Home Dashboard Directory Help
Search

Unable to set ACL using Set-ACL when not admin on ACL protected folder by Michael V DK


Status: 

Active


2
0
Sign in
to vote
Type: Suggestion
ID: 789418
Opened: 6/3/2013 11:43:13 PM
Access Restriction: Public
0
Workaround(s)
view

Description

Under a sudden condition PowerShell's Set-ACL fails when trying to set permissions on a folder on a NTFS volume.

Error:
Set-ACL : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.

At line:48 char:1

+ Set-ACL -path $path -AclObject $ACL

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo         : PermissionDenied: (\\server\share\subfolder1:String) [Set-Acl], PrivilegeNotHeldException

    + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand


Conditions:

1) Your are not admin on the file server
2) The folder has ACL protection enabled (disabled inheritance from parent)
3) You do have full control access and ownership of the folder

Issue found using PowerShell v2 and v3

The same change kan be done with success under the same conditions using:

Windows Explorer
FileACL.exe
CACLS.exe

The issue is that Set-ACL tries to write the whole ACL (Access + Audit + Owner). If you only try to write the Access part, then the error doesn't occur. See example in the expected results section.

It would be great if Set-ACL did the following:

Only trying to write what have been changed, so if I only changed the Access part of the ACL, then it only tries to write that back. Then the above should work.

(I guest this is the way Windows Explorer is working)

- or -

Had a parameter that lets you decide what part of ACL you would want to write.


Microsoft Support case # 113052910473011
Details
Sign in to post a comment.
Sign in to post a workaround.