Hey, Scripting Guy! How Can I Use Windows PowerShell to Determine the Owner of a File?

Hey, Scripting Guy! Is it possible to determine the owner of a file using Windows PowerShell?
— GF

Although, in all honesty, he didn’t need all that much time to do that, either:

Get-Acl C:\Scripts\Test.txt

Believe it or not, that’s the entire script; all we have to do to determine the owner of a file is call the Get-Acl cmdlet, passing Get-Acl the path to the file in question. In turn, Get-Acl will report back information similar to this:

Directory: Microsoft.PowerShell.Core\FileSystem::C:\Scripts

Path        Owner              Access
----        -----              ------
Test.txt    FABRIKAM\kenmyer   BUILTIN\Administrators Allow  FullCo…

Not bad, huh? If all you care about is the name of the owner then pipe the results to the Select-Object cmdlet, like so:

Get-Acl C:\Scripts\Test.txt | Select-Object Owner

That will give you information similar to this:


Or, if you’d like to see the complete security descriptor, pipe the output to the Format-List cmdlet:

Get-Acl C:\Scripts\Test.txt | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Scripts\Test.txt
Owner  : FABRIKAM\kenmyer
Group  : FABRIKAM\Domain Users
Access : BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         FABRIKAM\kenmyer Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
Audit  :
Sddl   : O:S-1-5-21-1454471165-1004336348-1606980848-8183G:DUD:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)

For example, suppose Wesley wanted to get a list of owners for all the files in the folder C:\Scripts. That’s no problem; after all, the Get-Acl cmdlet does accept wildcard characters:

Get-Acl C:\Scripts\*.*

    Directory: Microsoft.PowerShell.Core\FileSystem::C:\Scripts

Path          Owner                    Access
----          -----                    ------
Example.txt   FABRIKAM\kenmyer         BUILTIN\Administrators Allow  FullCo…
Test.txt      FABRIKAM\pilarackerman   BUILTIN\Administrators Allow  FullCo…
Trial.txt     FABRIKAM\kenmyer         BUILTIN\Administrators Allow  FullCo…

Pretty cool, huh? Of course, while Get-Acl does accept wildcard characters, what it doesn’t accept is some sort of -recurse parameter that would enable you to retrieve the owners of all the files located in any subfolders of C:\Scripts. But that’s OK, too; after all, the Get-ChildItem cmdlet does accept the -recurse parameter. That means we can retrieve the file owners for all the files in C:\Scripts and its subfolders by using this command:

Get-ChildItem C:\Scripts -recurse | ForEach-Object {Get-Acl $_.FullName}

There’s nothing particularly complicated about that command, either: we simply use Get-ChildItem and the -recurse parameter to retrieve the collection of files found in C:\Scripts and its subfolders, then pipe that collection to the ForEach-Object cmdlet. In turn, we ask ForEach-Object to run the Get-Acl cmdlet against each and every file in that collection, using the value of the FullName property as Get-Acl’s file path parameter.
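The same recursive walk can be turned into an ownership audit. The following is an added example, not part of the original column: it assumes Windows PowerShell 3.0 or later, and the function name Get-FileOwnerReport, its parameters and the list of expected owners are hypothetical choices made for illustration. It records the owner of every item, keeps going when Get-Acl is denied access, and flags owners outside the expected set.

```powershell
# Added example: inventory owners under a folder and flag unexpected ones.
# Get-FileOwnerReport, $Root and $ExpectedOwners are hypothetical names/values.
function Get-FileOwnerReport {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $ExpectedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # -Force includes hidden and system items; unreadable folders are skipped.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try {
                # -LiteralPath stops names containing [ or ] being read as wildcards.
                $acl   = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
                $owner = $acl.Owner
                $err   = $null
            }
            catch {
                # Access denied or a vanished file: record it instead of stopping.
                $owner = $null
                $err   = $_.Exception.Message
            }
            [pscustomobject]@{
                Path       = $item.FullName
                Owner      = $owner
                # An owner shown as a raw SID (unresolvable account) is flagged too.
                Unexpected = ($null -ne $owner) -and ($ExpectedOwners -notcontains $owner)
                Error      = $err
            }
        }
}

$report = Get-FileOwnerReport -Root 'C:\Scripts'

# Summary: how many items each principal owns.
$report | Group-Object Owner | Sort-Object Count -Descending | Select-Object Count, Name

# Detail: items with an unexpected owner or whose ACL could not be read.
$report | Where-Object { $_.Unexpected -or $_.Error } |
    Format-Table Path, Owner, Error -AutoSize
```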

Who would have guessed that file ownership scripting could be so much fun, eh? In fact, like Wesley Snipes, we’re having such a good time today we thought we’d try one more script. It is pretty cool that you can determine the owner of a file by running a simple little Windows PowerShell script. But you know what would be really cool? It would be really cool if you could take ownership of a file by running a simple little Windows PowerShell script. You know, maybe a script like this one:

$objUser = New-Object System.Security.Principal.NTAccount("fabrikam", "kenmyer")
$objFile = Get-Acl C:\Scripts\Test.txt
$objFile.SetOwner($objUser)
Set-Acl -aclobject $objFile -path C:\Scripts\Test.txt

Much like the Scripting Guy who writes this column’s income for the year 2007, there’s really not much to this script. In line 1 we use the New-Object cmdlet to create an instance of the System.Security.Principal.NTAccount class, a .NET Framework class used to represent a user account. When creating an instance of this class we need to pass two parameters: the name of our domain (fabrikam) and the name of our user account (kenmyer).

Note. That’s a good question, and as far as we know the answer is this: assuming you want to stay out of jail then, yes, you do have to pay income tax in the US. As for your other question, the answer is no: although you can take ownership of a file using Windows PowerShell, we don’t believe that you can give ownership of a file to someone else. To transfer ownership to another user you’ll need to use the Windows Resource Kit utility Subinacl.exe.

As far as we know, anyway.

After we create an instance of the NTAccount class we use the Get-Acl cmdlet to retrieve the security descriptor from the file C:\Scripts\Test.txt; that’s what we do here:

$objFile = Get-Acl C:\Scripts\Test.txt

Once we have the security descriptor we can use the SetOwner method to assign ourselves ownership of the file:


Well, sort of. What the SetOwner method does is assign ownership to the virtual copy of the security descriptor that we retrieved using Get-Acl. To take ownership of the actual file itself we need to use the following Set-Acl command:

Set-Acl -aclobject $objFile -path C:\Scripts\Test.txt

That should give you ownership of the file.

