发表新帖
发表新帖

Why does Set-Acl on the drive root try to set ownership of the “object”?

后端 未结
关注
5 1907
一向
一向 2020-12-07 22:45

I would like to change the ACL of the C: drive. What im trying to do is remove the permission that a user can create a folder directly on the drive. I tested th

相关标签:
5条回答
  • 一个人的身影
    2020-12-07 23:20

    People may find this easier:

    icacls c:\ /remove "authenticated users"
    0 讨论(0)
  • 情话喂你
    2020-12-07 23:21

    The below code works for me:

    $ApplicationPoolIdentity = "everyone"

function SetACL()
{
    param (
        [Parameter(Mandatory=$true)]
        [string]        $Path 
    )

    $Acl = (Get-Item $Path).GetAccessControl('Access')
    Write-Host "Path:" $Path "ID:" $ApplicationPoolIdentity
    $Ar = New-Object  system.security.accesscontrol.filesystemaccessrule($ApplicationPoolIdentity,"Write","Allow")
    $Acl.SetAccessRule($Ar)
    Write-Host $Acl
    $Acl | Set-Acl $Path
}

SetACL "C:\Test\"
    0 讨论(0)
  • 北海茫月
    2020-12-07 23:26

    You need the SeRestorePrivilege to set the owner. I used Lee Holmes' script from the URL below to elevate my process with this additional priv and was able to set the owner to someone other than myself.

    http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/

    I tried the (get-item $path).getaccesscontrol("access") method but still got the same error since my process didn't have the SeRestorePrivilege.

    0 讨论(0)
  • 暗喜
    2020-12-07 23:31

    I found the answer. Microsoft says

    Unfortunately Get-Acl is missing some features. It always reads the full security descriptor even if you just want to modify the DACL. That’s why Set-ACL also wants to write the owner even if you have not changed it. Using the GetAccessControl method allows you to specify what part of the security descriptor you want to read.

    Replace the Get-Acl call with

    $acl = (Get-Item $path).GetAccessControl('Access')
    0 讨论(0)
  • 刺人心
    2020-12-07 23:31

    $Acl = (Get-Item $Path).GetAccessControl('Access')

    Worked for me. I run my PS Script from CMD and in this PS Script i run another PS Script everything works fine as long as i do it with my own User. When i use different User i get the same Error: Set-Acl : The security identifier is not allowed to be the owner of this object.

    Just changed Get-ACL to that Line above and it worked fine. Thanks again.

    0 讨论(0)
 看不清?
提交回复
热议问题