When using PowerShell to set the DACL of an object, you may get the error:
"The Security Identifier is not allowed to be the owner of this object"
# Account to grant access to (placeholder: replace with a real account name)
$UserName = "DOMAIN\SomeUser"
$FolderPath = "C:\Temp"
# Get-ACL reads the whole security descriptor, owner included (this is what causes the error)
$ACL = Get-ACL $FolderPath
# Allow Modify on the folder, inherited by child folders and files
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserName, "Modify, Synchronize", "ContainerInherit, ObjectInherit", "None", "Allow")
$ACL.SetAccessRule($AccessRule)
Set-ACL $FolderPath $ACL
The mystery for me was that I wasn't trying to modify the owner, just the DACL. The interesting thing about this case is that the issue lies with Get-ACL.
Whaaa! Well, the limited feature set of Get-ACL means that you always read the full security descriptor, owner included, whether you intended to or not. That means that when you write the object back based on a modified version of what you read, you are also attempting to write the owner attribute.
The solution is to replace
$ACL = Get-ACL $FolderPath
with
$ACL = (Get-Item $FolderPath).GetAccessControl('Access')
The GetAccessControl('Access') method reads only the DACL, so when you write it back you are not trying to write something you did not intend to.
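The diagnosis above, as an added example that is not part of the original post: it prints the SDDL each read produces so you can see the owner (O:) part that Get-ACL carries and GetAccessControl('Access') omits, applies the rule through the DACL-only path, and then checks that the ACE landed and the owner was left alone. $FolderPath and $UserName are placeholders.

```powershell
# Added example (not from the original post). Both values are placeholders.
$FolderPath = 'C:\Temp'          # placeholder: folder whose DACL you are editing
$UserName   = 'DOMAIN\SomeUser'  # placeholder: account receiving the access

# 1. Why Get-Acl triggers the error: its descriptor carries the owner (O:) and
#    group (G:) parts, and Set-Acl tries to write them back along with the DACL.
$full = Get-Acl -Path $FolderPath
Write-Host "Get-Acl read:                  $($full.GetSecurityDescriptorSddlForm('All'))"

# 2. GetAccessControl('Access') reads the DACL only, so no O:/G: in its SDDL.
$item     = Get-Item -Path $FolderPath
$daclOnly = $item.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
Write-Host "GetAccessControl('Access') read: $($daclOnly.GetSecurityDescriptorSddlForm('All'))"

# 3. The same least-privilege rule the post uses (Modify, not FullControl),
#    inherited by child folders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $UserName,
    [System.Security.AccessControl.FileSystemRights]'Modify, Synchronize',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# 4. Merge the rule into the DACL-only descriptor and write only that back.
$daclOnly.SetAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $daclOnly

# 5. Verify: the new ACE is present and the owner did not change.
$after = Get-Acl -Path $FolderPath
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$ruleLanded = @($after.Access | Where-Object {
    $_.IdentityReference.Value -eq $UserName -and
    (($_.FileSystemRights -band $modify) -eq $modify)
}).Count -gt 0
Write-Host "Modify ACE present for ${UserName}: $ruleLanded"
Write-Host "Owner unchanged:                  $($after.Owner -eq $full.Owner)"
```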
Cheers!
This is a perfect way to change permissions, instead of using external modules.
Thank you for this :)
This helped me so much.
Hugely helpful!! Many thanks!
This worked perfectly! Thanks!
Gee - I just had the same problems and this article helped me solve it in 2 minutes. Thanks!!!
Bastian
Six years after, still useful. Thank you!
Awesome post. Thank you. Still relevant today!
Much thanks! Helped me a lot.
Just wanted to one-up saying this was useful.
Once I knew this I wrote the command like
Set-Acl $target (Get-Item $source).GetAccessControl('Access')
to have it on one line.
This shouldn't be necessary if MS improved Get/Set-ACL, but due to the lack of that you had to do this great job ;-)
Thanks a lot for sharing
Super helpful, thanks!
Thank you for the great solution. Helped me a lot.
This was posted on my birthday (Coincidence? I think not!) 7 years ago - and it's still relevant! Man, you helped me a lot! Many thanks!
Just a baby engineer in her first job dropping in to let you know that this solved my problem in 2022. Thank you!
Very helpful for unlocking and re-locking the "C:\Windows\System32\spool\drivers" path, allowing Windows Server Backups when the system has the PrintNightmare mitigation implemented. Thank you so much for the guidance!
Yep, saved my day