Grant-FileOwnership

Discussion in 'Scripting' started by GodHand, Jan 1, 2018.

    A friend wanted a PowerShell script that would take ownership of, and set access controls on, single files and (recursively) directories, even ones owned by TrustedInstaller. He did not want any process-token cmdlets or modules bundled with it; he just wanted a simple script to do it. So I wrote him a simple function that does what he wants, and I figured I'd toss it up here for anyone who wants it.

    Code:
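    Function Grant-FileOwnership
    {
        <#
        .SYNOPSIS
            Takes ownership of one file or directory and grants FullControl on it to the chosen account.
        .DESCRIPTION
            Runs takeown.exe against the path, then sets the owner and adds an Allow/FullControl
            rule for the chosen account with Set-Acl. Run it from an elevated session.

            The previous owner and ACL are overwritten, not saved. For items owned by
            TrustedInstaller this removes the protection that ownership provided, so keep a
            copy of the original security descriptor if the change has to be reverted.
        .PARAMETER Path
            File or directory to change. Treated literally: wildcard characters are not expanded,
            so exactly one item is changed per call (plus its children with -Recurse).
        .PARAMETER UserAccount
            'Administrators' for the local Administrators group, or 'CurrentUser' (the default)
            for the account running the function.
        .PARAMETER Recurse
            Directories only. Takes ownership of every child item and makes the new rule
            inheritable by children.
        #>
        [CmdletBinding()]
        Param
        (
            [Parameter(Mandatory = $true,
                       ValueFromPipeline = $true,
                       ValueFromPipelineByPropertyName = $true)][ValidateNotNullOrEmpty()][string]$Path,
            # The default must be a member of the ValidateSet: defaults are not validated, and any
            # other value would match no branch of the account switch below.
            [ValidateSet('Administrators', 'CurrentUser')][string]$UserAccount = 'CurrentUser',
            [switch]$Recurse
        )

        Begin
        {
            $ErrorActionPreference = 'Stop'
        }
        Process
        {
            # Validate the target before anything is modified.
            $IsLeaf = Test-Path -LiteralPath $Path -PathType Leaf
            $IsContainer = Test-Path -LiteralPath $Path -PathType Container
            If (-not ($IsLeaf -or $IsContainer))
            {
                Write-Error -Message "Cannot find path '$Path' because it does not exist." -Category ObjectNotFound
                Return
            }
            If ($IsLeaf -and $Recurse)
            {
                Write-Error -Message "Only directories and subdirectories can be granted ownership of recursively." -Category InvalidOperation
                Return
            }

            Switch ($UserAccount)
            {
                'Administrators' { $User = "Administrators" }
                'CurrentUser'    { $User = "$env:userdomain\$env:username" }
            }

            # Build the takeown arguments only now, so the recursive form runs only when -Recurse
            # was requested, and /A (owner = Administrators group) only when that account was chosen.
            $TakeownArgs = @('/F', $Path)
            If ($UserAccount -eq 'Administrators') { $TakeownArgs += '/A' }
            If ($Recurse) { $TakeownArgs += '/R', '/D', 'Y' }

            # Call takeown by full path: this runs elevated, so it should not depend on PATH lookup.
            $TakeownExe = Join-Path -Path $env:SystemRoot -ChildPath 'System32\takeown.exe'
            $null = & $TakeownExe @TakeownArgs
            # A failing native command does not raise a PowerShell error; check its exit code.
            If ($LASTEXITCODE -ne 0)
            {
                Write-Error -Message "takeown.exe failed for '$Path' (exit code $LASTEXITCODE)." -Category PermissionDenied
                Return
            }

            $ACL = Get-Acl -LiteralPath $Path
            $Account = New-Object System.Security.Principal.NTAccount($User)
            $Rights = [System.Security.AccessControl.FileSystemRights]"FullControl"
            # With -Recurse the rule is inheritable. Children that have inheritance disabled do not
            # receive it; only their ownership is changed (by takeown /R).
            If ($Recurse)
            {
                $Inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
            }
            Else
            {
                $Inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
            }
            $Propagation = [System.Security.AccessControl.PropagationFlags]"None"
            $Type = [System.Security.AccessControl.AccessControlType]"Allow"
            $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, $Inheritance, $Propagation, $Type)
            $ACL.SetAccessRule($Rule)
            $ACL.SetOwner($Account)
            # Write the modified descriptor back in every branch, including the recursive one.
            $ACL | Set-Acl -LiteralPath $Path

            # Report per item, and only after the change was actually written.
            $ACL | Format-List
            Write-Verbose "Ownership and access control of $Path successfully granted to $User." -Verbose
        }
    }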
    
    The syntax is:

    Grant-FileOwnership -Path "Path to file or directory" [-UserAccount <Administrators|CurrentUser>] [-Recurse]