R4D3

Replace all NTFS ACL Inherit´s without taking Ownership


R4D3    3

After many tests I was able to write a PowerShell script that replaces all inherits of all folders and subfolders (even the ones with long names), without taking ownership!

Reasons:

- Taking ownership of a Windows folder can make many problems! (I don't like solutions that can make more problems than they solve, and I even don't like it if people say "don't change permissions of system folders" ;) blabla)

- Me, the owner of my hard drive, like to have R/W permissions to all folders, but some folders get their permissions inherited from a top folder, and so I wasn't able to set their permissions... so many commands, iacls, dir -ad, some PowerShell commands and ways, just didn't do it, but I was able to do it (R4 never gives up...)

1) You need to allow PowerShell scripts - in a PowerShell console (with admin rights) run: Set-ExecutionPolicy RemoteSigned (maybe "Unrestricted" could do the job too; you can set it back to Restricted later)

2) Then run the script (with admin rights too)

3) This could take a while!!! Some really rare folders (probably symbolic NTFS links, junctions or similar) give error messages - you can ignore them!

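cd "C:\"
# Walk every folder below C:\ (-Force includes hidden and system folders)
foreach ($i in Get-ChildItem -Recurse -Force | ?{ $_.PSIsContainer }) {
   echo $i.FullName
   # -LiteralPath keeps folder names containing [ or ] from being read as wildcards
   $acl = Get-Acl -LiteralPath $i.FullName
   # Stop inheriting from the parent ($True) and keep the inherited rules as explicit copies ($True)
   $acl.SetAccessRuleProtection($True, $True)
   Set-Acl -LiteralPath $i.FullName -AclObject $acl
}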

(this little success brings me some steps forward in getting a clean OS - next step is setting R/W permissions for the built-in Admin, and then checking the 1355 DLLs I identified that can be called by regsvr32) - (maybe I could replace reg inherits too...)

Regards

R4D3

 

Edit: Uhm, sorry, my script seems to switch all folder inherits by like 180 degrees (good for folders with inherits, but not for folders without) - SetAccessRuleProtection($True, $False) seems to be better, and with giving admin rights this hopefully does it. Edit: Just moved $acl.SetAccessRuleProtection($True, $True) before the new rule (because first the existing inherits must be replaced with local ones, before the New-Object rule takes them off and gives the Built-In Admin permissions)....

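cd "C:\"
# Walk every folder below C:\ (-Force includes hidden and system folders)
foreach ($i in Get-ChildItem -Recurse -Force | ?{ $_.PSIsContainer }) {
 echo $i.FullName
 # -LiteralPath keeps folder names containing [ or ] from being read as wildcards
 $acl = Get-Acl -LiteralPath $i.FullName
 # Rule to add: Allow FullControl for BUILTIN\Administrators
 $person = [System.Security.Principal.NTAccount]"BUILTIN\Administrators"
 $access = [System.Security.AccessControl.FileSystemRights]"FullControl"
 # ObjectInherit: the rule is inherited by files in the folder
 $inheritance = [System.Security.AccessControl.InheritanceFlags]"ObjectInherit"
 $propagation = [System.Security.AccessControl.PropagationFlags]"None"
 $type = [System.Security.AccessControl.AccessControlType]"Allow"
 # Stop inheriting from the parent and keep the inherited rules as explicit copies
 $acl.SetAccessRuleProtection($True, $True)
 $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($person,$access,$inheritance,$propagation,$type)
 $acl.AddAccessRule($rule)
 # SetAccessRule replaces any existing Allow rules for the same account with this rule
 $acl.SetAccessRule($rule)
 Set-Acl -LiteralPath $i.FullName -AclObject $acl
}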

 

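What the second argument of SetAccessRuleProtection changes, shown on scratch folders; this is an added example, not part of the original posts. The scratch paths under $env:TEMP and the function names are assumptions made for the demo, and it expects an elevated console because the second pass leaves only BUILTIN\Administrators on the folder.

```powershell
#Requires -RunAsAdministrator
# Added example: compares preserveInheritance = $true / $false on scratch
# folders created under $env:TEMP (constructed paths, removed at the end).

function Get-AclSummary([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Protected = $acl.AreAccessRulesProtected   # True = inheritance blocked
        Inherited = @($acl.Access | Where-Object { $_.IsInherited }).Count
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

function Test-ProtectionMode([bool]$Preserve) {
    $root   = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
    $folder = (New-Item -ItemType Directory -Path (Join-Path $root 'child') -Force).FullName
    $before = Get-AclSummary $folder

    $acl = Get-Acl -LiteralPath $folder
    # 1st argument: block inheritance from the parent.
    # 2nd argument: copy the inherited rules as explicit ones ($true) or drop them ($false).
    $acl.SetAccessRuleProtection($true, $Preserve)
    if (-not $Preserve) {
        # Nothing is kept, so a folder that had only inherited rules needs
        # an explicit rule or it ends up with an empty DACL.
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            'BUILTIN\Administrators',
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $folder -AclObject $acl
    $after = Get-AclSummary $folder
    Remove-Item -LiteralPath $root -Recurse -Force

    [pscustomobject]@{
        PreserveInheritance = $Preserve
        InheritedBefore = $before.Inherited; ExplicitBefore = $before.Explicit
        ProtectedAfter  = $after.Protected
        InheritedAfter  = $after.Inherited;  ExplicitAfter  = $after.Explicit
    }
}

$true, $false | ForEach-Object { Test-ProtectionMode $_ } | Format-Table -AutoSize
```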
R4D3    3

Edit: thx - I will give it a try

aviv00    13

run as cmd Trustedinstaller or any app that can change ntfs

R4D3    3

Just a note: - Not sure - did my first script switch all inherits??? (remove the inherit where there is one, and make one where there is none) - instead of removing all of them???? (if yes, how to fix that `d*** I hate inherits! - Fixed it - see Edit above)

- Now I am trying to remove all inherits from the Registry (HKEY_USERS and HKEY_LOCAL_MACHINE) - but hell - I have been sitting on it for days without getting it... - maybe someone can help...

Note: The Google key is just for testing - it should normally run at HKU and HKLM as root - Edit: It works with the "Powerrun" tool alacran posted - but only for this key - running it for the whole of HKLM just crashes PowerShell.... - and destroys Windows ;)

# -Name returns each subkey path relative to the Google test key
foreach ($i in Get-ChildItem Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Google -Recurse -Force -Name) {
   # Rebuild the full HKLM: path of the subkey
   $name = -join("HKLM:\SOFTWARE\Google","\$i")
   echo $name
   $acl = Get-Acl $name
   # Rule to add: Allow FullControl for BUILTIN\Administrators
   $person = [System.Security.Principal.NTAccount]"BUILTIN\Administrators"
   $access = [System.Security.AccessControl.RegistryRights]"FullControl"
   $inheritance = [System.Security.AccessControl.InheritanceFlags]"ObjectInherit"
   $propagation = [System.Security.AccessControl.PropagationFlags]"None"
   $type = [System.Security.AccessControl.AccessControlType]"Allow"
   # Stop inheriting from the parent key and keep the inherited rules as explicit copies
   $acl.SetAccessRuleProtection($True, $True)
   $rule = New-Object System.Security.AccessControl.RegistryAccessRule($person,$access,$inheritance,$propagation,$type)
   $acl.AddAccessRule($rule)
   # SetAccessRule replaces any existing Allow rules for the same account with this rule
   $acl.SetAccessRule($rule)
   Set-Acl $name $acl
}
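Since the post above reports that the full HKLM run broke the system, one way to make such a change reversible is to record each key's DACL as SDDL before touching it. This is an added example, not part of the original posts; the scratch key under HKCU, the CSV file name and the function names are assumptions made for the demo.

```powershell
# Added example: snapshot the DACL of every key in a subtree before breaking
# inheritance, then roll back. Works on a constructed scratch key under HKCU.
$Access = [System.Security.AccessControl.AccessControlSections]::Access

function Export-KeyDacl([string]$Root) {
    # Root key first, then every subkey that can be opened
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl = Get-Acl -LiteralPath $key.PSPath
        [pscustomobject]@{
            Path      = $key.PSPath
            Protected = $acl.AreAccessRulesProtected
            Sddl      = $acl.GetSecurityDescriptorSddlForm($Access)
        }
    }
}

function Restore-KeyDacl($Snapshot) {
    foreach ($entry in $Snapshot) {
        $acl = Get-Acl -LiteralPath $entry.Path
        $acl.SetSecurityDescriptorSddlForm($entry.Sddl, $Access)  # DACL only
        Set-Acl -LiteralPath $entry.Path -AclObject $acl
    }
}

$root = 'HKCU:\Software\AclDemo-' + [guid]::NewGuid().ToString('N')
New-Item -Path "$root\Sub\Leaf" -Force | Out-Null

$snapshot = @(Export-KeyDacl $root)
$snapshot | Export-Csv (Join-Path $env:TEMP 'acl-demo-snapshot.csv') -NoTypeInformation

foreach ($entry in $snapshot) {           # the change made in the thread
    $acl = Get-Acl -LiteralPath $entry.Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $entry.Path -AclObject $acl
}
$changed = @(Export-KeyDacl $root)
Restore-KeyDacl $snapshot
$restored = @(Export-KeyDacl $root)

0..($snapshot.Count - 1) | ForEach-Object {
    [pscustomobject]@{ Key = $snapshot[$_].Path -replace '^.*::', ''
        Before = $snapshot[$_].Protected; Changed = $changed[$_].Protected
        Restored = $restored[$_].Protected }
} | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```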
alacran    23

You may also try ExecTI - Run as TrustedInstaller from Winaero: http://winaero.com/download.php?view.1991

Or NSudo from M2Team: https://github.com/M2Team/NSudo

This last one has more options, run as TrustedInstaller, System, Administrator, etc and you can have several at the same time, also I think it runs in PowerShell, sounds like the tool you need.

I haven't used it. But I read good comments about it in MDL: https://forums.mydigitallife.info/threads/m2-team-nsudo-new-version-4-0.59268/

alacran
