(HELP) Cannot run set-acl getting error message.

by jawhitm at 2012-12-12 02:18:01

I am trying to run the following script block and I am getting error:

Set-Acl : The security identifier is not allowed to be the owner of this object
.
At line:20 char:8
+ Set-Acl <<<< -Path D:\Folder -AclObject $acl
+ CategoryInfo : InvalidOperation: (D:\Folder:String)
[Set-Acl], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Power
Shell.Commands.SetAclCommand


The following is additonal information:

1. I am running this script from the server I wish to set the folder permissions on. (This script is part of a bigger script)
2. The owner of the folder is System
3. The user account name has been changed to UserToAdd
4. I am an administrator on this server

I have changed the actual folder name to Folder as to well obsecure the actual name.

$ACL = Get-Acl -Path D:\Folder
#List Users/Groups with permissions
$ACL.Access | Select IdentityReference, FileSystemRights
#Remove All non-inherited Permissions
$ACL.Access | ForEach-Object {
if ($.IsInherited -eq $False)
{
$acl.RemoveAccessRule($
)
}
}

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(“UserToAdd”,“ReadAndExecute”, “ContainerInherit, ObjectInherit”, “None”, “Allow”)
$ACL.AddAccessRule($rule)
Set-Acl -Path D:\Folder -AclObject $acl

Once the set-acl -path D:\folder -aclobject $acl is ran is when I get the above error message.

I have ran this script on other servers without issues. It is just this one server I am running it on and it is throwing that message. I am not sure why it is throwing that error message considering I am not trying to change the owner of the folder. I am trying to add Read And Execute permissions to a folder.

Your assistance is greatly appreciated.

Thank you.
by nohandle at 2012-12-12 02:49:51
[quote=“jawhitm”]The security identifier is not allowed to be the owner of this object[/quote]
hope this helps:
http://www.bilalaslam.com/2010/12/14/po … h-set-acl/

replace:
$ACL = Get-Acl -Path D]with this$ACL = (Get-Item "D]If not let us know.
by jawhitm at 2012-12-13 14:34:21
That fixed it. Thank you Jakub
by jawhitm at 2012-12-13 14:47:30
Actually I was wrong. Did this on another server. And same error message. This issue is not solved
by nohandle at 2012-12-13 15:07:19
still the same error message?
by jawhitm at 2012-12-13 23:37:17
Yes still the same error message.
by nohandle at 2012-12-14 01:25:10
If you examine the ACL object in the $ACL variable, is only the Access (and SDDL) property filled and the rest is empty?
Preferebly review it right before the Set command as such:
$ACL.AddAccessRule($rule)
#add this here
$ACL | fl
Set-Acl -Path D:\Folder -AclObject $acl
by jawhitm at 2012-12-20 11:33:53
Doing the $ACL | fl

The path is blank

The owner is saying it is the System Account. Even though looking at the folder the Administrators group is the owner. The Access is filled in with all of the groups and their required access. Audit is blank and Sddl is filled in. so only the path is blank and everything else is filled out
by nohandle at 2012-12-21 02:32:50
can you show me whole output? obfuscate the data if you need, I am only iterested if you get something like this:

Path :
Owner :
Group :
Access : BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow Modify, Synchronize
Audit :
Sddl : D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)

Where the path, owner, group, and audit are empty. That way the set-acl cmdlet tries to set only the access rules and you shouldn’t get the error.