Tuesday, November 24, 2015

Set-ACL "The Security Identifier is not allowed to be the owner of this object"

When using PowerShell to set the DACL of a file or folder you may get the error:

"The Security Identifier is not allowed to be the owner of this object"

$FolderPath = "C:\Temp"
$UserName = "DOMAIN\User"                 # the account to grant; replace with a real principal
$ACL = Get-ACL $FolderPath                # reads the whole security descriptor, owner included
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserName, "Modify, Synchronize", "ContainerInherit, ObjectInherit", "None", "Allow")
$ACL.SetAccessRule($AccessRule)           # only the DACL is changed here...
Set-ACL $FolderPath $ACL                  # ...but the owner is written back as well, which is what triggers the error

The mystery for me was that I wasn't trying to modify the owner, just the DACL. The interesting thing about this case is that the problem starts with Get-ACL.

Whaaa! Well, Get-ACL has no way to ask for just part of the security descriptor: it always reads the whole thing, owner included, whether you intended to or not. Set-ACL then writes back everything in the object you hand it, so a DACL edit turns into an attempt to write the owner too. Windows only accepts an owner SID that the calling token is allowed to own (in practice your own account, or a group your token marks as an owner candidate); writing any other SID, even if it is the value already on the object, needs SeRestorePrivilege. So if the folder is owned by Administrators, TrustedInstaller or another user and you are not running elevated, the write is rejected with the error above.

The solution is to replace

$ACL = Get-ACL $FolderPath

With

$ACL = (Get-Item $FolderPath).GetAccessControl('Access')

The GetAccessControl('Access') call reads only the DACL section, so the object you hand to Set-ACL carries no owner (and no group or SACL, which would need SeSecurityPrivilege) to write back. You end up writing exactly what you changed and nothing you did not intend to.
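Putting the fix together, here is an added example that is not code from the original post: it grants a Modify ACE using the DACL-only read, then checks that the owner really was left alone. C:\Temp and the current user are placeholder values, and Get-DaclOnly is a helper name introduced here. The PowerShell 7 branch exists because on .NET Core GetAccessControl is an extension method, which PowerShell does not bind as an instance method on the DirectoryInfo object, so it is called through the extension class directly.

```powershell
# Added example: apply a Modify ACE to a folder without writing the owner, then verify.
# Assumptions: the folder path and the principal below are placeholders.
$FolderPath = 'C:\Temp'
$UserName   = "$env:USERDOMAIN\$env:USERNAME"   # assumed: grant the current user

# Read only the DACL section of the security descriptor.
# Windows PowerShell 5.1: (Get-Item ...).GetAccessControl('Access') as in the post.
# PowerShell 7: GetAccessControl is an extension method in System.IO.FileSystemAclExtensions.
function Get-DaclOnly {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        return [System.IO.FileSystemAclExtensions]::GetAccessControl(
            $item, [System.Security.AccessControl.AccessControlSections]::Access)
    }
    return $item.GetAccessControl('Access')
}

# Record the owner before the change so we can prove it was not touched.
$ownerBefore = (Get-Acl -LiteralPath $FolderPath).Owner

$acl  = Get-DaclOnly -Path $FolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $UserName,
    'Modify, Synchronize',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')
$acl.SetAccessRule($rule)

# The object holds only the DACL, so Set-Acl has no owner to write back.
Set-Acl -LiteralPath $FolderPath -AclObject $acl

# Verify: owner unchanged, and the new ACE is present on the folder.
$after = Get-Acl -LiteralPath $FolderPath
if ($after.Owner -ne $ownerBefore) {
    throw "Owner changed from '$ownerBefore' to '$($after.Owner)'"
}
$granted = $after.Access | Where-Object { $_.IdentityReference.Value -eq $UserName }
if (-not $granted) {
    throw "No ACE for $UserName found on $FolderPath"
}
$granted | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

If you do need to change the owner as well, that is a separate operation: read the descriptor with the Owner section included and run from a token that holds SeRestorePrivilege (an elevated administrator), rather than letting it ride along with an unrelated DACL edit.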

Cheers!

10 comments:


  1. This is a perfect way to change permissions, instead of using external modules.
    Thank you for this :)

    This helped me so much.
  2. Hugely helpful!! Many thanks!
  3. Gee - I just had the same problem and this article helped me solve it in 2 minutes. Thanks!!!

    Bastian
  4. Six years after, still useful. Thank you!
  5. Awesome post. Thank you. Still relevant today!
  6. Much thanks! Helped me a lot.
  7. Just wanted to one-up saying this was useful.
    Once I knew this I wrote the command like
    Set-Acl $target (Get-Item $source).GetAccessControl('Access')
    to have it on one line.
  8. Very helpful for unlocking and re-locking the "C:\Windows\System32\spool\drivers" path allowing Windows Server Backups when the system has the PrintNightmare mitigation implemented. Thank you so much for the guidance!