To totally unlock this section you need to Log-in
Many organizations with a Microsoft Windows environment rely on NTFS as the main file system for their storage devices that contain sensitive data. It is the easiest way for users to work with files. In order to implement a least-privilege model, which is a best practice for system security, IT security specialists and system administrators configure NTFS access control lists (ACLs) by adding access control entries (ACEs) on NTFS file servers.
There are both basic and advanced NTFS permissions. You can set each of the permissions to “Allow” or “Deny”. Here are the basic permissions:
- Full Control: Users can modify, add, move and delete files and directories, as well as their associated properties. In addition, users can change permissions settings for all files and subdirectories.
- Modify: Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.
- Read & Execute: Users can run executable files, including script
- Read: Users can view files, file properties and directories.
- Write: Users can write to a file and add files to directories.
Here is the list of advanced permissions:
- Traverse Folder/Execute File: Users can navigate through folders to reach other files or folders, even if they have no permissions for these files or folders. Users can also run executable files. The Traverse Folder permission takes effect only when the group or user doesn’t have the “Bypass Traverse Checking” right in the Group Policy snap-in.
- List Folder/Read Data: Users can view a list of files and subfolders within the folder as well as the content of the files.
- Read Attributes: Users can view the attributes of a file or folder, such as whether it is read-only or hidden.
- Write Attributes: Users can change the attributes of a file or folder.
- Read Extended Attributes: Users can view the extended attributes of a file or folder, such as permissions and creation and modification times.
- Write Extended Attributes: Users can change the extended attributes of a file or folder.
- Create Files/Write Data: The “Create Files” permission allows users to create files within the folder. (This permission applies to folders only.) The “Write Data” permission allows users to make changes to the file and overwrite existing content. (This permission applies to files only.)
- Create Folders/Append Data: The “Create Folders” permission allows users to create folders within a folder. (This permission applies to folders only.) The “Append Data” permission allows users to make changes to the end of the file, but they can’t change, delete or overwrite existing data. (This permission applies to files only.)
- Delete: Users can delete the file or folder. (If users don’t have the “Delete” permission on a file or folder, they can still delete it if they have the “Delete Subfolders And Files” permission on the parent folder.)
- Read Permissions: Users can read the permissions of a file or folder, such as “Full Control”, “Read”, and “Write”.
- Change Permissions: Users can change the permissions of a file or folder.
- Take Ownership: Users can take ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
- Synchronize: Users can use the object for synchronization. This enables a thread to wait until the object is in the signaled state. This right is not presented in ACL Editor.
You can find all these user permissions by running the following PowerShell script:
[system.enum]::getnames([System.Security.AccessControl.FileSystemRights])
NTFS permissions can be either explicit or inherited. Explicit permissions are permissions that are configured individually, while inherited permissions are inherited from the parent folder. The hierarchy for permissions is as follows:
Explicit Deny Explicit Allow Inherited Deny Inherited Allow
Change File and Folder Ownership
If you want to set an owner for a folder, you need to run the “SetOwner” method. Let’s make “WORKSTATION\E.Xample” the owner of the “Sales” folder:
$acl = Get-Acl \\srv1\shared\sales $object = New-Object System.Security.Principal.Ntaccount("WORKSTATION\E.Xample") $acl.SetOwner($object) $acl | Set-Acl \\srv1\shared\sales
Notice that we again used the “Ntaccount” class to convert the user account name from a string into a SID.
Note that the “SetOwner” method does not enable you to change the owner to any account you want; the account must have the “Take Ownership”, “Read” and “Change Permissions” rights.
Permissions Inheritance
Each permission that exists can be assigned one of two ways: explicitly or by inheritance. For this reason, permissions are referred to as explicit permissions and inherited permissions.
- Explicit permissions are permissions that are set by default when the object is created, or by user action.
- Inherited permissions are permissions that are given to an object because it is a child of a parent object.
Similar to the way rights are managed for groups of users, permissions are best managed for containers of objects. Objects within the container inherit all the access permissions in that container.
For example, you might explicitly give permissions to a folder named MyFolder. All subfolders created within MyFolder automatically inherit the permissions assigned to MyFolder.
To manage inheritance, we use the SetAccessRuleProtection method. It has two parameters:
- The first parameter is responsible for blocking inheritance from the parent folder. It has two states: “$true” and “$false”.
- The second parameter determines whether the current inherited permissions are retained or removed. It has the same two states: “$true” and “$false”.
Let’s disable inheritance for the Sales folder and delete all inherited permissions as well:
$acl = Get-Acl \\srv1\shared\sales $acl.SetAccessRuleProtection($true,$false) $acl | Set-Acl \\srv1\shared\sales
Let’s revert this change and enable inheritance for the folder Sales again:
$acl = Get-Acl \\srv1\shared\sales $acl.SetAccessRuleProtection($false,$true) $acl | Set-Acl \\srv1\shared\sales
Recursively Taking Ownership of Files and Folders
The following function can be useful to be used when we need to recursively taking ownership of files and folders: the function calls takeown.exe, available also in Windows 10, that enables an administrator to recover access to a file that previously was denied, by making the administrator the owner of the file, against the folder it is passed, then adds entries to the ACL for that folder.
The function takes the folder name as a parameter, [String]$Folder, then runs takeown.exe against it using the /A option to add the administrators group.
We then get the current ACL from the folder, build a new ACL permission as a string and use that to create a FileSystemAccessRule object. That object is then added to the ACL we copied from the folder. In this example We are adding two accounts, NT AUTHORITY\SYSTEM and a domain group DOMAIN\AdminGroup (you can change this with a local Administrators group, if your system is not into a domain).
The Set-ACL command applies the ACL list with the two new entries to the folder.
function Take-Ownership { param( [String]$Folder ) takeown.exe /A /F $Folder $CurrentACL = Get-Acl $Folder write-host ...Adding NT Authority\SYSTEM to $Folder -Fore Yellow $SystemACLPermission = "NT AUTHORITY\SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow" $SystemAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $SystemACLPermission $CurrentACL.AddAccessRule($SystemAccessRule) write-host ...Adding Infrastructure Services to $Folder -Fore Yellow $AdminACLPermission = "DOMAIN\AdminGroup","FullControl","ContainerInherit,ObjectInherit","None","Allow" $SystemAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $AdminACLPermission $CurrentACL.AddAccessRule($SystemAccessRule) Set-Acl -Path $Folder -AclObject $CurrentACL }
After the creation of the Take-Ownership function, we can use another function, called Test-Folder, with which we can test if, after taking ownership recursively of a folder, we are able to traverse all of them with no issues, but evaluating, for each folder, if we get or not the DirUnauthorizedAccessError error:
function Test-Folder($FolderToTest){ $error.Clear() $ErrorArray = @() Get-ChildItem $FolderToTest -Recurse -ErrorAction SilentlyContinue | Select FullName if ($error) { $ErrorArray = $error + $ErrorArray foreach ($err in $ErrorArray) { if($err.FullyQualifiedErrorId -eq "DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand") { Write-Host Unable to access $err.TargetObject -Fore Red Write-Host Attempting to take ownership of $err.TargetObject -Fore Yellow Take-Ownership($err.TargetObject) Test-Folder($err.TargetObject) } } }
An alternative code to get and change ownership of a folder, and files and folder recursively, is the following function:
function Grant-Ownership { [CmdletBinding()] param ( [ValidateNotNullOrEmpty()][string] $FileFolder, [switch] $Recurse ) $Errors = $false If ((Test-Path $FileFolder) -eq $true) { $Output = "Taking ownership of " + $FileFolder + "....." If ($Recurse.IsPresent) { $Items = takeown.exe /F $FileFolder $Items = Get-ChildItem $FileFolder -Recurse | ForEach-Object { takeown.exe /F $_.FullName } } else { $Executable = takeown.exe /F $FileFolder } } [string]$CurrentUser = [Environment]::UserDomainName + "\" + [Environment]::UserName If ($Recurse.IsPresent) { $Item = Get-Item $FileFolder | where-object { (get-acl $_.FullName).owner -ne $CurrentUser } $Items = Get-ChildItem $FileFolder -Recurse | where-object { (get-acl $_.FullName).owner -ne $CurrentUser } If ((($Item -ne "") -and ($Item -ne $null)) -and (($Items -ne "") -and ($Items -ne $null))) { $Output += "Failed" } else { $Output += "Success" } } else { [string]$FolderOwner = (get-acl $FileFolder).owner If ($CurrentUser -ne $FolderOwner) { $Output += "Failed" $Errors = $true } else { $Output += "Success" } } Write-Host $Output If ($Errors -eq $true) { Exit 1 } }
Take permissions using Command Prompt
Open the Command Prompt (Admin) or PowerShell (Admin).
The following commands are available for changing permissions:
takeown /F directory\* /R /A icacls directory\*.* /T /grant administrators:F
Example:
takeown /F C:\Users\Test\* /R /A icacls C:\Users\Test\*.* /T /grant administrators:F
Replace directory with the path of the directory or files you wish to take ownership of, and administrators with the group of users you wish to assign to the directory or file.
The wildcards (*) at the end of the path means that all files within the defined directory will also have their permission changed.
Reset ownership & permissions
Open the Command Prompt (Admin) or PowerShell (Admin). The following command is available for resetting permissions:
cd /d driveLetter:\ icacls * /T /Q /C /reset
Example:
cd /d E:\ icacls * /T /Q /C /reset
Replace driveLetter with the assigned letter of the disk drive.
Create "Take Ownership" menu entry in Windows 10 Context Menu
A good addition for all Windows 10 administrators would be to get ownership of files and folders by using a right-click context menu entry, and this goal is reachable by modifying a bit the Windows Registry with the following .reg additions.
First, we need to enable the Take Ownership menu entry to the Windows 10 right-click menu:
Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\*\shell\runas] @="Take Ownership" "Extended"=- "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle"
The HasLUAShield, with no values, will just instruct Windows to add the UAC shield icon so that users know that the task requires elevation to the verb we are adding, Take Ownership.
The NoWorkingDirectory will instruct the system that we are not wanting the location right clicked to become part of the environmental path for the execution of the specified command.
The Extended string value is removed, if already present, to allow to see the Take Ownership always after right-clicking an object; as a general rule, a command/verb will be located in the extended shift when it has a String Value called Extended under the main key. If we want it to be in the main shell context menu, we will delete the "Extended" String Value entry. We want want to transfer something to the extended menu...we will just put "Extended" in it's main key.
[HKEY_CLASSES_ROOT\*\shell\runas\command] @="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant *S-1-3-4:F /c /l" "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant *S-1-3-4:F /c /l"
The above code section, that will be added to the same .reg file, will actually add the action that will be executed on the file selected with right-click. The following command will execute first the takeown to get the ownership of the file, then the icacls will apply the proper ACLs to get full control permissions on the selected object:
cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant *S-1-3-4:F /c /l"
Now, the following code section will add, with the same approach, using takedown and icacls (for directories it will be user Powershell to call cmd.exe). The below section will add the Take Ownership command, in the right-click context menu, also for directories and drives: for the drives, it will be excluded the C: volume, defined into the AppliesTo value, as it is critical and it would be not so wise trying to get or change the full ownership all all system files....
[HKEY_CLASSES_ROOT\Directory\shell\TakeOwnership] @="Take Ownership" "AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\Users\" OR System.ItemPathDisplay:=\"C:\\ProgramData\" OR System.ItemPathDisplay:=\"C:\\Windows\" OR System.ItemPathDisplay:=\"C:\\Windows\\System32\" OR System.ItemPathDisplay:=\"C:\\Program Files\" OR System.ItemPathDisplay:=\"C:\\Program Files (x86)\")" "Extended"=- "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" [HKEY_CLASSES_ROOT\Directory\shell\TakeOwnership\command] @="powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d y && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l /q' -Verb runAs\"" "IsolatedCommand"="powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d y && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l /q' -Verb runAs\"" [HKEY_CLASSES_ROOT\Drive\shell\runas] @="Take Ownership" "Extended"=- "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" "AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\\")" [HKEY_CLASSES_ROOT\Drive\shell\runas\command] @="cmd.exe /c takeown /f \"%1\\\" /r /d y && icacls \"%1\\\" /grant *S-1-3-4:F /t /c" "IsolatedCommand"="cmd.exe /c takeown /f \"%1\\\" /r /d y && icacls \"%1\\\" /grant *S-1-3-4:F /t /c"
At the end of this article you will find this .reg file to properly enable this right-click command.
An alternative version of this reg file is the following, in which the command will create a Takeown.txt file under C:\Windows\Logs folder, for further analysis, if needed:
Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\*\shell\TakeOwnership] [-HKEY_CLASSES_ROOT\*\shell\runas] [HKEY_CLASSES_ROOT\*\shell\runas] @="Take Ownership" "Extended"=- "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" [HKEY_CLASSES_ROOT\*\shell\runas\command] @="cmd.exe /c takeown /f \"%1\" >> \"C:\\Windows\\Logs\\Takeown.txt\" && icacls \"%1\" /grant *S-1-3-4:F /c /l >> \"C:\\Windows\\Logs\\Takeown.txt\"" "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" >> \"C:\\Windows\\Logs\\Takeown.txt\" && icacls \"%1\" /grant *S-1-3-4:F /c /l >> \"C:\\Windows\\Logs\\Takeown.txt\"" [HKEY_CLASSES_ROOT\Directory\shell\TakeOwnership] @="Take Ownership" "AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\Users\" OR System.ItemPathDisplay:=\"C:\\ProgramData\" OR System.ItemPathDisplay:=\"C:\\Windows\" OR System.ItemPathDisplay:=\"C:\\Windows\\System32\" OR System.ItemPathDisplay:=\"C:\\Program Files\" OR System.ItemPathDisplay:=\"C:\\Program Files (x86)\")" "Extended"=- "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" [HKEY_CLASSES_ROOT\Directory\shell\TakeOwnership\command] @="powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d Y >> \"C:\\Windows\\Logs\\Takeown.txt\" && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l >> \"C:\\Windows\\Logs\\Takeown.txt\"' -Verb runAs\"" "IsolatedCommand"="powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d Y >> \"C:\\Windows\\Logs\\Takeown.txt\" && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l >> \"C:\\Windows\\Logs\\Takeown.txt\"' -Verb runAs\"" [HKEY_CLASSES_ROOT\Drive\shell\runas] @="Take Ownership" "Extended"=- "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" "AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\\")" [HKEY_CLASSES_ROOT\Drive\shell\runas\command] @="cmd.exe /c takeown /f \"%1\\\" /r /d y && icacls \"%1\\\" /grant *S-1-3-4:F /t /c" "IsolatedCommand"="cmd.exe /c takeown /f \"%1\\\" /r /d y && icacls \"%1\\\" /grant *S-1-3-4:F /t /c"
NOTE: take note that the Y character of /r /d Y of the command takeown /f /r /d Y is language-dependent, so if you have and English version the Y wil be good, if French it will be "O" (for Oui), if Italian it will be "S" (for Si), and so on, so this character will need to be changed before merging the new registry keys and values in your Windows Registry.
The following version of the Take Ownership command will show a Command Prompt window after the execution of takeown.exe and icacls.exe (using pause command) to show you directly the exit statuses of each try taking ownership of files and/or folders:
Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\*\shell\TakeOwnership] [-HKEY_CLASSES_ROOT\*\shell\runas] [HKEY_CLASSES_ROOT\*\shell\runas] @="Take Ownership" "Extended"=- "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" [HKEY_CLASSES_ROOT\*\shell\runas\command] @="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant *S-1-3-4:F /c /l & pause" "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant *S-1-3-4:F /c /l & pause" [HKEY_CLASSES_ROOT\Directory\shell\TakeOwnership] @="Take Ownership" "AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\Users\" OR System.ItemPathDisplay:=\"C:\\ProgramData\" OR System.ItemPathDisplay:=\"C:\\Windows\" OR System.ItemPathDisplay:=\"C:\\Windows\\System32\" OR System.ItemPathDisplay:=\"C:\\Program Files\" OR System.ItemPathDisplay:=\"C:\\Program Files (x86)\")" "Extended"=- "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" [HKEY_CLASSES_ROOT\Directory\shell\TakeOwnership\command] @="powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d Y && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l & pause' -Verb runAs\"" "IsolatedCommand"="powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d Y >> \"C:\\Windows\\Logs\\Takeown.txt\" && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l & pause' -Verb runAs\"" [HKEY_CLASSES_ROOT\Drive\shell\runas] @="Take Ownership" "Extended"=- "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" "AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\\")" [HKEY_CLASSES_ROOT\Drive\shell\runas\command] @="cmd.exe /c takeown /f \"%1\\\" /r /d y && icacls \"%1\\\" /grant *S-1-3-4:F /t /c" "IsolatedCommand"="cmd.exe /c takeown /f \"%1\\\" /r /d y && icacls \"%1\\\" /grant *S-1-3-4:F /t /c"
NOTE: take note that the Y character of /r /d Y of the command takeown /f /r /d Y is language-dependent, so if you have and English version the Y wil be good, if French it will be "O" (for Oui), if Italian it will be "S" (for Si), and so on, so this character will need to be changed before merging the new registry keys and values in your Windows Registry.
The following alternative code will enable the Take Ownership command only with the Shift combination of your keyboard with the right-click of the mouse, on files, folders and drives:
Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\*\shell\TakeOwnership] [-HKEY_CLASSES_ROOT\*\shell\runas] [HKEY_CLASSES_ROOT\*\shell\runas] @="Take Ownership" "Extended"="" "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" [HKEY_CLASSES_ROOT\*\shell\runas\command] @="cmd.exe /c takeown /f \"%1\" >> \"C:\\Windows\\Logs\\Takeown.txt\" && icacls \"%1\" /grant *S-1-3-4:F /c /l >> \"C:\\Windows\\Logs\\Takeown.txt\"" "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" >> \"C:\\Windows\\Logs\\Takeown.txt\" && icacls \"%1\" /grant *S-1-3-4:F /c /l >> \"C:\\Windows\\Logs\\Takeown.txt\"" [HKEY_CLASSES_ROOT\Directory\shell\TakeOwnership] @="Take Ownership" "AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\Users\" OR System.ItemPathDisplay:=\"C:\\ProgramData\" OR System.ItemPathDisplay:=\"C:\\Windows\" OR System.ItemPathDisplay:=\"C:\\Windows\\System32\" OR System.ItemPathDisplay:=\"C:\\Program Files\" OR System.ItemPathDisplay:=\"C:\\Program Files (x86)\")" "Extended"="" "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" [HKEY_CLASSES_ROOT\Directory\shell\TakeOwnership\command] @="powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d Y >> \"C:\\Windows\\Logs\\Takeown.txt\" && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l >> \"C:\\Windows\\Logs\\Takeown.txt\"' -Verb runAs\"" "IsolatedCommand"="powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d Y >> \"C:\\Windows\\Logs\\Takeown.txt\" && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l >> \"C:\\Windows\\Logs\\Takeown.txt\"' -Verb runAs\"" [HKEY_CLASSES_ROOT\Drive\shell\runas] @="Take Ownership" "Extended"="" "HasLUAShield"="" "NoWorkingDirectory"="" "Position"="middle" "AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\\")" [HKEY_CLASSES_ROOT\Drive\shell\runas\command] @="cmd.exe /c takeown /f \"%1\\\" /r /d y && icacls \"%1\\\" /grant *S-1-3-4:F /t /c" "IsolatedCommand"="cmd.exe /c takeown /f \"%1\\\" /r /d y && icacls \"%1\\\" /grant *S-1-3-4:F /t /c"
NOTE: take note that the Y character of /r /d Y of the command takeown /f /r /d Y is language-dependent, so if you have and English version the Y wil be good, if French it will be "O" (for Oui), if Italian it will be "S" (for Si), and so on, so this character will need to be changed before merging the new registry keys and values in your Windows Registry.
Finally, the following .reg file will remove completely the added Take Ownership command from the right-click context menu:
Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOT\*\shell\TakeOwnership] [-HKEY_CLASSES_ROOT\*\shell\runas] [-HKEY_CLASSES_ROOT\Directory\shell\TakeOwnership] [-HKEY_CLASSES_ROOT\Drive\shell\runas]
Download
The following download will let you to enable the Take Ownership command in right-click context menu (on files, folders and drives except C:\ volume) in Windows 10.
TakeOwn (Windows Registry Files)