How do I give administrators access to a folder without destroying current permissions?
Some careful digging reveals that taking ownership sometimes destroys existing permissions and sometimes doesn't. It all seems to depend on whether you try and do it recursively. Note that Windows does warn you when it is going to replace the existing permissions, but (in the GUI at least) it's very easy to just OK the message without reading or understanding it fully.
To see it, you'll need a directory (c:\SomeFolder in this example) that is owned by a different user account and to which you and the administrators group have zero access.
Command Line
Using the command line "takeown" tool:
TAKEOWN /A /R /F c:\SomeFolder
you should see something like
SUCCESS: The file (or folder) "c:\SomeFolder" is now owned by the administrators group.
You do not have permissions to read the contents of the directory "c:\SomeFolder"
Do you want to replace the directory permissions with permissions granting you full control ("Y" for YES, "N" for NO, "C" for CANCEL)?
Note that if you answer yes here, it really does mean replace the permissions. Any existing permissions will get destroyed. If you answer no, you still have no permissions on the folder but are now the owner so can give yourself permissions normally and without destroying any that already exist.
If you don't specify the recursive flag (/R), you don't get the warning and the owner is changed without affecting any other permissions.
GUI
You'll need to use the "security" tab of the properties window to alter anything via the GUI. This gives you two buttons: "continue" and "advanced". Advanced gives you a window with the four tabs: "permissions", "auditing", "owner" and "effective permissions". Continue gives you just the "owner" tab.
If you select a new owner and tick the "apply to sub-folders" box, hitting OK or apply gives you a "Do you want to replace the permissions" message box that, again, really does mean replace permissions. If you don't check the sub-folders box, you don't get the warning and everything behaves as expected.
It is very easy to not read this message box fully, assume it's just another box asking you to confirm something non-destructive and just hit enter to OK it. It's also very easy to assume they couldn't possibly really mean replace because nobody sane would ever want to do that.
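The non-destructive route described in the answer above, written out as an added example (it is not part of the original post). It assumes an elevated PowerShell prompt and the c:\SomeFolder directory from the answer; the backup file path is a hypothetical choice.

```powershell
# Added example: give Administrators access without replacing the existing ACL.
$folder = 'C:\SomeFolder'                    # folder from the answer above
$backup = "$env:TEMP\SomeFolder-acl.txt"     # hypothetical backup location

# 1. Take ownership of the top-level folder only, on behalf of the
#    Administrators group (/A). Without /R, takeown does not prompt to
#    replace permissions and leaves the existing ACL alone.
takeown.exe /A /F $folder
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# 2. The owner can always read the ACL, so save a copy before editing it.
icacls.exe $folder /save $backup
if ($LASTEXITCODE -ne 0) { throw "icacls /save failed with exit code $LASTEXITCODE" }

# 3. Add a full-control entry for BUILTIN\Administrators. The well-known SID
#    S-1-5-32-544 is used so the command does not depend on the OS language.
#    /grant without the :r suffix adds to the explicit entries already
#    present; /grant:r would replace the entries for that account.
#    (OI)(CI) makes the entry inheritable by files and sub-folders; children
#    that have inheritance disabled are not affected by it.
icacls.exe $folder /grant '*S-1-5-32-544:(OI)(CI)F'
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

# 4. List the resulting ACL and confirm the earlier entries are still there
#    next to the new Administrators entry.
icacls.exe $folder
```

Comparing the step 4 output with the saved file from step 2 shows whether anything other than the Administrators entry changed.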
If you are not listed as "can read/change permissions" in the folder's ACL, you cannot change them, no matter who or what you are. All Users, Administrators, Builtins, even nt authority\system, are treated equally by the security code. (The system-wide "Take ownership" privilege is an exception, but it cannot modify the ACL either, only reset it.)
You must log in as someone who is allowed to do this, either directly (username + password) or – if you have a lot of spare time – by doing some SeCreateTokenPrivilege wizardry.