SetOwner on an acl not working

Angelina

Hi,
I'm trying to change the owner of multiple directories and also change
permissions. I am able to successfully change the permissions by getting the
acl on the dir/file, creating a file system access rule, adding the rule and
then setting the acl.
For setting the owner, I get-acl on the filename, create an NTAccount,
translate into security identifier to make sure the account is valid, then I
use SetOwner on the acl, and invoke set-acl which fails with the following
error: "Set-Acl : The security identifier is not allowed to be the owner of
this object".
Here is an example of my code for setting the owner:
$acl = Get-Acl -Path $fileName
$account = New-Object System.Security.Principal.NTAccount("DomainExample", $userName)
$accountSid = $account.Translate([System.Security.Principal.SecurityIdentifier])  # throws if the account cannot be resolved
$acl.SetOwner($account)  # this works ok and sets the owner in memory I suppose
Set-Acl -Path $fileName -AclObject $acl  # this fails with the error mentioned above

I am running the PowerShell terminal as a user who has permissions to give
ownership. Also if I use the Windows GUI, it works fine. Any ideas/help will
be greatly appreciated.
I'm running Windows Server 2003, .NET 2.0.
Thank you,
Angelina

RichS

Am I missing something here? I thought you couldn't grant ownership on NTFS
objects directly but that you had to grant the Take Ownership permission to a
user who could then use that to take ownership themselves.
--
Richard Siddaway
Please note that all scripts are supplied "as is" and with no warranty
Blog: http://richardsiddaway.spaces.live.com/
PowerShell User Group: http://www.get-psuguk.org.uk



Oisin Grehan

On Aug 13, 3:12 pm, Angelina <[email protected]> wrote:

Hi Angelina,

One of the security constraints of NTFS/NT is that you are only
allowed to set the owner of a file to yourself (e.g. "take ownership")
or to the "Administrators" group. However, there is a "side entrance"
whereby you can assign any arbitrary user as the owner, even if
they're not an administrator. This is a privilege that is *granted* to
administrators and backup operators, but NOT *enabled* by default. So,
how do you enable this? Unfortunately there is no native .NET way to
do this (and by extension, no out of the box way to do it in
PowerShell either), but you can use some cmdlets we have in the
PowerShell Community Extensions project to enable this privilege. So,
what next?

First of all, go grab PSCX 1.1.1 from http://www.codeplex.com/PowerShellCX
and install it.

Next, you new up one of our wrapper classes for TokenPrivilege:

PS > $SeRestore = new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true # enable it

Then, grant it to the current process's token (powershell.exe):

PS > Set-Privilege $SeRestore

...and that's it. Your previous code should now work by allowing you
to set any user as the owner of a file or directory. You can use
Get-Privilege to see your current rights at any time.

Admittedly, this is a few hoops to jump through, and with this in
mind, we'll probably add dedicated Get-Owner and Set-Owner cmdlets to
PSCX 1.2 for this purpose. In fact, I wrote some for MoW which he has
been testing out, and these will get checked into the current trunk
sometime in the near future.

Hope this helps,

- Oisin
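As an added example of the same idea (not Oisin's or PSCX's code), the script below enables SeRestorePrivilege on the current process token by calling AdjustTokenPrivileges through P/Invoke instead of PSCX's Set-Privilege, then performs the owner change and re-reads the owner from disk to confirm it took. It assumes a PowerShell version that has Add-Type (2.0 or later) and a token that already holds the privilege (Administrators or Backup Operators); the path, domain and user name are placeholders.

```powershell
# Added example: enable SeRestorePrivilege via P/Invoke, then set an arbitrary owner.
# Assumes PowerShell 2.0+ (Add-Type) and a token that already holds the privilege;
# AdjustTokenPrivileges can only enable what the token was granted at logon.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    // True only if the privilege is now enabled. AdjustTokenPrivileges returns success even when
    // the token does not hold the privilege; it reports that via ERROR_NOT_ALL_ASSIGNED (1300).
    public static bool Enable(string name) {
        IntPtr tok; LUID luid;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, out tok)) return false; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        if (!LookupPrivilegeValue(null, name, out luid)) return false;
        TOKEN_PRIVILEGES tp; tp.PrivilegeCount = 1; tp.Luid = luid; tp.Attributes = 0x2; // SE_PRIVILEGE_ENABLED
        if (!AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
        return Marshal.GetLastWin32Error() == 0;
    }
}
'@

function Set-OwnerWithRestore {
    param([string]$Path, [string]$Domain, [string]$User)
    # Without SeRestorePrivilege NTFS only accepts yourself or Administrators as the new owner.
    if (-not [TokenPriv]::Enable('SeRestorePrivilege')) {
        throw 'SeRestorePrivilege is not held by this token (needs Administrators or Backup Operators).'
    }
    $account = New-Object System.Security.Principal.NTAccount($Domain, $User)
    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])  # fail early if the account is unknown
    $acl = Get-Acl -Path $Path
    $acl.SetOwner($account)
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).Owner   # re-read from disk to confirm the new owner actually took
}

Set-OwnerWithRestore -Path 'C:\Data\Project' -Domain 'DomainExample' -User 'alice'  # placeholder values
```

Because the privilege is enabled on the whole powershell.exe token, it stays enabled for everything else that session runs; a script that needs it only for the owner change should disable it again afterwards (same call with Attributes set to 0).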

Angelina

Hi Richard,
I did read exactly what you are saying. I guess what I'm curious about is
how come this works if I do it using the Windows GUI for changing
permissions/owners/security? Also, I can do it using a VBScript and xcacls.
Shouldn't there be a way to do the exact same thing through PowerShell?
Thank you,
Angelina


Angelina

Oh great!
Thank you Oisin, will check it out :)
Regards,
Angelina
