Repairing fubar directory permissions

Have you ever had to deal with a deep, dark directory tree where somebody has completely fubar’d the permissions?  Something like, where even as an administrator – nay, even as owner, you cannot browse around?  When you try to take ownership, you still can’t browse without resetting all the permissions?  My friends, I say unto you: Terrible.

So, here is a little script I put together that will crawl a directory, change the ownership on all objects to Administrators, and then add a ‘READ’ permission to a specific user.  Obviously it could be tweaked even further, but I just recently ran this and made 2.5 TB of gnarly directories readable (or in my case, back-up-able).

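# Take ownership of everything in the current directory for the Administrators group (/A)
function toa {
	takeown /F * /A
}

# Grant the backup account inheritable read access on each item in the current directory
function icg {
	dir | select -ExpandProperty name | % {
		icacls $_ /grant "domain\FOLDERREADER:(OI)(CI)R"
	}
}

# Walk every subdirectory of $root, fixing ownership and ACLs on the way down
function hitEachDirectory($root) {
	dir $root | ? {$_.psiscontainer -eq $true} | % {
		cd $_.FullName
		# toa and icg act on the contents of the directory just entered
		toa
		icg
		hitEachDirectory $pwd.path
	}
}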
With this code in place, from a PowerShell session (running as a Domain Admin), I went to the directory structure in question and ran the following:

hitEachDirectory .

And walked away.  Some 16 hours later, every file and every folder had the ownership reset to “Administrators” and every file had a new ACL entry added for a user called “domain\FOLDERREADER”. This user was only going to be used to back up the entire tree to a new location.

I should note that there were some issues where Windows bitched that the path was too deep, but PowerShell seemed to handle it without issue (but to be fair, I didn’t really do a deep analysis of the permissions behind those warnings before and after).
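
An added example, not part of the original post: a read-only audit to run after the crawl that lists anything it missed, such as the too-deep paths mentioned above. It assumes the expected owner is reported as BUILTIN\Administrators and reuses the post's domain\FOLDERREADER account; the function name Test-RepairedTree and the D:\share path in the usage comment are hypothetical.

```powershell
# Added example: report items whose owner or read ACE is not what the repair should have left.
# Assumptions: owner string and reader account below; adjust for your domain and locale.
function Test-RepairedTree {
	param(
		[Parameter(Mandatory)] [string] $Root,
		[string] $Reader = 'domain\FOLDERREADER',
		[string] $Owner  = 'BUILTIN\Administrators'
	)
	$read = [System.Security.AccessControl.FileSystemRights]::Read
	Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable walkErrors |
	ForEach-Object {
		$item = $_
		try {
			$acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
		} catch {
			# Cannot even read the security descriptor: the repair did not reach this item
			[pscustomobject]@{ Path = $item.FullName; Problem = "ACL unreadable: $($_.Exception.Message)" }
			return   # inside ForEach-Object this moves on to the next item
		}
		if ($acl.Owner -ne $Owner) {
			[pscustomobject]@{ Path = $item.FullName; Problem = "Owner is $($acl.Owner)" }
		}
		# Look for an Allow ACE (explicit or inherited) for the reader that includes Read
		$hasRead = $acl.Access | Where-Object {
			$_.IdentityReference.Value -eq $Reader -and
			$_.AccessControlType -eq 'Allow' -and
			($_.FileSystemRights -band $read) -eq $read
		}
		if (-not $hasRead) {
			[pscustomobject]@{ Path = $item.FullName; Problem = "No Allow/Read ACE for $Reader" }
		}
	}
	# Directories the walk could not enumerate at all (access denied, path too long)
	foreach ($e in $walkErrors) {
		[pscustomobject]@{ Path = $e.TargetObject; Problem = "Not enumerated: $($e.Exception.Message)" }
	}
}

# Usage (constructed path):
# Test-RepairedTree -Root 'D:\share' | Export-Csv .\repair-gaps.csv -NoTypeInformation
```

An empty result means every item that could be enumerated has the expected owner and a read entry for the backup account; any "Not enumerated" rows are the places to recheck by hand before trusting the backup.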

Anyway – hope this helps!

