2003 SP2 & icacls /setowner

[lightsout]

I'm having some real trouble with icacls on 2003 SP2, I can't get it to assign ownership. Takeown works fine, but I want to assign ownership to another user using script. xcacls.vbs is too slow to do this on the amount of files.

Here is a demo:

C:\>echo wibble > c:\wibble.txt

C:\>icacls c:\wibble.txt

c:\wibble.txt BUILTIN\Administrators:(F)

BUILTIN\Administrators:(I)(F)

NT AUTHORITY\SYSTEM:(I)(F)

BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\>icacls c:\wibble.txt /setowner guest

c:\wibble.txt: Access is denied.

Successfully processed 0 files; Failed processing 1 files

C:\>icacls c:\wibble.txt /setowner guest2

No mapping between account names and security IDs was done.

Successfully processed 0 files; Failed processing 0 files

The second test was just to show that is recognised the account involved. I've tried several systems we've got, even in different forests and they all do the same thing. I've tried using the SID instead, and that doesn't help. I've tried using a UNC path through c$ and it that doesn't work. So I'm stuck!

Anyone got any ideas?

[cluberti]

Have you run process monitor (sysinternals) while running the script to see if you can determine why it's failing?

[lightsout]

Logfile.txt

Attached a CSV output from procmon, which was a good idea to try, but I can't see anything obvious as to why it is failing. Certainly no "access denied".

[nmX.Memnoch]

Try SubInACL.

subinacl /noverbose /nostatistic /subdirectories <path> /setowner=<domain>\<user>

I know that doesn't answer why icacls isn't working but at least you can see if SubInACL will at least let you complete your project and then troubleshoot icacle.

EDIT: Weird...I got the same "No mapping between account names and security IDs was done" error when using a group name. When I used a user name I got the "Access denied" error...and I'm logged in as the (renamed) domain admin account.

D:\>icacls D:\wibble.txt /setowner #########\Administrators
No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 0 files

Edited March 29, 2007 by nmX.Memnoch

[cluberti]

Actually, I do see some interesting not founds, all regarding SAM locations. Again, not sure it's the issue, but I'm not sure it isn't. Check lines 16594 - 16599 and 16608-16613 to see what I mean. What happens if you run this command as the system account?

[lightsout]

I did see that, but I believe it was trying to see if it was a local account before looking to the domain.

Using psexec I ran icacls as a system account, but it didn't make any difference.

If I use subinacl, I'll be ok I think. The main thing is that icacls /reset so I can propagate inherited permissions correctly. I could never get setacl to do it correctly!

[nmX.Memnoch]

Subdirectories and files have the 'inherit' flag set by default so all you should have to do is set the parent directory permissions. Also, if the subdirectories/files are made after you set the permissions then they should inherit permissions correctly.

Here's an edited copy of a KiX script I used for something we were going to do a while back. It makes use of showmbrs.exe (to get the user names from a specific group), xcacls.exe (to set the permissions...note that I'm not use the VBS version) and subinacl.exe (to set the directory/file owner). We were originally going to do folder redirection for our users but then some other things that came up forced us to back off on that idea. Anyway...maybe it'll give you some ideas.

Break On

$U = "F:\Users"
Shell '%COMSPEC% /C showmbrs.exe "<domain>\<user_group>" > @SCRIPTDIR\<filename>.txt'

If Open(1,"@SCRIPTDIR\<filename>.txt",2) = 0
   $LINE = ReadLine(1)
   While @ERROR = 0
	  If InStr($LINE,"   ") And Not InStr($LINE,"<part_of_group_name>")
		 $USR  = Trim($LINE)
		 ? "$USR"
		 If Exist("$U\$USR\") = 0
			MD "$U\$USR"
			Shell '%COMSPEC% /C XCACLS.EXE "$U\$USR" /G Administrators:F /Y'
			Shell '%COMSPEC% /C XCACLS.EXE "$U\$USR" /E /G SYSTEM:F'
			Shell '%COMSPEC% /C XCACLS.EXE "$U\$USR" /E /G "<domain>\$USR":C'
			MD "$U\$USR\My Documents"
			MD "$U\$USR\Outlook"
			MD "$U\$USR\Favorites"
			MD "$U\$USR\Desktop"
			Shell '%COMSPEC% /C SUBINACL.EXE /noverbose /nostatistic /subdirectories $U\$USR /setowner=RANDOLPH\$USR'
			Shell '%COMSPEC% /C SUBINACL.EXE /noverbose /nostatistic /subdirectories $U\$USR\* /setowner=RANDOLPH\$USR'
		 EndIf
	  EndIf
	  $LINE = ReadLine(1)
   Loop
   $X = Close(1)
EndIf

[danholme]

For whomever runs across this post, I have replicated the behavior:

ICACLS path /SETOWNER DOMAIN\Username

DOES NOT WORK on Windows Server 2003 SP2.

There MUST be a bug in the application, because I can run the exact same command, logged on as the exact same user, against the same path, from a Windows Vista SP1 system (which has a new version of icacls), and it works. It seems to me that by doing this test I've ruled out user credentials problems, permissions problems, user rights problems... the only "variable" is the version of icacls.exe.

[volcanojoe]

I just ran into this dying issue, seeing how most of our servers are now 2008. but there is a hot fix that will get you back up and running

http://support.microsoft.com/kb/947870

I had this issue and then after installing the hotfix I ran the same script without making changes and it worked perfectly.