I have a bunch of user directories on a Unix server not attached to active directory, but, nearly all the directories are named the same thing as their username in AD. I'm migrating my file server over to Windows, which is bound to AD, but the permissions aren't moving over.
What I need to do is somehow chown (takeown) all the directories in that user folder over to their AD user. In *nix, I'd do something like this:
cd /home
find * --max-depth 0 -exec chown -R {} {} \;
But I can't seem to find anything with PowerShell that will do it. I get 90% of the way there, but end up with errors that it can't assign ownership, etc. This MAY be due to the SeRestorePrivilege, etc, but setting those doesn't seem to help either.
Does anyone have a suggestions, a solution, etc?
File ownership doesn't matter as much in Windows as it does in Linux/Unix, because Windows ACLs are far more versatile than traditional Unix permissions. Just pass ownership to the Administrators group and grant full permissions to SYSTEM, the Administrators group, and the user whose directory it is, replacing the existing permissions. Use takeown and icacls to do so.
Get-ChildItem 'D:\home' -Directory | ForEach-Object {
$path = $_.FullName
$user = $_.Name
& takeown /f "$path" /r /a
& icacls "$path" '/grant:r' 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "DOMAIN\${user}:(OI)(CI)F"
}
Add read/execute permissions for other users/groups as you see fit.
Related
I am using ShareGate to migrate data from our network drive to our 365 SharePoint sites.
When doing a migration for certain folders I am getting errors that the SharePoint library cannot contain more than 50,000 unique permissions.
We primarily use security groups to add permissions to folders on the network drive but after the years we have had this data a lot of permissions are messed up and don't even allow admin accounts to change them.
To get around them I am using psexec to open powershell as NT Authority\System and run the following command to make Administrator owner of all the files/folders.
takeown /d Y /a /r /f "folder path"
After doing that I use icacls with the following two commands:
icacls "Folder path" /inheritancelevel:e /t /c /q
icacls "Folder path" /grant "username":f /t /c /q
For username I will use an administrator account to reduce issues with sharegate migration.
This has allowed access to all the files/folders within a main folder of a network drive, but after doing so I get errors for the 50k unique permissions.
I believe I've narrowed it down to icacls making every permission unique when I force add the username with full access. I have tried resetting permissions and forcing inherited permissions which will work for the folders and subfolders, but the files will not take the parent permissions and still recreate the permissions that they had before.
I am currently using powershell v2.0 on a windows server 2008 R2. I have ShareGate version 16.0.0
I installed powershell version 5.0 but have to restart the server after hours tonight so it can do the update and install.
Does anyone know how I would be able to make all permissions the same for future folders and also fix the current permissions so none are unique?
world !
I'm very new to the scripting world but I'm currently trying to automate a process a work that involves in moving a folder and its contents to the windows directory on C:.
currently, I have this
Copy-Item -Path "C:\Java Config Files*" -Destination "C:\Windows\" -R
it's returning with an error message
Copy-Item : Access to the path 'C:\Windows\Java Config Files' is denied.
any thoughts how I can elevate privileges without having to run the script as admin? or if there is a cmdlet that could achieve this?
fixed by running as admin by adding runAS cmdlet
I'm getting the information I need out of the line, although when I go to export the information, I get an error.
When I run this code:
get-process | Export-csv -Path "C:\export.csv" -NoTypeInformation
I get this error:
Export-csv : Access to the path 'C:\export.csv' is denied.
At line:1 char:14
+ get-process | Export-csv -Path "C:\export.csv" -NoTypeInformation
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How can I export to CSV?
You need to use an admin console or change the location of the csv file to C:\temp or something. The home drive require admin permissions.
EDIT:
The elevation requirement is only with system directories like:
C:\
C:\Windows
C:\Program Files
C:\Program Files (x86)
C:\Users
Notice that you can change C:\Users\<YourUserName> but not any other directories under C:\Users. Windows was built for multiple users even if you may be the only one using it. The above directories are common for all users and changing its contents would effectively change the Windows environment for other users too since windows rely on the integrity of these directories. Allowing a normal user to delete/modify/add files to these could have dangerous results for the OS and other people who use it.
So it tries to makes sure that only an Admin user is authorized to make changes to it. It is also the same reason why you get prompted for admin permissions when installing a software. It is installed to C:\Program Files or C:\Program Files (x86), make changes to the registry and is available to all users of that computer. Same with removing it. If a program does not require to do that, it doesn't require admin privileges. Eg: Portable softwares. Some programs only use the user directory or users temp directory C:\Users\<Username>\AppData\Local\Temp. Such programs are only available to the user that installed it.
If you have a custom directory like C:\myGames, adding files to it wont require elevation. So C:\Temp is just another directory like that. You will also notice that C:\ will let a normal user create a folder but not a file.
SUMMARY: Any changes that affect other user directories or the windows environment will require admin rights. Others don't.
In my case, the error occurred because I failed to specify the file name. The correct syntax is;
Export-Csv -path ".\targetList.csv"
and not -path "."
I wanted to ask how one would check who has access to subfolders in a certain directory on a server using either the CMD or Powershell?
For NTFS permissions I like to use the NTFSSecurity PowerShell Module as the output is similar to the windows permissions GUI.
It has simple commands for adding and removing permissions, which is an ugly process using the standard acls commands!
To see current NTFS permissions using this module:
Get-NTFSAccess -Path "\\server\share\folder"
Which would give an output like this:
You are looking for icacls. From cmd type icacls directoryname /t replacing directoryname with the actually directory name to display all of the access permissions for the directory and subdirectories. The /t flag specifies to look in subdirectories. For more info just type in icacls into cmd or look at this link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
I am having problems with a powershell script i basically trying to reset the permission on a folder, by removing the following groups
NT AUTHORITY\Authenticated Users
BUILTIN\Users
If i manually change the folder to not inherit from it parent the script works, I have look through google to find best way of removing the inheritance via a script the script compiles but not do anything.
This is the command i am using
$WebsiteACL =Get-Acl -Path "C:\websites"
$WebsiteACL.SetAccessRuleProtection($true,$false)
Does anyone have any sugestion?
Personally I find Get-Acl and Set-Acl still too much of a PITA to use (and I'm a C# dev). You can use icacls.exe to accomplish your task easily:
icacls C:\temp\foo /inheritance:d
It also supports removing groups. Check out its usage: icacls /?.
Get-Acl/Set-Acl can be a royal pain unless you're the owner of the object you're trying to change permissions on -- even if you're an Administrator. If you want to change an ACL on an object you don't own you have to have the SeBackupPrivilege enabled for your identity/account. The only easy way I know of to modify system privileges is install PowerShell Community Extensions and use Get/Set-Privilege. I really don't understand why this limitation exists but it does.
With that said, using icacls works very well under most conditions. There is a bug if you're setting permissions on a directory accessed through a share with Access Based Enumeration enabled. Everyone does this right? ;)
Touching a directory underneath an ABE controlled share with icacls causes the directory to disappear even if you still have permissions to that directory. If you use the Windows Explorer ACL editor to read and (re)apply the permissions set with icacls the directory is visible again.
After much head scratching it was determined that icacls was doing something to the synchronize bit. Without synchronize ABE causes the directory to be invisible. The simplest workaround would be to not use ABE but in our environment disabling ABE is not an option.
Another solution is use SetACL.exe which you can download from SourceForge. It has a very complicated syntax, imho, but is really powerful. It's also available as a OCX so you can script it via PowerShell.