Why does Set-Acl on the drive root try to set ownership of the "object"?
I found the answer. Microsoft says:

Unfortunately Get-Acl is missing some features. It always reads the full security descriptor even if you just want to modify the DACL. That’s why Set-ACL also wants to write the owner even if you have not changed it. Using the GetAccessControl method allows you to specify what part of the security descriptor you want to read.

Replace the Get-Acl call with

    $acl = (Get-Item $path).GetAccessControl('Access')
You need the SeRestorePrivilege to set the owner. I used Lee Holmes' script from the URL below to elevate my process with this additional priv and was able to set the owner to someone other than myself.
http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
I tried the (get-item $path).getaccesscontrol("access") method but still got the same error since my process didn't have the SeRestorePrivilege.
The below code works for me:
    $ApplicationPoolIdentity = "everyone"

    function SetACL()
    {
        param (
            [Parameter(Mandatory=$true)]
            [string] $Path
        )

        # Read only the DACL ('Access') so that Set-Acl does not try to write the owner
        $Acl = (Get-Item $Path).GetAccessControl('Access')
        Write-Host "Path:" $Path "ID:" $ApplicationPoolIdentity

        # Allow rule granting Write to the identity named above
        $Ar = New-Object system.security.accesscontrol.filesystemaccessrule($ApplicationPoolIdentity,"Write","Allow")
        $Acl.SetAccessRule($Ar)
        Write-Host $Acl

        # Write the modified descriptor back to the path
        $Acl | Set-Acl $Path
    }

    SetACL "C:\Test\"
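
An added example, not part of the answers above: it prints as SDDL what Get-Acl and GetAccessControl('Access') each read, then changes only the DACL of a scratch directory and checks that the owner is untouched. The directory name, the BUILTIN\Users read grant and the Get-DaclOnly helper are assumptions made for the demo; the PowerShell 7 branch assumes the .NET FileSystemAclExtensions class, since the instance method is a .NET Framework API.

```powershell
# Added example (not from the original answers). Windows only; the scratch
# directory and the BUILTIN\Users read grant are constructed for the demo.
$All    = [System.Security.AccessControl.AccessControlSections]::All
$Access = [System.Security.AccessControl.AccessControlSections]::Access
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-DaclOnly {
    param([Parameter(Mandatory = $true)][string] $Path)
    $item = Get-Item -LiteralPath $Path
    if ($item.PSObject.Methods['GetAccessControl']) {
        # Windows PowerShell 5.1 (.NET Framework): instance method, as in the answers.
        return $item.GetAccessControl($Access)
    }
    # PowerShell 7 (.NET): the same read is a static extension method.
    return [System.IO.FileSystemAclExtensions]::GetAccessControl($item, $Access)
}

$path = Join-Path $env:TEMP 'acl-section-demo'
New-Item -ItemType Directory -Path $path -Force | Out-Null

$full = Get-Acl -LiteralPath $path
$dacl = Get-DaclOnly -Path $path

# In SDDL, "O:" is the owner, "G:" the group and "D:" the DACL.
# The Get-Acl descriptor carries all three; the DACL-only read carries just "D:".
'Get-Acl   : {0}' -f $full.GetSecurityDescriptorSddlForm($All)
'DACL only : {0}' -f $dacl.GetSecurityDescriptorSddlForm($All)

$ownerBefore = $full.GetOwner($SidType).Value

# Grant read/execute to BUILTIN\Users by well-known SID (locale independent).
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$dacl.AddAccessRule($rule)

# The descriptor holds no owner, so this write needs no owner-setting privilege.
Set-Acl -LiteralPath $path -AclObject $dacl

$after      = Get-Acl -LiteralPath $path
$ownerAfter = $after.GetOwner($SidType).Value
$explicit   = $after.GetAccessRules($true, $false, $SidType) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-5-32-545' }

'Owner unchanged : {0}' -f ($ownerBefore -eq $ownerAfter)
'Users ACE found : {0}' -f [bool]$explicit

Remove-Item -LiteralPath $path -Recurse -Force
```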