How do I change the owner of a folder with Powershell when Get-Acl returns "Access Denied"?

Question

I have a question about Get-Acl in Powershell. I keep getting the error message, "Access to the path is denied". I want to change the owner of the folder to myself and then give myself full permissions to the folder using Powershell. Here's the line of code giving me the error:

$acl = Get-Acl "C:\SomeFolder"

I am using Windows Explorer to set the permissions on "SomeFolder" before running the script. They are as follows:

• no entries in the access control list
• owner is not myself

I do not receive the error message if I make myself the owner using the Windows Explorer GUI before running the Powershell script. I don't understand why I am allowed to change the owner with Windows Explorer but not using Powershell? I have full admin rights on this machine. Windows 7, Powershell 2.0, .NET 3.5.

I'm assuming the only way to change the owner is to use Get-Acl, set owner on the ACL, then use Set-Acl to write it back to the folder. If there is another way, please let me know? How can I change the owner of the folder using Powershell?

Answer 1

Windows Vista and up include a command-line tool named takeown.exe which can be used from an elevated command prompt (or elevated powershell console) to change the ownership of a file system object.

takeown /F "C:\SomeFolder" /R /D Y

should give you ownership on C:\SomeFolder and the file system objects it contains.

Answer 2

I have some system configuration scripts from our build guy and I recall a note about the Get-Acl command "not working well on certain paths".

# NOTE: This method does not work well?
#$acl = Get-Acl -Path $Path

The kinds of paths we were setting permissions on were empty folders created by an administrator user later captured in a disk image. This is the PowerShell command that we used instead.

$acl = (Get-Item $path).GetAccessControl("Access")

---

Oh, and it gets real obscure once you have an ACL object. I don't know if this is the best way to do it, but it's a snippet from the same script I refer to above.

$acl = (Get-Item $path).GetAccessControl("Access")

# Setup the access rule.
$allInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit", "ObjectInherit"
$allPropagation = [System.Security.AccessControl.PropagationFlags]"None"
$AR = New-Object System.Security.AccessControl.FileSystemAccessRule $user, $permissions, $allInherit, $allPropagation, "Allow"

# Check if Access already exists.
if ($acl.Access | Where { $_.IdentityReference -eq $User}) 
{
    $accessModification = New-Object System.Security.AccessControl.AccessControlModification
    $accessModification.value__ = 2
    $modification = $false
    $acl.ModifyAccessRule($accessModification, $AR, [ref]$modification) | Out-Null
} 
else 
{
    $acl.AddAccessRule($AR)
}

Set-Acl -AclObject $acl -Path $Path