34

I would like to change the ACL of the C: drive. What im trying to do is remove the permission that a user can create a folder directly on the drive. I tested the script on another folder while writing it. It worked without a problem. After completion i tried the script in our test envoirnment on the actual drive. I get an error that i cant figure out. If i remove the permission manualy it works without a problem. Anyone got an idea?

$path = "C:\"

$colRights = [System.Security.AccessControl.FileSystemRights]"CreateDirectories"

$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None 
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None 

$objType =[System.Security.AccessControl.AccessControlType]::Allow 
$objUser = New-Object System.Security.Principal.NTAccount("Authenticated Users") 
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) 

$objACL = Get-ACL $path 
$objACL.RemoveAccessRule($objACE) 

Set-ACL $path $objACL

The error is:

Set-Acl : The security identifier is not allowed to be the owner of this object.
At C:\Users\mhodler\Desktop\Remove Permission.ps1:57 char:8
+ Set-ACL <<<<  $path $objACL
    + CategoryInfo          : InvalidOperation: (C:\:String) [Set-Acl], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand
Anthony Mastrean
  • 21,850
  • 21
  • 110
  • 188
UdK.cH
  • 1,055
  • 1
  • 8
  • 9
  • Found the answer. Sorry for posting it here. I dont have the permission to post an answer to my own question in the next 4hrs. Replace $objACL = Get-ACL $path With $objACL = (get-item $path).getaccesscontrol("Access") – UdK.cH Jul 08 '11 at 12:45

5 Answers5

68

I found the answer. Microsoft says

Unfortunately Get-Acl is missing some features. It always reads the full security descriptor even if you just want to modify the DACL. That’s why Set-ACL also wants to write the owner even if you have not changed it. Using the GetAccessControl method allows you to specify what part of the security descriptor you want to read.

Replace the Get-Acl call with

$acl = (Get-Item $path).GetAccessControl('Access')
Anthony Mastrean
  • 21,850
  • 21
  • 110
  • 188
UdK.cH
  • 1,055
  • 1
  • 8
  • 9
  • Can you cite the Microsoft source please? – Anthony Klotz Mar 28 '18 at 17:49
  • The earliest reference to this I could find was a Dec 14, 2010 blog that quoted Microsoft without citing the source: https://web.archive.org/web/20120107061856/http://www.bilalaslam.com/2010/12/14/powershell-workaround-for-the-security-identifier-is-not-allowed-to-be-the-owner-of-this-object-with-set-acl/ – Bill Menees May 16 '18 at 15:05
  • @AnthonyKlotz the response from MS was from a Microsoft employee "Babak Ramak" in the old TechNet Powershell Forum - https://social.technet.microsoft.com/Forums/windowsserver/en-US/870fab41-439b-4f3a-ace4-cbfe4e41f789/powershell-setacl-use-without-changing-owner?forum=winserverpowershell – Dave Black Apr 01 '20 at 18:45
8

You need the SeRestorePrivilege to set the owner. I used Lee Holmes' script from the URL below to elevate my process with this additional priv and was able to set the owner to someone other than myself.

http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/

I tried the (get-item $path).getaccesscontrol("access") method but still got the same error since my process didn't have the SeRestorePrivilege.

Nick
  • 4,302
  • 2
  • 24
  • 38
pjh
  • 81
  • 1
  • 1
  • 1
    Many thanks for this. Found via Google, and helped me solve a completely different problem. – Justus Grunow Aug 25 '15 at 22:41
  • 2
    Thank you, this was the point for me. I also discovered that a possible workaround to set the owner is to use the "local UNC" version of the path, e.g. if you want to set the owner for C:\test.txt you need to call SetAccessControl method on the item (get-item "\\localhost\C$\test.txt") – Luca Clavarino Oct 27 '15 at 18:30
  • Although this works, I prefer the selected solution about rather using (Get-Item $path).GetAccessControl('Access') to get the ACL object – bergmeister Mar 09 '18 at 09:11
1

The below code works for me:

$ApplicationPoolIdentity = "everyone"

function SetACL()
{
    param (
        [Parameter(Mandatory=$true)]
        [string]        $Path 
    )

    $Acl = (Get-Item $Path).GetAccessControl('Access')
    Write-Host "Path:" $Path "ID:" $ApplicationPoolIdentity
    $Ar = New-Object  system.security.accesscontrol.filesystemaccessrule($ApplicationPoolIdentity,"Write","Allow")
    $Acl.SetAccessRule($Ar)
    Write-Host $Acl
    $Acl | Set-Acl $Path
}

SetACL "C:\Test\"
Muath
  • 4,351
  • 12
  • 42
  • 69
Neel
  • 11
  • 1
0

People may find this easier:

icacls c:\ /remove "authenticated users"
js2010
  • 23,033
  • 6
  • 64
  • 66
-1

$Acl = (Get-Item $Path).GetAccessControl('Access')

Worked for me. I run my PS Script from CMD and in this PS Script i run another PS Script everything works fine as long as i do it with my own User. When i use different User i get the same Error: Set-Acl : The security identifier is not allowed to be the owner of this object.

Just changed Get-ACL to that Line above and it worked fine. Thanks again.

Luka
  • 1