Unable to set ACL using Set-ACL when not admin on ACL protected folder
Michael V DK
6/3/2013 11:43:13 PM
Under certain conditions, PowerShell's Set-ACL fails when trying to set permissions on a folder on an NTFS volume.
Set-ACL : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At line:48 char:1
+ Set-ACL -path $path -AclObject $ACL
+ CategoryInfo : PermissionDenied: (\\server\share\subfolder1:String) [Set-Acl], PrivilegeNotHeldException
+ FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand
1) You are not an admin on the file server
2) The folder has ACL protection enabled (disabled inheritance from parent)
3) You do have full control access and ownership of the folder
Issue found using PowerShell v2 and v3
The same change can be done with success under the same conditions using:
The issue is that Set-ACL tries to write the whole ACL (Access + Audit + Owner). If you only try to write the Access part, then the error doesn't occur. See example in the expected results section.
It would be great if Set-ACL did the following:
Only tried to write what has been changed, so if I only changed the Access part of the ACL, then it only tries to write that back. Then the above should work.
(I guess this is the way Windows Explorer is working)
- or -
Had a parameter that lets you decide which part of the ACL you want to write.
Microsoft Support case # 113052910473011
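
The Access-only write described above, as an added PowerShell example that is not part of the original report. It assumes Windows PowerShell on the .NET Framework; the function name Add-FolderAccessRule and the identity CONTOSO\ExampleGroup are hypothetical placeholders.

```powershell
# Added example, not from the original report.
# Assumes Windows PowerShell (.NET Framework), where DirectoryInfo exposes
# GetAccessControl(AccessControlSections) and SetAccessControl().
function Add-FolderAccessRule {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    $folder = Get-Item -LiteralPath $Path -ErrorAction Stop
    if (-not $folder.PSIsContainer) { throw "Not a folder: $Path" }

    # Load ONLY the Access (DACL) section. Owner, group and audit
    # sections are not read into this security descriptor object.
    $sections = [System.Security.AccessControl.AccessControlSections]::Access
    $acl = $folder.GetAccessControl($sections)

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    # Write back through the .NET object instead of Set-Acl, so only the
    # Access section that was loaded and modified is written.
    if ($PSCmdlet.ShouldProcess($Path, "Add $Rights for $Identity")) {
        $folder.SetAccessControl($acl)
    }

    # Return the explicit (non-inherited) rules now on the folder for review.
    $folder.GetAccessControl($sections).Access |
        Where-Object { -not $_.IsInherited }
}

# Dry run against the path from the error message; the identity is a placeholder.
Add-FolderAccessRule -Path '\\server\share\subfolder1' `
    -Identity 'CONTOSO\ExampleGroup' -Rights Modify -WhatIf
```

Remove -WhatIf to apply the change; the returned rule list shows whether the new entry is present and that inheritance protection on the folder is unchanged.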