Tuesday, November 24, 2015

Set-ACL "The Security Identifier is not allowed to be the owner of this object"

When using PowerShell to set the DACL of an object, you may get the error:

"The Security Identifier is not allowed to be the owner of this object"

from code like the following (the $UserName value is a placeholder for the account you are granting access to):

$UserName = "DOMAIN\SomeUser"   # placeholder identity, replace with the real account
$FolderPath = "C:\Temp"
$ACL = Get-ACL $FolderPath
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserName, "Modify, Synchronize", "ContainerInherit, ObjectInherit", "None", "Allow")
$ACL.SetAccessRule($AccessRule)
Set-ACL $FolderPath $ACL

The mystery for me was that I wasn't trying to modify the owner, just the DACL. The interesting thing about this case is that the issue lies with Get-ACL, not Set-ACL.

Whaaa! Well, the limited options of Get-ACL mean that you always read the full security descriptor (owner, primary group and DACL), whether you intended to or not. When you then write back a modified version of what you read, you are also writing the owner attribute. Windows only lets a caller set an owner to itself (or to a group it is entitled to assign) unless it holds SeRestorePrivilege, so writing back someone else's owner SID is rejected even though the value has not changed.

The solution is to replace

$ACL = Get-ACL $FolderPath

With

$ACL = (Get-Item $FolderPath).GetAccessControl('Access')

The GetAccessControl('Access') method ('Access' is the AccessControlSections.Access enum value) reads only the DACL, so the descriptor you write back carries no owner and Set-ACL is not trying to write something you did not intend to. Running Get-ACL afterwards is a quick way to confirm that the new rule is present and the owner is unchanged.
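The same fix wrapped in a reusable function, as an added example that is not the blog author's code. The function name Add-DaclAccessRule, the Core-edition branch (on PowerShell 7 GetAccessControl is an extension method in System.IO.FileSystem.AccessControl, so it is called through the static [System.IO.FileSystemAclExtensions] helper rather than on the object), and the identity "DOMAIN\SomeUser" are my assumptions and placeholders; it assumes the target folder exists and that the caller is permitted to change its DACL.

```powershell
# Added example (not the blog author's code): add a DACL entry without touching
# the owner, then verify the result. Function name and the PowerShell 7 branch
# are assumptions; "DOMAIN\SomeUser" is a placeholder identity.
function Add-DaclAccessRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify, Synchronize'
    )

    $item     = Get-Item -LiteralPath $Path
    $sections = [System.Security.AccessControl.AccessControlSections]::Access

    # Record the owner before the change so we can prove it was not rewritten.
    $ownerBefore = (Get-Acl -LiteralPath $Path).Owner

    # Read ONLY the DACL. Windows PowerShell exposes GetAccessControl as an
    # instance method; PowerShell 7 (.NET Core) only has the extension method.
    if ($PSVersionTable.PSEdition -eq 'Core') {
        $acl = [System.IO.FileSystemAclExtensions]::GetAccessControl($item, $sections)
    } else {
        $acl = $item.GetAccessControl($sections)
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')

    # AddAccessRule merges with existing entries for this identity;
    # SetAccessRule (as in the post) replaces them. Either works here.
    $acl.AddAccessRule($rule)

    # The descriptor carries no owner, so only the DACL is written.
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Post-change check: the rule must be present and the owner untouched.
    $after   = Get-Acl -LiteralPath $Path
    $present = $after.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $Rights) -eq $Rights
    }

    [pscustomobject]@{
        Path           = $Path
        OwnerBefore    = $ownerBefore
        OwnerAfter     = $after.Owner
        OwnerUnchanged = ($ownerBefore -eq $after.Owner)
        RuleApplied    = [bool]$present
    }
}

# Usage (placeholder identity):
# Add-DaclAccessRule -Path 'C:\Temp' -Identity 'DOMAIN\SomeUser'
```

The returned object makes the outcome explicit: OwnerUnchanged should be $true and RuleApplied $true. If RuleApplied is $false, the identity string usually does not match how Windows resolves the account (for example a local account must be written as "COMPUTERNAME\User"), which is worth checking before assuming the ACL write failed.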

Cheers!

1 comment:


1. This is a perfect way to change permissions, instead of using external modules.
   Thank you for this :)

   This helped me so much.