NTFS Permission issue with TAKEOWN & ICACLS

Most of us use TAKEOWN or ICACLS to take ownership from the command prompt, and both are simple to use.

We generally use TAKEOWN or ICACLS with the following switches to take ownership.
takeown /F "PATH" /R /D Y /A
icacls "PATH" /T /setowner Administrators

But unfortunately, TAKEOWN and ICACLS might both fail in certain scenarios, as there are some undocumented limitations. We had an incident where we tried to take ownership of a shared location hosted on a NetApp Filer. While using TAKEOWN, we got the following error.
ERROR: The data area passed to a system call is too small.

And while using ICACLS, we got an Access Denied error; we also got the same error when using the Windows GUI to take ownership. We tried almost everything, but still had no luck. Additionally, if we use the TAKEOWN command to take ownership of a shared location, all existing permissions get replaced by the Administrators group.

Finally we found SubInACL, a command-line tool from Microsoft that enables administrators to view and modify security information about files, registry keys, and services. This tool is much more complex and powerful than TAKEOWN and ICACLS. To execute this tool, the user must be a member of the Administrators group of that shared location. We tried this tool with the following switches to obtain ownership.

First we took ownership of the root folder using the following:
subinacl /file "PATH" /setowner=Administrators
Then we used the following switches to take ownership of all subfolders and files:
subinacl /subdirectories "PATH\*.*" /setowner=Administrators

Once done, you will get the following message.

[Screenshot: output]

Note: Unlike TAKEOWN, this tool leaves your existing permissions intact.

Update: If you want to update the permissions of a folder you do not own, you can use this tool to do so without taking ownership of that folder. You just have to be a member of the local administrator group of that server or CIFS.
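To check on a real tree that the ownership change described above leaves permissions intact, the following added PowerShell example (not from the original post) snapshots each item's owner and DACL, runs the two SubInACL commands shown earlier, and reports items whose owner is not BUILTIN\Administrators or whose DACL changed. It assumes subinacl.exe is on PATH; the parameter, variable and function names are illustrative.

```powershell
# Added example (not from the original post). Assumes subinacl.exe is on PATH;
# $Path is the share or folder being fixed and is supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $Owner = 'Administrators'
)

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-SecuritySnapshot {
    param([string] $Root)
    # One row per item: owner SID plus the DACL as SDDL. The DACL string does
    # not include the owner, so an owner change alone leaves it unchanged.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $row = [pscustomobject]@{ Path = $item.FullName; OwnerSid = $null; Dacl = $null }
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            $row.OwnerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
            $row.Dacl     = $acl.GetSecurityDescriptorSddlForm('Access')
        } catch {
            # Unreadable items keep $null fields and show up as 'NoBaseline' later.
        }
        $row
    }
}

$before = @{}
Get-SecuritySnapshot -Root $Path | ForEach-Object { $before[$_.Path] = $_ }

# The two SubInACL steps from the post: root folder first, then its contents.
& subinacl /file $Path "/setowner=$Owner"
& subinacl /subdirectories "$Path\*.*" "/setowner=$Owner"

$report = foreach ($now in Get-SecuritySnapshot -Root $Path) {
    $old = $before[$now.Path]
    if (-not $old -or $null -eq $old.Dacl) { $status = 'NoBaseline' }
    elseif ($old.Dacl -eq $now.Dacl)       { $status = 'Unchanged' }
    else                                   { $status = 'Changed' }
    [pscustomobject]@{ Path = $now.Path; OwnerIsAdmins = ($now.OwnerSid -eq $AdminsSid); DaclStatus = $status }
}

# Show only the items that need attention: wrong owner or a modified DACL.
$report | Where-Object { -not $_.OwnerIsAdmins -or $_.DaclStatus -eq 'Changed' } |
    Format-Table -AutoSize
```

Comparing the owner by SID rather than by name keeps the check valid on systems where the Administrators group has a localized name.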

 


Saugata

CC BY-ND 4.0 This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.

13 comments

  1. Thank you, I was having this issue with our NetApp share where the take ownership recursive wouldn’t work and was incredibly annoying.

  2. Hi

    In different languages the admin is written in a different way.
    It would be easier to do the job with the ID

    e.g. subinacl /subdirectories "PATH*.*" /setowner="S-1-5-10"

    It's more secure 😉

      1. That doesn’t always fix the problem.

        There are two more reasons I can think of that would give access denied even running subinacl as admin.

        1. There is a process holding an open file handle to the file.

        2. Ntfs corruption

        Fixes:

        1. Can generally be fixed with unlocker or similar program that can close file handles

        2. Do a chkdsk /f and repeat until the errors are fixed. If that doesn’t fix it, back up the files and wipe / reload

        1. I am not sure about locked files; I never got Access Denied while applying permissions on an on-line file server during peak hours, but in the case of corrupted files, it is true.

  3. I tried everything and this doesn’t work either

    takeown /A /R /D Y /F lolo
    INFO: Access is denied. ( “C:\Users\lolo\Doctor Web\CureIt Quarantine” )

    icacls lolo /t /c /GRANT administrators:F
    lolo\Doctor Web\CureIt Quarantine: Access is denied.

    icacls lolo /T /c /setowner Administrators
    lolo\Doctor Web\CureIt Quarantine: Access is denied.

    subinacl /file lolo /setowner=Administrators
    SeBackupPrivilege : Access is denied.

    subinacl /subdirectories lolo\*.* /setowner=Administrators
    WARNING :Unable to set SeBackupPrivilege privilege. This privilege may be required.
    C:\Users\lolo\Doctor Web\CureIt Quarantine – CreateFile Error : 5 Access is denied.

    Administrators have full control over the Parent (C:\Users) and the disk (C:\)
    I have no idea how to delete “CureIt Quarantine” folder. The security tab doesn’t even show up when I try to open properties on it.

    1. It looks like NTFS corruption; try running chkdsk /f and then give it another try. I am assuming that you are running subinacl from an account which is a member of the local administrator group.

  4. It was a locked file – I used IOBIT Unlocker to locate the process and stop it, then access denied was fixed

    1. You can use PowerShell to get the list of the opened/locked files, and then you can close the locked file using it.

      To get the list for files : Get-SmbOpenFile
      To close the locked file : Close-SmbOpenFile
