Hi,
I'm trying to change the owner of multiple directories and also change permissions. I am able to successfully change the permissions by getting the acl on the dir/file, creating a file system access rule, adding the rule and then setting the acl. For setting the owner, I Get-Acl on the filename, create an NTAccount, translate it into a security identifier to make sure the account is valid, then I use SetOwner on the acl and invoke Set-Acl, which fails with the following error: "Set-Acl : The security identifier is not allowed to be the owner of this object". Here is an example of my code for setting the owner:
$acl = Get-Acl -Path $fileName
$account = New-Object System.Security.Principal.NTAccount("DomainExample", $userName)
$accountSid = $account.Translate([System.Security.Principal.SecurityIdentifier])  # throws if the account cannot be resolved
$acl.SetOwner($account)   # this works ok and sets the owner in memory, I suppose
Set-Acl -Path $fileName -AclObject $acl   # this fails with the error mentioned above
I am running the PowerShell terminal as a user who has permissions to give ownership. Also if I use the Windows GUI, it works fine. Any ideas/help will be greatly appreciated.
Developer
May 28, 2010 at 4:26 PM
I believe you'll have to enable the SeBackupPrivilege first before you can set the owner of a file to be someone other than yourself. With an elevated shell:
PS C:\Windows\system32> ipmo pscx
PS C:\Windows\system32> $p = get-privilege
PS C:\Windows\system32> $p.Enable("sebackupprivilege")
PS C:\Windows\system32> Set-Privilege $p
PS C:\Windows\system32> get-privilege
Name Status
---- ------
SeIncreaseQuotaPrivilege Disabled
SeMachineAccountPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Enabled <<<<<<
SeRestorePrivilege Disabled
This should give you the necessary rights to set the owner. The reason you need backup rights is because you are subverting the auditing; normally you can only give someone the right to _take_ ownership back.
-Oisin
On Fri, May 28, 2010 at 5:39 AM, djvantob <notifications@codeplex.com> wrote:
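Putting the two posts together, here is a complete script that re-owns a list of directories the way the question describes, with the privilege handling from Oisin's reply. This is an added example, not code from the thread or from PSCX. It assumes PSCX is installed and that the object returned by Get-Privilege has the Enable() method shown in the reply and a matching Disable() method (the latter is an assumption). SeBackupPrivilege is what the reply enables; the Win32 SetNamedSecurityInfo documentation names SeRestorePrivilege as the privilege that permits assigning an owner other than the caller, so the script enables both, and drops both again when it is done. Each result is verified by re-reading the ACL from disk and comparing SIDs rather than trusting the in-memory object. Run it from an elevated shell, e.g. `.\Set-DirOwner.ps1 -Path C:\data\a, C:\data\b -Domain DomainExample -UserName svc_files`.

```powershell
# Added example (not from the thread): set a new owner on several directories
# using the PSCX Get-Privilege/Set-Privilege cmdlets shown in the reply.
# Assumption: $privs.Enable() is shown on the page; $privs.Disable() is assumed.
param(
    [Parameter(Mandatory)] [string[]] $Path,      # directories to re-own
    [Parameter(Mandatory)] [string]   $Domain,    # e.g. DomainExample
    [Parameter(Mandatory)] [string]   $UserName   # new owner account
)

Import-Module Pscx

# Resolve and validate the principal once, up front. Translate() throws
# IdentityNotMappedException for an unknown account, so nothing on disk is
# touched if the name is wrong.
$account = New-Object System.Security.Principal.NTAccount($Domain, $UserName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Enable the privileges only for the duration of the change and disable them
# again in the finally block, so the shell does not keep them afterwards.
$privs = Get-Privilege
$privs.Enable("SeBackupPrivilege")    # what the reply enables
$privs.Enable("SeRestorePrivilege")   # required by SetNamedSecurityInfo for a foreign owner
Set-Privilege $privs

$results = @()
try {
    foreach ($dir in $Path) {
        try {
            $acl = Get-Acl -Path $dir
            $acl.SetOwner($account)
            Set-Acl -Path $dir -AclObject $acl

            # Verify: re-read the ACL from disk and compare by SID, so a naming
            # difference (NetBIOS vs. UPN) cannot mask a failed change.
            $actual = (Get-Acl -Path $dir).GetOwner([System.Security.Principal.SecurityIdentifier])
            $results += [pscustomobject]@{
                Path    = $dir
                Owner   = $actual.Value
                Changed = ($actual -eq $sid)
                Error   = $null
            }
        }
        catch {
            # Without the privilege this is where the thread's error surfaces:
            # "The security identifier is not allowed to be the owner of this object".
            $results += [pscustomobject]@{
                Path    = $dir
                Owner   = $null
                Changed = $false
                Error   = $_.Exception.Message
            }
        }
    }
}
finally {
    $privs.Disable("SeBackupPrivilege")
    $privs.Disable("SeRestorePrivilege")
    Set-Privilege $privs
}

# One row per directory: which ones actually changed and why any did not.
$results | Format-Table -AutoSize
```

The per-directory try/catch matters for the "multiple directories" case in the question: one path that fails (missing, or on a volume where the caller lacks WRITE_OWNER) is reported in the table instead of aborting the whole run, and the Changed column is computed from the on-disk owner, not from the in-memory `$acl` that SetOwner had already updated before Set-Acl failed.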