Unable to set ACL using Set-ACL when not admin on ACL protected folder - by Michael V DK

ID: 789418
Status: Active
Type: Suggestion
Repros: 0
Opened: 6/3/2013 11:43:13 PM
Access Restriction: Public

Description

Under certain conditions, PowerShell's Set-ACL fails when trying to set permissions on a folder on an NTFS volume.

Error:
Set-ACL : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At line:48 char:1
+ Set-ACL -path $path -AclObject $ACL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (\\server\share\subfolder1:String) [Set-Acl], PrivilegeNotHeldException
    + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand


Conditions:

1) You are not admin on the file server
2) The folder has ACL protection enabled (disabled inheritance from parent)
3) You do have full control access and ownership of the folder

Issue found using PowerShell v2 and v3

The same change can be done with success under the same conditions using:

Windows Explorer 
FileACL.exe
CACLS.exe

The issue is that Set-ACL tries to write the whole ACL (Access + Audit + Owner). If you only try to write the Access part, then the error doesn't occur. See example in the expected results section.

It would be great if Set-ACL did the following:

Only try to write what has been changed, so if I only changed the Access part of the ACL, then it only tries to write that back. Then the above should work.

(I guess this is the way Windows Explorer works)

- or -

Had a parameter that lets you decide what part of ACL you would want to write.


Microsoft Support case # 113052910473011
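
The report refers to an example in an "expected results" section that is not part of this page. The following is an added example, not the reporter's or Microsoft's code, showing one way to read and write only the Access (DACL) section of a folder's security descriptor through the .NET `DirectoryInfo` methods. It assumes Windows PowerShell on .NET Framework; the function name `Add-AccessRuleDaclOnly` and the identity `CONTOSO\SomeGroup` are hypothetical, and the path is the one shown in the error output above.

```powershell
# Added example: modify only the DACL of a folder, leaving Owner and Audit (SACL) untouched.
function Add-AccessRuleDaclOnly {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )

    $dir = Get-Item -LiteralPath $Path -ErrorAction Stop
    if (-not $dir.PSIsContainer) { throw "'$Path' is not a folder." }

    # Load ONLY the Access section. Get-Acl would also load Owner and Group,
    # and Set-Acl would then try to write those sections back as well.
    $sections = [System.Security.AccessControl.AccessControlSections]::Access
    $acl = $dir.GetAccessControl($sections)

    # Remember whether inheritance is blocked so it can be checked afterwards.
    $wasProtected = $acl.AreAccessRulesProtected

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)

    # Persist the descriptor; only the section that was loaded and changed is written.
    $dir.SetAccessControl($acl)

    # Read the DACL back and confirm the protection flag did not change.
    $after = $dir.GetAccessControl($sections)
    if ($after.AreAccessRulesProtected -ne $wasProtected) {
        Write-Warning "Inheritance protection changed on '$Path'."
    }

    # Return the explicit (non-inherited) rules so the caller can review the result.
    $after.Access | Where-Object { -not $_.IsInherited }
}

# Usage (hypothetical identity):
# Add-AccessRuleDaclOnly -Path '\\server\share\subfolder1' -Identity 'CONTOSO\SomeGroup' -Rights Modify
```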