
Object owner can't use Set-Acl to change permissions on an object they denied access to by Andrew Savinykh


Status: Active
Type: Bug
ID: 583905
Opened: 8/6/2010 3:49:17 AM
Access Restriction: Public
4 Workaround(s)
4 User(s) can reproduce this bug

Description

Normally, if a person owns an object, even if they don't have permissions for the object, they can change the permissions.

The Set-Acl cmdlet seems to contain a bug that causes a failure if the owner of an object tries to change permissions on the object while they don't have rights to the object.
Posted by doraz on 6/2/2011 at 2:06 PM
I've got the same problem, but it seems to happen only when I run PowerShell in admin mode; otherwise it does NOT give any error and it works correctly!
Posted by Bastien B on 11/4/2013 at 8:29 AM
I had the same on Active Directory objects / Windows 2012
I found a way to make it work in this thread: http://social.technet.microsoft.com/Forums/fr-FR/2fb86543-a6bc-4814-abb0-403816529c26/active-diretory-permissions-fail-with-setacl?forum=winserverpowershell

$ADSI = [ADSI]"LDAP://$Path"
...
$ADSI.psbase.ObjectSecurity.SetAccessRule($ACE)
$ADSI.psbase.commitchanges()

I have not tested with DirectoryEntry objects
Posted by bugzapper on 2/10/2012 at 12:31 PM
This worked for me on Windows 8 pre-beta builds. I haven't tried other OSes, but don't expect issues.

Replace "Set-Acl -AclObject $acl -Path $Path" in the PowerShell script with one of the following (first is for folders, 2nd is for files):

[System.IO.Directory]::SetAccessControl($Path, $acl)

[System.IO.File]::SetAccessControl($Path, $acl)
Posted by Craig S Williams on 8/15/2011 at 12:57 PM
Can you give an example of the method call you're using?
Posted by Andrew Savinykh on 8/6/2010 at 3:53 AM
Using the .NET API to change the ACL directly instead of using Set-Acl works around this issue.
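
The file and folder workarounds above, combined into one function as an added example that is not part of the original thread. The name Set-AclViaDotNet and the sample path and account are hypothetical, and it assumes Windows PowerShell on .NET Framework, where these static methods exist.

```powershell
# Added example; Set-AclViaDotNet is a hypothetical helper name, not a built-in cmdlet.
# Assumes Windows PowerShell on .NET Framework, where these static methods exist.
function Set-AclViaDotNet {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,

        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.FileSystemSecurity] $Acl
    )

    # .NET resolves relative paths against the process working directory, not the
    # PowerShell location, so turn the PowerShell path into a full provider path first.
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)

    if (-not $PSCmdlet.ShouldProcess($fullPath, 'Apply ACL through System.IO')) { return }

    # Pick the overload from the descriptor type rather than probing the path,
    # which the caller may not be able to read yet.
    if ($Acl -is [System.Security.AccessControl.DirectorySecurity]) {
        [System.IO.Directory]::SetAccessControl($fullPath, $Acl)
        return [System.IO.Directory]::GetAccessControl($fullPath)
    }
    [System.IO.File]::SetAccessControl($fullPath, $Acl)
    # Return the descriptor as re-read from disk so the caller can verify the change.
    [System.IO.File]::GetAccessControl($fullPath)
}

# Usage with constructed sample values (path and account are placeholders):
# $path = 'C:\Temp\locked-folder'
# $acl  = Get-Acl -LiteralPath $path
# $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
#             'CONTOSO\alice', 'FullControl',
#             'ContainerInherit,ObjectInherit', 'None', 'Allow')
# $acl.AddAccessRule($rule)
# Set-AclViaDotNet -Path $path -Acl $acl -Verbose
```

Run it with -WhatIf first to confirm the resolved path before any descriptor is written.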