Jump to content

Replace all NTFS ACL Inherit´s without taking Ownership


R4D3

Recommended Posts

After much of tests i was able to write a Powershell Script, that replace, all inherits of all folders and subfolders (even the one with long names), without taking the Ownership !

Reasons:

- Taking the Ownership of a Windows Folder can make much Problems ! (I dont like solutions, that can make more problems than they solve, and i even dont like it, if people say, dont change Permissions of systemfolders ;) blabla

- Me, the Owner of my Harddrive, like to have R/W Permissions to all Folders, but some folders get there permission inherit from a Top Folder, and so, i wasnt able to set their permissions... so many commands iacls, dir -ad, some powershell commands and ways, just didn´t do it, but i was able to to it (R4 never gives up...)

1) You need to allow Powershellscripts - in a Powershell console (with Adminrights) run: Set-ExecutionPolicy RemoteSigned (maybe "unrestricted could do the job too, you can set it back to restricted later)

2) Then run the script (with Adminrights too)

3) THis could take a while !!! Some really rare folders (probably Symbolic NTFS Links, Junctions or Similar) give Errormessages, - you can ignore it !

cd "C:\"
foreach ($i in Get-ChildItem -Recurse -Force| ?{ $_.PSIsContainer}) {
   echo $i.FullName
   $acl=Get-ACL $i.FullName
   $acl.SetAccessRuleProtection($True, $True)
   Set-Acl $i.FullName -AclObject $acl
}

(this little success brings me some steps forward, in getting a clean os, - next step is setting r/w permissions for buildIN Admin, and then check the 1355 dll´s i identified, that can be called by regsvr32) - (maybe i could replace reginherits too...)

mfg

R4D3

 

Edit: Uhm, sorry my Script seems to switch all folderinherits like 180 degree (good for folders with inherits, but not for folders without - SetAccessRuleProtection($True, $False) seems to be better, and with giving Adminrights this hopefully does it: Edit: Just moved $acl.SetAccessRuleProtection($True, $True) before the new rule (cause, first the existing inherits must be replaced with local one, before the new-Object Rule, took them off and give Built-In Admin permissions....

cd "C:\"
foreach ($i in Get-ChildItem -Recurse -Force| ?{$_.PSIsContainer}){
 echo $i.FullName
 $acl=Get-ACL $i.FullName
 $person=[System.Security.Principal.NTAccount]"BUILTIN\Administrators"
 $access=[System.Security.AccessControl.FileSystemRights]"FullControl"
 $inheritance=[System.Security.AccessControl.InheritanceFlags]"ObjectInherit"
 $propagation=[System.Security.AccessControl.PropagationFlags]"None"
 $type=[System.Security.AccessControl.AccessControlType]"Allow"
 $acl.SetAccessRuleProtection($True, $True)
 $rule=New-Object System.Security.AccessControl.FileSystemAccessRule($person,$access,$inheritance,$propagation,$type)
 $acl.AddAccessRule($rule)
 $acl.SetAccessRule($rule)
 Set-Acl $i.FullName -AclObject $acl
}

 

Edited by R4D3
Link to comment
Share on other sites


Just a Notize: - Not sure - did my First Script switch all inherits ??? (remove inherit where one is, and make one where no is) - instead removing all of them ???? (if yes, how to fix that `d*** i hate inherits! - Fixed It - see Edit above)

- Now i am trying to remove all inherits from Registry (HKEY_USERS and HKEY_LOCAL_MACHINE)  - but hell - i am sitting since days on it, without getting it... - maybe someone can help...

Note: The Google Key is just for Testing, - it should run at HKU and HKLM as root normally) - Edit: It works with the "Powerrun" Tool Alacran posted - but only for this key - running for whole HKLM, just crash Powershell.... - and destroy windows ;)

foreach ($i in Get-ChildItem Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Google -Recurse -Force -Name) {
   $name=-join("HKLM:\SOFTWARE\Google","\$i")
   echo $name
   $acl=Get-Acl $name
   $person=[System.Security.Principal.NTAccount]"BUILTIN\Administrators"
   $access=[System.Security.AccessControl.RegistryRights]"FullControl"
   $inheritance=[System.Security.AccessControl.InheritanceFlags]"ObjectInherit"
   $propagation=[System.Security.AccessControl.PropagationFlags]"None"
   $type=[System.Security.AccessControl.AccessControlType]"Allow"
   $acl.SetAccessRuleProtection($True, $True)
   $rule=New-Object System.Security.AccessControl.RegistryAccessRule($person,$access,$inheritance,$propagation,$type)
   $acl.AddAccessRule($rule)
   $acl.SetAccessRule($rule)
   Set-Acl $name $acl
}
Edited by R4D3
Link to comment
Share on other sites

You may also try ExecTI - Run as TrustedInstaller from Winaero: http://winaero.com/download.php?view.1991

Or NSudo from M2Team: https://github.com/M2Team/NSudo

This last one has more options, run as TrustedInstaller, System, Administrator, etc and you can have several at the same time, also I think it runs in PowerShell, sounds like the tool you need.

I haven't use it. But I read good comments about it in MDL: https://forums.mydigitallife.info/threads/m2-team-nsudo-new-version-4-0.59268/

alacran

Edited by alacran
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...