRule)
            write-host ...Adding Domain Admins to $Folder -Fore Yellow
            $AdminACLPermission = "YourDomain\Domain Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow"
            $SystemAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $AdminACLPermission
            $CurrentACL.AddAccessRule($SystemAccessRule)
            Set-Acl -Path $Folder -AclObject $CurrentACL
        }

        function Test-Folder($FolderToTest)
        {
            $error.Clear()
            $ErrorArray = @()
            # Walk the tree; access-denied errors are collected in $error
            Get-ChildItem $FolderToTest -Recurse -ErrorAction SilentlyContinue | Select FullName
            if ($error)
            {
                $ErrorArray = $error + $ErrorArray
                foreach ($err in $ErrorArray)
                {
                    if($err.FullyQualifiedErrorId -eq "DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand")
                    {
                        Write-Host Unable to access $err.TargetObject -Fore Red
                        Write-Host Attempting to take ownership of $err.TargetObject -Fore Yellow
                        # Two separate calls: fix the folder, then re-test it
                        Take-Ownership($err.TargetObject)
                        Test-Folder($err.TargetObject)
                    }
                }
            }
        }
        Start-Transcript $Log
        # The elements are already plain strings here, so Select-Object -Skip 1 discards the first folder of the list
        $Folderlist= Get-ChildItem $RootPath | ?{ $_.PSIsContainer } | Select-Object FullName | ForEach-Object {$_.FullName} | Out-String -stream | select-object -skip 1
        foreach ($Folder in $Folderlist)
        {
            Take-OwnerShip $Folder
            Test-Folder $Folder
        }
        Stop-Transcript
    }
    main

    by DonJ at 2013-02-27 07:29:57

    What are you looking for in a review? I'm not able to run your code myself, but if you're having a specific problem I'd be happy to try and help you figure it out.

    by Milo at 2013-03-19 06:37:03

    Well, as far as I see, my script doesn't work as it should.
    It takes ownership & sets my admins with full control, but not on the entire tree...
    Sometimes I see folders that are skipped, folders that still have an access denied for some obviguous reason...
    This is why I seek help 🙁
    I even tried to set takeown.exe /A /F $Folder /R /D y ..... still no fully working script 🙁

    by poshoholic at 2013-03-19 10:32:20

    Are there any hidden files or folders in your UNC path? You need to use the -Force parameter with Get-ChildItem in order to get hidden files or folders.

    Also, if this is an isolated incident, I'd be inclined to use native tools to fix the problem rather than PowerShell.

    by Milo at 2013-03-21 08:10:14

    First of all... not an isolated incident 🙁
    Well, somewhere your tip helps for some folders, but other ones still are not taken into account.
    By rerunning the script, sometimes these are accessible (to me as admin again), sometimes... no luck.
    Or sometimes I need to adapt my path for the script to take more folders into consideration...

    Really stuck here...
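
An added example, not code from any poster in this thread: one way to walk the tree so that hidden folders are included (the -Force tip above), no folder is dropped from the list, and ownership is taken only on folders that cannot be read, with the FullControl rules added on top of the existing ACL. Assumptions: PowerShell 3.0 or later, an elevated session, the placeholder group names from the posted script, and a hypothetical function name `Repair-TreeAccess`.

```powershell
function Repair-TreeAccess {                       # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$RootPath,
        # Placeholder group names, as in the posted script
        [string[]]$Principals = @('YourDomain\Storage Management', 'YourDomain\Domain Admins')
    )
    $rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # Explicit queue instead of recursion: every folder is visited exactly once
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($RootPath)
    $repaired = @()

    while ($queue.Count -gt 0) {
        $dir = $queue.Dequeue()
        $children = @()
        try {
            # -Force includes hidden and system items
            $children = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction Stop)
        }
        catch {
            if ($_.Exception -isnot [System.UnauthorizedAccessException]) {
                Write-Warning "Skipping ${dir}: $($_.Exception.Message)"
                continue
            }
            if (-not $PSCmdlet.ShouldProcess($dir, 'Take ownership and add FullControl rules')) { continue }
            takeown.exe /A /F $dir | Out-Null       # owner becomes the Administrators group
            if ($LASTEXITCODE -ne 0) { Write-Warning "takeown failed on $dir"; continue }
            $acl = Get-Acl -LiteralPath $dir
            foreach ($p in $Principals) {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($p, $rights, $inherit, $noProp, $allow)
                $acl.AddAccessRule($rule)           # adds to the DACL; existing rules stay
            }
            Set-Acl -LiteralPath $dir -AclObject $acl
            $repaired += $dir
            $children = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)
        }
        foreach ($c in $children) {
            if ($c.PSIsContainer) { $queue.Enqueue($c.FullName) }
        }
    }
    $repaired   # folders whose ACL was changed, for logging
}
```

Running it with -WhatIf first lists the folders it would change without touching them; the returned list gives a record of every ACL that was modified.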
