Powershell query for all files without an owner?

Question

Powershell query for all files without an owner?

Tonito Dux 976

Hi,

we are migrating a 2012R2 file server to a new 2022 file server and during the migration process with the storage migration service we got 23 000 files that receive an error 5 which is access denied error. Upon examination of some of the files they all got the same problem - no owner and no ACLs.

Would like a PS query/script which will go trough a folder and sub-folders and report back all of the files without the owner set.

Thank you for your time and assistance!

3 answers

Your answer

Answer 1

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 2

MotoX80 36,291

Here's a script that might help you. Test it out on a small number of folders and verify that resetting the inheritance is what you want it to do.

If you have multiple levels of folders that you do not have access to, then you will need to run this script multiple times to get to all of the files/folders.

cls
$noaccess = @()
$all = Get-ChildItem c:\temp\zzzz -recurse -Force   -ErrorAction SilentlyContinue       # set folder path here

foreach ($f in $all){                     
    $f.fullname                     # show what we are processing
    try {
        $a = Get-Acl $f.fullname -ErrorAction Stop
        if ($a.access.Count -eq 0) {                  # no acls!!!! 
            $noaccess += $f.fullname                # add to the fix list
            "No acls, adding to noaccess list."
            }            
    } catch {
        "Unable to access, adding to noaccess list."
        $noaccess += $f.fullname 
    }    
}
""
"Here are the files and folders we could not access."
$noaccess

if ((Read-Host "Enter y to fix") -ne 'y') {return}

# Now fix the problem, you must be running this script with UAC admin access 
foreach ($f in $noaccess) {
    "takeown.exe /f $f"
    takeown.exe /f "$f"
    "icacls.exe $f /reset"
    icacls.exe "$f" /reset
}

Tonito Dux 976 Reputation points

2023-04-28T13:53:34.8266667+00:00

Thank you,

I still haven't gotten around to test it but appreciate the help because I know only PS queries. Scripting is not my strong side. I will test it today or tomorrow and get back to you.
Tonito Dux 976 Reputation points

2023-04-28T14:23:00.47+00:00

So i have tested the script and it works! The ACLs are back, but the original owner is now the admin (me) who ran the script. Is there maybe a way to get back the original owner of the file? We have everything intact on a another server so I can quickly compare everything.

Thank you very much, even this is a huge progress!
MotoX80 36,291 Reputation points

2023-04-28T14:55:04.2566667+00:00

If you don't use the "CREATOR OWNER" ACL, then user access would be granted through the other ACL's (groups and users). So do you really need the owner to be set? I know that Unix cares more about the owner than Windows does. From my years of supporting Windows servers, for the most part it didn't matter much who the owner was. You would need another script to compare and set the owner.
Tonito Dux 976 Reputation points

2023-04-28T15:35:43.56+00:00

If from your experience you see no problem with this than the situation would be resolved. I talked to my colleagues but nobody has any good reason to have the original owner of the file. I am just afraid it might bite us in the future for some reason.

MotoX80 36,291

In case it does matter, I whipped this up. Test it out on a small number of files first. I have -whatif so nothing will be updated. Remove that to apply the owner.

cls 
$FixMe = 'C:\Temp\ZZZZ\GooooooD'      # these files have unknown owners
$Reference = 'C:\Temp\ZZZZ\GooD2'     # these file have the owner correctly set 

$allFix = Get-ChildItem $FixMe -file -recurse 
foreach ($f in $allFix) {
    $f.fullname 
    $Fixacl = Get-Acl $f.fullname 
    "Current owner is {0}" -f $FixAcl.owner

    $Reffile = $f.fullname.Replace($FixMe,$Reference) 
    $Reffile
    $Refacl = Get-Acl $Reffile 
    "Correct owner is {0}" -f $RefAcl.owner
    if ($FixAcl.owner -ne $RefAcl.owner) {
        "Need to fix " + $f.fullname
        $domain = $RefAcl.owner.split("\")[0]
        $user =   $RefAcl.owner.split("\")[1]
        $owner = New-Object System.Security.Principal.NTAccount ($domain,$user)
        $Fixacl.SetOwner($owner) 
        $Fixacl | Set-Acl $f.fullname -WhatIf
    } 
    ""
}

Answer 3

Rich Matheisen 47,901

This won't fix the problem but it should run faster than using try/catch and Get-ACL. You can use the CSV it creates and the last part of the code from @MotoX80 to add the owner.

$folderlist = "c:\junk","c:\T-Copy"    # directories whose files should be examined
$folderlist |
    ForEach-Object{
        Get-ChildItem "$_\*" -file -Recurse -Depth 100 |    # adjust the depth value as appropriate
            ForEach-Object{
                if ( $null -eq $_.GetAccessControl().Owner){    # if there's no ACL this should report that file too
                    Select-Object fullname, LastAccessTime, LastWriteTime, CreationTime
                }
            }
    } | Export-Csv c:\junk\OwnerlessFiles.csv -NoTypeInformation

MotoX80 36,291 Reputation points

2023-04-28T13:49:10.7766667+00:00
I thought about looking at the owner but I have to wonder what happened on this machine that wiped out both the ACLs and the owner. If the owner contains a dead SID then it won't be null. And if there are no ACL's then I won't be able to read the owner anyway.

PS C:\Temp\ZZZZ\GooooooD> get-childitem | foreach { $_.GetAccessControl().Owner} O:S-1-5-21-1852509475-3444700518-1180769758-1018 BUILTIN\Administrators
Tonito Dux 976 Reputation points

2023-04-28T13:57:24.2933333+00:00

In our company we use programs like ViceVersa and PeerSync/PeerLock in order to mange our complicated file system environment (low bandwidth, big files (+5GB), not all offices need the same projects) and we occasional have issue with 0 byte files and now ACLs.

On the original file server the files have ACLs so we could copy them but we are talking about 23 000 files that need to be copied manually then.
Rich Matheisen 47,901 Reputation points

2023-04-28T15:04:58.44+00:00

A SID belong to a user that's no longer present may be erroneous, but it's not "missing". If you want to change it, use the Get-ACL cmdlet, create a new SID, and use the ACL's "SetOwner" method using the new SID.
Rich Matheisen 47,901 Reputation points

2023-04-28T15:07:32.1733333+00:00

If the owner is correct on your original server you should be able to use them to set the ACEs and Owner on the bad files. You can do that with PowerShell, No need to do it manually.
Tonito Dux 976 Reputation points

2023-04-28T15:33:52.0833333+00:00

Yes it should be no problem if I would knew how to write a script for something like that :D I agree 100%

Share via

Powershell query for all files without an owner?

3 answers

Your answer