How to Find All Files Owned by a Specific User in Batch Script
In Windows systems administration, knowing who owns what is often more important than knowing who has access. The "Owner" of a file has the unique ability to change its permissions, even if they are currently denied access by the ACL. Identifying all files owned by a specific user, such as a former employee or a service account that is consuming too much disk space, is a foundational task for auditing and maintenance.
While you can see ownership in the "Security" tab of a file's properties, searching for ownership across thousands of files requires a Batch script. In this guide, we will use the dir /Q command and the icacls utility to track down a specific user's footprint across the file system.
Method 1: Finding Ownership with DIR /Q
The most direct way to find files by owner in a Batch script is the dir /Q command, which displays the owner of each file alongside the standard directory listing details. By combining it with findstr, you can filter the output to show only files owned by a specific user.
The Ownership Report Script
```batch
@echo off
setlocal
:: Define who we are looking for and where
set "searchUser=jdoe"
set "searchRoot=D:\DataStorage"
set "reportFile=owner_audit_report.txt"
echo Searching for files owned by %searchUser% in %searchRoot%...
echo This may take a while depending on the folder size.
echo --------------------------------------------------
:: /S = Recursive through subdirectories
:: /Q = Display the owner of each file
:: findstr filters the output to lines containing the target username
dir /S /Q "%searchRoot%" 2>nul | findstr /i /C:"%searchUser%" > "%reportFile%"
if %ERRORLEVEL% EQU 0 (
    echo.
    echo Files found. Results saved to %reportFile%.
) else (
    echo.
    echo No files owned by %searchUser% were found.
)
echo --------------------------------------------------
endlocal
pause
```
The output includes dates, file sizes, and the owner's identity (displayed as DOMAIN\username), making it suitable for readable audit reports. Note that because findstr performs a substring match across the entire line, it may produce false positives if the username also appears in a file path or filename.
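The false-positive problem above comes from matching the whole line. The following script is an added example (not part of the original guide) that matches only the owner column and turns each hit into a full path. It assumes the output shape of dir /Q that the guide describes: the owner is printed as DOMAIN\user (or MACHINE\user) and is followed by at least one padding space before the file name, and each folder is introduced by a line starting with " Directory of ". The user and root are the guide's placeholders. Because delayed expansion is enabled, file names containing "!" would be mangled, which is a known limitation of this technique.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Added example, not from the original guide: anchored owner matching with full paths.
:: Assumes dir /Q prints "DOMAIN\user" padded with a space before the file name.
set "searchUser=jdoe"
set "searchRoot=D:\DataStorage"
set "reportFile=owner_audit_paths.txt"

if exist "%reportFile%" del "%reportFile%"
set "currentDir="
set "count=0"

:: "delims=" keeps each line whole, leading spaces included.
for /f "usebackq delims=" %%L in (`dir /S /Q "%searchRoot%" 2^>nul`) do (
    set "line=%%L"
    if "!line:~0,14!"==" Directory of " (
        rem Remember the folder so file lines can be turned into full paths.
        set "currentDir=!line:~14!"
    ) else (
        rem Remove the text backslash-user-space from the line. If the line changed,
        rem the owner column held the user. A file name never contains a backslash,
        rem and folder lines are handled above, so paths cannot trigger a match.
        set "test=!line:\%searchUser% =!"
        if not "!test!"=="!line!" (
            rem Everything after the owner column, minus the padding, is the file name.
            set "name=!line:*\%searchUser% =!"
            for /f "tokens=* delims= " %%N in ("!name!") do set "name=%%N"
            if not "!name!"=="." if not "!name!"==".." (
                >>"%reportFile%" echo !currentDir!\!name!
                set /a count+=1
            )
        )
    )
)
echo %count% entries written to %reportFile%.
endlocal
pause
```

The redirection is placed before the echo so that a file name ending in a digit (for example report1) is not misread as a handle redirection such as 1>>. The substring test uses cmd's own string replacement, which is case-insensitive, so it matches the /i behaviour of the original findstr filter.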
Method 2: Finding ACL References with ICACLS /FINDSID
While dir /Q searches file ownership, the icacls /findsid switch serves a complementary purpose: it scans a directory tree and returns files where the specified user or SID appears in the Access Control List. This does not search ownership, but it is valuable for building a complete picture of a user's footprint on the file system, showing everywhere they have been explicitly granted or denied permissions.
The ACL Search Script
```batch
@echo off
setlocal
:: Define who we are looking for and where
set "targetUser=DOMAIN\jdoe"
set "searchRoot=D:\DataStorage"
echo Searching for ACL entries referencing %targetUser% in %searchRoot%...
echo This may take a while depending on the folder size.
echo --------------------------------------------------
:: /findsid = List files where this user or SID appears in the ACL
:: /T = Traverse subdirectories (recursion)
:: /C = Continue on errors (skip locked files)
icacls "%searchRoot%" /findsid "%targetUser%" /T /C
echo --------------------------------------------------
endlocal
pause
```
Comparison: DIR /Q vs. ICACLS /FINDSID
| Feature | dir /Q with findstr | icacls /findsid |
|---|---|---|
| What it finds | Files owned by the specified user | Files where the user appears in the ACL |
| Recursion | Native (/S) | Native (/T) |
| Output detail | Date, size, owner, and filename | File paths and ACL entries |
| Limitations | Text matching may produce false positives if the username appears in file paths | Does not search ownership |
Handling deleted accounts: When a user is deleted from Active Directory, their human-readable name is replaced by a raw SID string (e.g., S-1-5-21-...) in both ownership records and ACL entries. If you are searching for a former employee whose account has been deleted, you must search using their SID rather than their username. Both dir /Q (which displays the raw SID as the owner) and icacls /findsid (which accepts a SID string as input) can work with these orphaned identifiers, provided you know the SID.
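The script below is an added example (not part of the original guide) that puts the SID-based search into practice. Given a SID it runs both tools from this guide against it; given the keyword "orphans" it lists every file whose owner column is an unresolved SID, which is how you find leftovers from deleted accounts without knowing their SIDs in advance. It assumes that the accounts of interest are domain or local accounts, whose SIDs start with S-1-5-21-; the SID in the usage comment is constructed, not a real identifier.

```batch
@echo off
setlocal
:: Added example, not from the original guide: ownership and ACL audit by SID.
:: Assumes domain and local account SIDs start with S-1-5-21- (constructed SID below).
::   sid_audit.cmd S-1-5-21-1111111111-2222222222-3333333333-1001 D:\DataStorage
::   sid_audit.cmd orphans D:\DataStorage
set "target=%~1"
set "searchRoot=%~2"
if not defined target (
    echo Usage: %~nx0 ^<SID^|orphans^> [root]
    exit /b 2
)
if not defined searchRoot set "searchRoot=D:\DataStorage"
set "ownerReport=sid_owner_report.txt"
set "aclReport=sid_acl_report.txt"

if /i "%target%"=="orphans" (
    rem dir /Q prints the raw SID when the owner no longer resolves, so an owner
    rem column starting with S-1-5-21- is an orphaned account. Folder header lines
    rem are dropped first so a path containing the same text cannot match.
    dir /S /Q "%searchRoot%" 2>nul | findstr /v /b /c:" Directory of" | findstr /c:" S-1-5-21-" > "%ownerReport%"
    echo icacls /findsid needs a specific SID, so no ACL report is produced in orphans mode.
) else (
    rem Reject anything not shaped like an account SID, so a typo does not
    rem silently produce an empty report.
    echo %target%| findstr /r /b /c:"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-[0-9]*$" >nul || (
        echo "%target%" is not a domain or local account SID.
        exit /b 2
    )
    rem Spaces on both sides keep the match on the owner column only.
    dir /S /Q "%searchRoot%" 2>nul | findstr /c:" %target% " > "%ownerReport%"
    icacls "%searchRoot%" /findsid "%target%" /T /C > "%aclReport%" 2>&1
    echo ACL entries referencing %target% saved to %aclReport%.
)
for /f %%C in ('type "%ownerReport%" ^| find /c /v ""') do echo %%C ownership entries saved to %ownerReport%.
endlocal
```

Run it from the folder where the reports should land. The SID shape check is deliberately strict (four numeric groups after S-1-5-21-) so that a pasted name or a truncated SID fails fast instead of producing a report that looks valid but is empty.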
Handling Large Scans
Scanning an entire 10TB file server for ownership is a heavy operation. It requires opening the security metadata of every single file on the disk.
Best Practices for Large Audits:
- Run as Administrator: If the script lacks permission to read a folder, it cannot see who owns the files inside it.
- Output to File: Always redirect output to a report file instead of printing to the screen. Console output is significantly slower than writing directly to a disk file.
- Target Subdirectories: Instead of scanning C:\ from the root, narrow your search to specific user profile directories or share roots.
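The three practices above fit naturally into one driver script. The following is an added example (not part of the original guide): it refuses to run without elevation, scans a list of share roots instead of a whole drive, and writes one report per root to disk. The share paths and the user are constructed placeholders; the elevation check relies on the common observation that net session fails with access denied from a non-elevated console.

```batch
@echo off
setlocal
:: Added example, not from the original guide: elevated, per-root ownership audit.
:: The roots and user below are constructed placeholders.
set "searchUser=jdoe"
set "reportDir=%~dp0reports"
set roots="D:\Shares\Finance" "D:\Shares\Engineering" "E:\UserProfiles"

:: net session only succeeds from an elevated console. Without elevation,
:: unreadable folders would simply be missing from the report.
net session >nul 2>&1 || (
    echo Run this audit from an elevated command prompt.
    exit /b 1
)
if not exist "%reportDir%" mkdir "%reportDir%"

for %%R in (%roots%) do call :scanRoot "%%~R"
echo Reports are in "%reportDir%".
endlocal
exit /b 0

:scanRoot
:: %1 = share root. One report per root, named from its drive letter and folder.
set "root=%~1"
if not exist "%root%\" (
    echo Skipping "%root%": not found or not accessible.
    exit /b 0
)
set "drive=%~d1"
set "report=%reportDir%\owner_%drive::=%_%~nx1.txt"
echo [%DATE% %TIME%] Scanning "%root%" for files owned by %searchUser%...
rem Drop the folder header lines, then keep rows whose owner column is the user
rem preceded by the domain backslash and followed by the padding space.
rem Output goes straight to disk rather than the console.
dir /S /Q "%root%" 2>nul | findstr /v /b /c:" Directory of" | findstr /i /c:"\%searchUser% " > "%report%"
for /f %%C in ('type "%report%" ^| find /c /v ""') do echo     %%C entries written to "%report%"
exit /b 0
```

Each report is named owner_<drive>_<folder>.txt under a reports folder next to the script, so the audit of a large server can be split across several runs and compared afterwards without re-scanning roots that have already been covered.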
Conclusion
Finding files by owner via Batch script provides a level of transparency that graphical tools simply cannot match. Use dir /Q to search file ownership directly, and complement it with icacls /findsid to discover where a user has been granted or denied permissions. Together, these tools give you a complete picture of a user's footprint across the file system. Regular ownership audits help manage disk quotas effectively and ensure that system-level files remain under administrative control.