Tuesday, November 3, 2015

"The Security Identifier Is Not Allowed To Be The Owner Of The Object" when using Set-ACL

When you get the error "The Security Identifier Is Not Allowed To Be The Owner Of The Object" from Set-ACL in PowerShell, it really raises two questions:

1 - Why can the account not be the owner?
2 - Why is Set-ACL trying to change the owner?

Let's focus on number (2). (The short answer to (1): unless your token holds SeRestorePrivilege, Windows only lets you set an object's owner to your own SID or to a group in your token that is marked as an owner candidate, such as Administrators in an elevated session, so a security descriptor copied from an object owned by someone else cannot be written back with its owner intact.)

Get-ACL is a powerful command and extremely useful, however, in its current form it has limitations and is missing some features. It always reads the full security descriptor (owner, group and DACL) even if you just want to change the DACL, and Set-ACL writes back every section the object carries. That is why it always tries to write the OWNER even if you have not changed it. The alternative is to use the 'GetAccessControl' method of the file/folder object you are trying to change and ask for only the 'Access' section (the DACL), so the resulting object carries no owner at all. So instead of doing this:

$MyNewACLObject = Get-ACL "C:\Temp"

Do this:

$MyNewACLObject = (Get-Item "C:\Temp").GetAccessControl('Access')

Then you can pass $MyNewACLObject to Set-ACL without getting the error, because the object contains only a DACL and there is no owner for Set-ACL to write. Here is an example that applies the DACL read from C:\Temp to a different folder:

Set-ACL -Path "C:\New Folder" -AclObject $MyNewACLObject
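A complete version of the procedure above, as an added example that is not part of the original post: it copies only the DACL from a source folder to a target folder, checks that the descriptor really carries no owner before writing, supports -WhatIf, and reports whether the target's owner survived the write. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the paths in the usage call are placeholders. The PowerShell 7 branch calls FileSystemAclExtensions.GetAccessControl explicitly, because on PowerShell 7 GetAccessControl is an extension method that is not exposed as an instance method on the DirectoryInfo/FileInfo object returned by Get-Item.

```powershell
# Added example (not from the original post). Copies the DACL of $SourcePath
# onto $TargetPath without ever touching the owner, which is what triggers
# "The Security Identifier Is Not Allowed To Be The Owner Of The Object".
function Copy-DaclOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourcePath,
        [Parameter(Mandatory)][string]$TargetPath
    )

    $source = Get-Item -LiteralPath $SourcePath
    $access = [System.Security.AccessControl.AccessControlSections]::Access

    # Read only the DACL section. 'Access' maps to AccessControlSections.Access,
    # so the FileSecurity/DirectorySecurity object we get back has no owner or group.
    if ($PSVersionTable.PSEdition -eq 'Core') {
        # PowerShell 7: GetAccessControl is an extension method in
        # System.IO.FileSystem.AccessControl and must be called explicitly.
        $sd = [System.IO.FileSystem.AccessControl.FileSystemAclExtensions]::GetAccessControl($source, $access)
    } else {
        # Windows PowerShell 5.1: the instance method from the original post.
        $sd = $source.GetAccessControl('Access')
    }

    # Sanity check: GetOwner returns $null when the owner section was not read.
    # If an owner is present, Set-Acl would try to write it, so refuse to continue.
    if ($null -ne $sd.GetOwner([System.Security.Principal.SecurityIdentifier])) {
        throw "Security descriptor read from '$SourcePath' unexpectedly contains an owner; aborting."
    }

    $ownerBefore = (Get-Acl -LiteralPath $TargetPath).Owner

    if ($PSCmdlet.ShouldProcess($TargetPath, "Replace DACL with the DACL of '$SourcePath'")) {
        Set-Acl -LiteralPath $TargetPath -AclObject $sd
    }

    # Confirm we only changed the DACL: the owner must be exactly what it was.
    $result = Get-Acl -LiteralPath $TargetPath
    if ($result.Owner -ne $ownerBefore) {
        Write-Warning "Owner of '$TargetPath' changed from '$ownerBefore' to '$($result.Owner)'"
    }

    $result | Select-Object Owner, AccessToString
}

# Usage (placeholder paths): preview first, then apply.
Copy-DaclOnly -SourcePath 'C:\Temp' -TargetPath 'C:\New Folder' -WhatIf
Copy-DaclOnly -SourcePath 'C:\Temp' -TargetPath 'C:\New Folder'
```

Two things worth knowing when you run it: inherited entries in the source DACL are not turned into explicit entries on the target (the target keeps inheriting from its own parent), and if you actually do need to change the owner, this function is the wrong tool; that requires a SID your token is allowed to own, or SeRestorePrivilege.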

Cheers!
