(HELP) Cannot run set-acl getting error message.

by jawhitm at 2012-12-12 02:18:01

I am trying to run the following script block and I am getting error:

Set-Acl : The security identifier is not allowed to be the owner of this object.
At line:20 char:8
+ Set-Acl <<<< -Path D:\Folder -AclObject $acl
+ CategoryInfo : InvalidOperation: (D:\Folder:String) [Set-Acl], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand


The following is additional information:

1. I am running this script from the server I wish to set the folder permissions on. (This script is part of a bigger script)
2. The owner of the folder is System
3. The user account name has been changed to UserToAdd
4. I am an administrator on this server

I have changed the actual folder name to Folder so as to obscure the actual name.

$ACL = Get-Acl -Path D:\Folder
#List Users/Groups with permissions
$ACL.Access | Select IdentityReference, FileSystemRights
#Remove All non-inherited Permissions ($_ is the current rule in the pipeline)
$ACL.Access | ForEach-Object {
    if ($_.IsInherited -eq $False)
    {
        $ACL.RemoveAccessRule($_)
    }
}

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("UserToAdd","ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
$ACL.AddAccessRule($rule)
Set-Acl -Path D:\Folder -AclObject $ACL

Once the set-acl -path D:\folder -aclobject $acl is run is when I get the above error message.

I have run this script on other servers without issues. It is just this one server I am running it on and it is throwing that message. I am not sure why it is throwing that error message considering I am not trying to change the owner of the folder. I am trying to add Read And Execute permissions to a folder.

Your assistance is greatly appreciated.

Thank you.
by nohandle at 2012-12-12 02:49:51
jawhitm wrote: "The security identifier is not allowed to be the owner of this object"
hope this helps:
http://www.bilalaslam.com/2010/12/14/po … h-set-acl/

replace:
$ACL = Get-Acl -Path D:\Folder
with this:
$ACL = (Get-Item "D:\Folder").GetAccessControl("Access")
If not, let us know.
by jawhitm at 2012-12-13 14:34:21
That fixed it. Thank you Jakub
by jawhitm at 2012-12-13 14:47:30
Actually I was wrong. Did this on another server. And same error message. This issue is not solved
by nohandle at 2012-12-13 15:07:19
still the same error message?
by jawhitm at 2012-12-13 23:37:17
Yes still the same error message.
by nohandle at 2012-12-14 01:25:10
If you examine the ACL object in the $ACL variable, is only the Access (and SDDL) property filled and the rest is empty?
Preferably review it right before the Set command as such:
$ACL.AddAccessRule($rule)
#add this here
$ACL | fl
Set-Acl -Path D:\Folder -AclObject $acl
by jawhitm at 2012-12-20 11:33:53
Doing the $ACL | fl

The path is blank

The owner is saying it is the System account, even though looking at the folder the Administrators group is the owner. The Access is filled in with all of the groups and their required access. Audit is blank and Sddl is filled in. So only the path is blank and everything else is filled out.
by nohandle at 2012-12-21 02:32:50
Can you show me the whole output? Obfuscate the data if you need; I am only interested in whether you get something like this:

Path :
Owner :
Group :
Access : BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow Modify, Synchronize
Audit :
Sddl : D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)

Where the path, owner, group, and audit are empty. That way the set-acl cmdlet tries to set only the access rules and you shouldn’t get the error.
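As an added worked example (not code from the thread or from the linked blog post), the following script puts the whole thread together: it reads an ACL object that carries only the Access section, so Set-Acl writes just the DACL and never tries to set an owner; it removes explicit entries, adds the ReadAndExecute rule, shows the object before writing so you can confirm Owner and Group are empty, and re-reads the folder afterwards. The path D:\Folder and the account UserToAdd are placeholders taken from the thread; substitute your own.

```powershell
# Added example: apply a ReadAndExecute rule using a DACL-only ACL object.
# D:\Folder and UserToAdd are placeholders from the thread, not real values.
param(
    [string]$Path     = 'D:\Folder',   # placeholder folder path
    [string]$Identity = 'UserToAdd'    # placeholder account or group
)

# Get-Acl returns Owner and Group as well, and Set-Acl then tries to write
# the owner back; if the caller is not allowed to assign that owner you get
# "The security identifier is not allowed to be the owner of this object".
# GetAccessControl('Access') returns an object with only the DACL filled in.
$sections = [System.Security.AccessControl.AccessControlSections]::Access
$acl = (Get-Item -LiteralPath $Path).GetAccessControl($sections)

# What is on the folder right now (IsInherited tells explicit from inherited)
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Remove every explicit (non-inherited) entry. @() snapshots the rules first
# so the collection being walked is not the one being modified.
foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($existing)
}

# ReadAndExecute on the folder, inherited by subfolders and files
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity,
    'ReadAndExecute',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)

# Check before writing: Path, Owner and Group should all be empty here, as in
# the output nohandle describes; only Access and Sddl should be populated.
$acl | Format-List Path, Owner, Group, Access, Sddl

# Write only the DACL; the existing owner of the folder is left untouched.
Set-Acl -Path $Path -AclObject $acl

# Verify by reading the folder back and showing the entry for the new identity
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -like "*$Identity*" } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

Run it from an elevated prompt on the server that holds the folder; the Format-List step before Set-Acl is the same check suggested earlier in the thread and is the quickest way to see whether the object you are about to write still carries an owner.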