Sharing an advanced script that I have used for one of our projects. This script is compatible with PowerShell version 2.0 & 3.0.
There was a requirement from Backup Team that
- When they run the script on a particular folder it should recurse through all subfolders
- Take ownership of only those folders where the Backup account gets access denied
- Grant permissions to those folders so that backup can be taken.
- Log each & every change so they can track for which folders permissions were altered
Let me demonstrate the script with an example:
Create a Share folder Name Root:
Create Subfolders inside it
Now I will remove ownership & permissions randomly from the folders /sub folders/files inside these folders
After removing file ownership & permissions for backup account below will be the results for files:
After removing folder ownership & permissions for the backup account, below will be the results for folders:
Now edit the TakeOwnAddpermv1.ps1 powershell Script
$RootPath1 = “\\labfileserver\root”
$domain = “domain”
Now run the batch file Takeownperm.bat. It will ask you for the account that the script should grant ownership/access to (just enter the sAMAccountName).
Script will generate the logs inside the logs folders:
After execution you will be able to access the folders that were set to No access / had their ownership removed.
Download the zip file from the link below, extract it & follow the steps mentioned above.
https://gallery.technet.microsoft.com/scriptcenter/Take-Ownership-and-Grant-4228de8f
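###############################################################################
# Author: Vikas Sukhija (http://techwizard.cloud)
# Reviewer: Vikas Sukhija
# Date: 11/18/2015
# Review: 11/19/2015
# Modified: 11/19/2015 -- Add comments / Changed variables
# Modified: 11/19/2015 -- Add Recursion via Function
# Description: Change Ownership & Grant permissions
#              if Permissions are not present
#
# Walks $RootPath1 recursively. Every folder/file whose ACL cannot be read by
# the running account is handed to $domain\$User: takeown.exe first, then a
# FullControl ACE, then the owner is switched to that account. Each change and
# each failure is written under .\Logs (console transcript plus one file per
# category). takeown.exe /A writes the Administrators group as owner, so the
# script has to run under an administrative (elevated) account.
# NOTE(review): FullControl is wider than a backup job strictly needs; it is
# kept because that is what the original requirement granted - narrow it if
# read-only access is sufficient for the backup account.
###############################################################################
###############################Define Variables/Logs###########################
$RootPath1 = "\\labfsserver\root"
# Only used to build the "DOMAIN\user" identity for ACEs / NTAccount; a name
# that does not resolve fails when the ACL is written and is logged as a failure.
$User = Read-Host "Input the sAMAccountName of user :" ##A
$domain = "domain"
# Scratch file used to parse the error stream; drop a stale one from an earlier
# run so its records are not attributed to this run.
if(Test-path .\error.txt){Remove-Item .\error.txt -Force}
# Paths already handed to ChangeOwnRecursively. A folder whose takeover keeps
# failing would otherwise be rediscovered from the error stream and recursed
# into forever.
$script:VisitedPaths = @{}
#######################For Log Files########################
$date = get-date -format d
$date = $date.ToString().Replace("/", "-")
$time = get-date -format t
$time = $time.ToString().Replace(":", "-")
$time = $time.ToString().Replace(" ", "")
# Start-Transcript / Add-Content do not create the directory themselves.
if(-not (Test-Path .\Logs)){ New-Item .\Logs -ItemType Directory | Out-Null }
$logs = ".\Logs" + "\" + "FolderACL" + $date + "_" + $time + "_.txt"
$ErrorFile = ".\Logs" + "\" + "ErrorFile" + $date + "_" + $time + "_.txt"
$NewOwnerFile = ".\Logs" + "\" + "NewOwner" + $date + "_" + $time + "_.txt"
$ErrorFolders = ".\Logs" + "\" + "ErrorFolders" + $date + "_" + $time + "_.txt"
##############################Takeownership function#####################
# Take-Ownership
#   Arguments: $Folder - full path of a folder or file whose ACL the running
#              account could not read.
#   Effects:   takeown.exe /A makes the Administrators group the owner so the
#              ACL becomes readable, then a FullControl ACE for $domain\$User
#              is added (inheritable on folders, plain on files) and written
#              back with Set-Acl.
#   Errors:    nothing is caught here; takeown.exe / Get-Acl / Set-Acl failures
#              stay in $Error and the caller inspects $Error afterwards.
function Take-Ownership {
  param(
    [String]$Folder
  )
  # $Folder is passed as a single argument, so paths with spaces are safe.
  takeown.exe /A /F $Folder
  $CurrentACL = Get-Acl $Folder
  #write-host ...Adding NT Authority\SYSTEM to $Folder -Fore Green
  # Folders get an inheriting ACE so items created below them later are covered;
  # files use the three-argument rule form (inheritance flags are not allowed).
  $valtype = (Get-Item $Folder) -is [System.IO.DirectoryInfo]
  if($valtype -like $true){
    #$SystemACLPermission = "NT AUTHORITY\SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow"
    $AdminACLPermission = "$domain\$user","FullControl","ContainerInherit,ObjectInherit","None","Allow"
  }
  else{
    #$SystemACLPermission = "NT AUTHORITY\SYSTEM","FullControl","Allow"
    $AdminACLPermission = "$domain\$user","FullControl","Allow"
  }
  #$SystemAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $SystemACLPermission
  #$CurrentACL.AddAccessRule($SystemAccessRule)
  write-host ...Adding User account to $Folder -Fore Green
  $UserAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $AdminACLPermission
  $CurrentACL.AddAccessRule($UserAccessRule)
  Set-Acl -Path $Folder -AclObject $CurrentACL
}
##########################################################################
Start-Transcript -Path $logs
######################Traverse to the Child items Recursively############
# ChangeOwnRecursively
#   Arguments: $Rootpath - folder to walk.
#   Get-ChildItem -Recurse silently skips subtrees the running account may not
#   list. Those paths are recovered from the error stream (ReadError /
#   PermissionDenied records), written to $ErrorFolders, and walked again
#   after this level's ownership fixes have been applied. Every item that is
#   listed but cannot be read (Get-Acl / Get-ChildItem error) is passed to
#   Take-Ownership and then has its owner set to $domain\$User; success goes
#   to $NewOwnerFile, failure to $ErrorFile.
Function ChangeOwnRecursively ($Rootpath){
  # Guard against re-entering a path whose takeover already failed once.
  if($script:VisitedPaths.ContainsKey($Rootpath)){
    Write-host "Skipping $Rootpath : already processed" -foregroundcolor yellow
    return
  }
  $script:VisitedPaths[$Rootpath] = $true
  $Error.Clear()
  $shares = $null
  $shares = @()
  # @( ) so a single child is still a 1-element array; on PowerShell 2.0 a lone
  # FileInfo has no .Count and the loop below would be skipped.
  $Folders = @(get-childitem $Rootpath -Recurse -ea silentlycontinue)
  # Only these two error classes mean "a subtree was skipped".
  $countPf = $Error -match "The specified network name is no longer available"
  $countpf3 = $Error -match "Access to the path (.*) is denied."
  $count1 = $countPf.count
  $count2 = $countpf3.count
  $count = $count1 + $count2
  Write-host "Problematic folder count during recursion of $Rootpath $count" -foregroundcolor yellow
  if($error -ne $null){
    # The failing path is only available in the formatted error record
    # ("CategoryInfo : PermissionDenied: (<path>:String) [...]"), so the records
    # are dumped to a file and read back with Select-String. Element 5 of the
    # ':'-split line appears to be " (<path>" because Select-String prefixes the
    # absolute file path, line number and category text - TODO confirm on the
    # target host; a path that itself contains ':' would break this split.
    $Error | out-file .\error.txt
    $getshptherror1 = Select-String -Pattern "ReadError:" -Path .\error.txt
    $getshptherror2 = Select-String -Pattern "PermissionDenied:" -Path .\error.txt
    if($getshptherror1 -ne $null){
      $getshptherror1 | ForEach-Object{
        $getshare1 = $_ -split ":"
        $share1=$getshare1[5]
        $share2 = ($share1.replace("(","")).trim()
        $shares+= $share2
      }
    }
    if($getshptherror2 -ne $null){
      $getshptherror2 | ForEach-Object{
        $getshare2 = $_ -split ":"
        $share3=$getshare2[5]
        $share4 = ($share3.replace("(","")).trim()
        $shares+= $share4
      }
    }
  }
  if($error -ne $null){
    Add-Content $ErrorFolders "$shares"
    $shares
  }
  if(Test-path .\error.txt){Remove-Item .\error.txt -Force}
  $Error.Clear()
  if($Folders.count -gt 0){
    Foreach($Folder in $Folders) {
      $Folder
      # Reset per item: the "has rights" test below treats $null as "no error".
      $citerror1 = $null
      $citerror2 = $null
      $permission = get-acl $Folder.FullName -ErrorAction SilentlyContinue
      $citem1= get-childitem $Folder.FullName -ErrorAction SilentlyContinue
      if($error -ne $null) {
        # -match on $Error yields an (possibly empty) array, never $null, so any
        # error on this item sends it to the takeover branch below.
        $citerror1 = $Error -match "The specified network name is no longer available"
        $citerror2 = $Error -match "Attempted to perform an unauthorized operation"
        Write-host "Folder/file $folder can't be browsed" -foregroundcolor yellow
      }
      #####################If Permissions found#########################
      if(($permission) -and ($citerror1 -eq $null) -and ($citerror2 -eq $null)) {
        Write-Host "User $user has rights on $folder" -foregroundcolor green
      }
      Else {
        Write-Host "$User doesn't have any permission on $Folder" -foregroundcolor Magenta
        $FolderPath = $Folder.FullName
        $FolderPath
        $error.clear()
        Take-Ownership ($FolderPath)
        if($error -ne $null) {
          Write-host "Take ownership /access operation failed" -foregroundcolor Yellow
          Add-Content $ErrorFile "Complete path : $FolderPath : Take ownership /access operation failed for $user"
        }
        else {
          # Ownership was taken by Administrators (takeown /A); hand it to the
          # requested account so the change is attributable to it.
          $Acl = get-acl $Folder.FullName
          $UserAccess = New-Object System.Security.Principal.NTAccount("$domain", "$User")
          $ACL.SetOwner($UserAccess)
          Set-Acl -Path $Folder.FullName -AclObject $Acl
          Add-Content $NewOwnerFile "Complete path : $FolderPath New Owner is $User "
          Write-host "$FolderPath New Owner is $User" -foregroundcolor Green
        }
      }
      $error.clear()
      $permission = $null
      $citem1 = $null
      $citerror1 = $null
      $citerror2 = $null
    }
  }
  # Second pass over the subtrees Get-ChildItem could not enter; by now their
  # top-level folders have been taken over in the loop above.
  if($shares -ne $null){
    $shares | ForEach-Object { ChangeOwnRecursively $_ }
  }
}
ChangeOwnRecursively $RootPath1
Stop-Transcript
##################################################################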