#!powershell # This file is part of Ansible # # Copyright 2015, Hans-Joachim Kliemeck # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Ansible is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . # WANT_JSON # POWERSHELL_COMMON #Functions Function UserSearch { Param ([string]$accountName) #Check if there's a realm specified $searchDomain = $false $searchDomainUPN = $false if ($accountName.Split("\").count -gt 1) { if ($accountName.Split("\")[0] -ne $env:COMPUTERNAME) { $searchDomain = $true $accountName = $accountName.split("\")[1] } } Elseif ($accountName.contains("@")) { $searchDomain = $true $searchDomainUPN = $true } Else { #Default to local user account $accountName = $env:COMPUTERNAME + "\" + $accountName } if ($searchDomain -eq $false) { # do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too $localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName} if ($localaccount) { return $localaccount.SID } } Else { #Search by samaccountname $Searcher = [adsisearcher]"" If ($searchDomainUPN -eq $false) { $Searcher.Filter = "sAMAccountName=$($accountName)" } Else { $Searcher.Filter = "userPrincipalName=$($accountName)" } $result = $Searcher.FindOne() if ($result) { $user = $result.GetDirectoryEntry() # get binary SID from AD account $binarySID = $user.ObjectSid.Value # convert to string SID return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value } } } $params = Parse-Args $args; $result = New-Object PSObject; Set-Attr $result "changed" $false; $path = Get-Attr $params "path" -failifempty $true $user = Get-Attr $params "user" -failifempty $true $recurse = Get-Attr $params "recurse" "no" -validateSet "no","yes" -resultobj $result $recurse = $recurse | ConvertTo-Bool If (-Not (Test-Path -Path $path)) { Fail-Json $result "$path file or directory does not exist on the host" } # Test that the user/group is resolvable on the local machine $sid = UserSearch -AccountName ($user) if (!$sid) { Fail-Json $result "$user is not a valid user or group on the host machine or domain" } Try { $objUser = New-Object System.Security.Principal.SecurityIdentifier($sid) $file = Get-Item -Path $path $acl = Get-Acl $file.FullName If ($acl.getOwner([System.Security.Principal.SecurityIdentifier]) -ne $objUser) { $acl.setOwner($objUser) Set-Acl $file.FullName $acl Set-Attr $result "changed" $true; } If ($recurse) { $files = Get-ChildItem -Path $path -Force -Recurse ForEach($file in $files){ $acl = Get-Acl $file.FullName If ($acl.getOwner([System.Security.Principal.SecurityIdentifier]) -ne $objUser) { $acl.setOwner($objUser) Set-Acl $file.FullName $acl Set-Attr $result "changed" $true; } } } } Catch { Fail-Json $result "an error occured when attempting to change owner on $path for $user" } Exit-Json $result