Set-Acl cannot change filesystem/registry ACL if the current user or one of their groups doesn't have the TakeOwnership permission
Votes from Connect: 20
Original Date Submitted: 2/27/2009 5:16:35 PM
Site Name: PowerShell
Feedback ID: 418906
Frequency: Always Happens
Regression: Yes, this happens in previous released versions
For example, we have a folder where Administrator or the Administrators group is the object owner and doesn't have an explicit (or inherited from parent) ACE with the TakeOwnership right. Running the code (see reproduction steps), we get an error.
Product Studio item created by Connect Synchronizer due to creation of feedback ID 418906 (http://connect.microsoft.com/feedback/ViewFeedback.aspx?SiteID=99&FeedbackID=418906).
Here is code that adds the Everyone group to an existing ACL:
$acl = Get-Acl C:\test
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone", "FullControl", "Allow")
# Add the new rule to the ACL object before writing it back
$acl.AddAccessRule($accessRule)
$acl | Set-Acl C:\test
While the current user has the TakeOwnership right, all works as expected. However, if we remove this right for the current user, we get an error:
Set-Acl : Attempted to perform an unauthorized operation.
At line:1 char:15
+ $acl | Set-Acl <<<< C:\test
+ CategoryInfo : PermissionDenied: (C:\test:String) [Set-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
There is no need to have the TakeOwnership right if the user is the object's owner.
Internal BugId: 1949
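A workaround sketch, added here as an example and not part of the original report: it edits only the DACL through the .NET `GetAccessControl`/`SetAccessControl` methods, on the assumption that Set-Acl fails because it writes the owner back together with the DACL. The function name `Add-DaclRule` and the scratch folder are hypothetical; it assumes Windows PowerShell on .NET Framework and a caller who is the object's owner or holds ChangePermissions.

```powershell
# Added example, not code from the original report.
# Add-DaclRule is a hypothetical helper name.
function Add-DaclRule {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.FileSystemAccessRule] $Rule
    )

    $item = Get-Item -LiteralPath $Path -Force

    # Read only the DACL section. Owner, group and SACL are left out of the
    # descriptor, so nothing later tries to write them back.
    $sections = [System.Security.AccessControl.AccessControlSections]::Access
    $acl = $item.GetAccessControl($sections)

    $acl.AddAccessRule($Rule)

    # Persists only the section that was modified (the DACL). This needs
    # WRITE_DAC, which the owner holds implicitly, and not TakeOwnership.
    $item.SetAccessControl($acl)

    # Return the explicit (non-inherited) rules now on the object.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
}

# Constructed sample input: a scratch folder under TEMP instead of C:\test.
$scratch = Join-Path $env:TEMP 'setacl-dacl-only-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

# The rule grants the current user Modify; the Everyone/FullControl rule
# from the report would be passed in the same way.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Modify', 'Allow')

Add-DaclRule -Path $scratch -Rule $rule |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Clean up the scratch folder.
Remove-Item -LiteralPath $scratch -Recurse -Force
```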