Windows – Force ownership of folder structure without replacing other permissions – Windows Server 2008 R2 – takeown is erasing all other permissions

icacls permissions robocopy windows

Logged on as local Administrator. Trying to put Administrator as owner of all files and folders on a drive. The drive contains an existing folder structure with securities/permissions/acls copied from another server using robocopy which is why the local administrator or administrators group does not have access to all folders. This happens at various places where the inheritance has been broken.

If I use icacls /setowner, I get access denied at the broken inheritance. If I use the takeown command, it works to force taking ownership, but it also removes all other permissions resulting in only the local administrator being listed in the permissions. I need to preserve the existing permissions, but take ownership so my other restore and copy jobs don't fail at the broken inheritance points.

Best Answer

Ended up achieving what I wanted with SetACL. I wrote the following script which ripped through the entire folder structure and files, and gave ownership to the local Administrators group, then went through again and added a full control ACE for our IT domain group. It did this without replacing or removing the existing permissions/ACEs (other than replacing the owner), and I didn't get any access denied errors:

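setlocal

REM Arguments: %1 = log directory, %2 = target directory, %3 = log file name suffix.
REM %~1 and %~3 strip surrounding quotes, because both values are re-quoted in -log below.
REM %2 is passed to -on exactly as given: quote it at the call if the path contains spaces.
set logDir=%~1
set targetDir=%2
set logFileName=%~n2
set logFileNameEnding=%~3

REM Pass 1: set the owner to BUILTIN\Administrators (S-1-5-32-544) on every container and object.
SetACL.exe -on %targetDir% -ot file -actn setowner -ownr "n:S-1-5-32-544;s:y" -rec cont_obj -log "%logDir%\%logFileName%-TAKEOWN-%logFileNameEnding%.txt" -silent

REM Pass 2: add a full-control ACE for the IT domain group to the DACL.
SetACL.exe -on %targetDir% -ot file -actn ace -ace "n:domain\group;p:full;s:n;m:set;w:dacl" -rec cont_obj -log "%logDir%\%logFileName%-ADD-DOMAIN-GROUP-%logFileNameEnding%.txt" -silent

endlocal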
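A way to check the result afterwards, as an added example that is not part of the original answer: it compares the SDDL form of a path's security descriptor before and after the change and reports anything other than the new owner and the one added full-control ACE. It assumes you have both SDDL strings for the same path (for example, the "before" value exported on the source server the ACLs were copied from); the SIDs and descriptors below are constructed samples, and `parse` and `check` are names made up for this example.

```python
import re
from collections import Counter

# Owner, primary group, DACL flags and DACL ACEs of an SDDL string (SACL ignored).
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>S-[\d-]+|[A-Z]{2}))?"
    r"(?:G:(?P<group>S-[\d-]+|[A-Z]{2}))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<daces>(?:\([^()]*\))*))?"
    r"(?:S:.*)?$"
)
ADMINS = {"BA", "S-1-5-32-544"}    # BUILTIN\Administrators, alias and SID form
FULL_CONTROL = {"FA", "0x1f01ff"}  # file full-access right, alias and hex mask

def parse(sddl):
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unrecognised SDDL: " + sddl)
    aces = re.findall(r"\(([^()]*)\)", m.group("daces") or "")
    return m.group("owner"), m.group("dflags") or "", Counter(aces)

def check(before, after, added_sid):
    """Return findings; an empty list means only the owner changed and the
    only new ACE is allow/full-control for added_sid."""
    _, flags_b, aces_b = parse(before)
    owner_a, flags_a, aces_a = parse(after)
    findings = []
    if owner_a not in ADMINS:
        findings.append("owner is %s, not Administrators" % owner_a)
    if flags_a != flags_b:  # e.g. the P (protected, inheritance blocked) flag
        findings.append("DACL flags changed: %r -> %r" % (flags_b, flags_a))
    for ace in (aces_b - aces_a):
        findings.append("ACE lost: (%s)" % ace)
    for ace in (aces_a - aces_b):
        f = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if not (len(f) == 6 and f[0] == "A" and f[2] in FULL_CONTROL and f[5] == added_sid):
            findings.append("unexpected ACE: (%s)" % ace)
    return findings

# Constructed sample descriptors (not taken from a real system).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
IT_GROUP = DOM + "-1300"
BEFORE = "O:%s-1105G:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;%s-1201)" % (DOM, DOM)
AFTER_OK = BEFORE.replace("O:%s-1105" % DOM, "O:BA") + "(A;OICI;FA;;;%s)" % IT_GROUP
AFTER_WIPED = "O:BAG:DUD:PAI(A;OICI;FA;;;BA)"  # only Administrators left in the DACL

if __name__ == "__main__":
    print(check(BEFORE, AFTER_OK, IT_GROUP))     # no findings
    print(check(BEFORE, AFTER_WIPED, IT_GROUP))  # two lost ACEs, one unexpected
```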