
August 15, 2018 at 2:41 pm

I was just wondering if anyone has tried piping get-acl to set-acl without copying the owner. I tried this without success:

PS C:\users\superuser> get-acl c:\users\user1\foo.txt | select * -exclude owner | 
  set-acl c:\users\user2\foo.txt

set-acl : AclObject
At line:1 char:63
+ ... o.txt | select * -exclude owner | set-acl c:\users\user2\foo.txt
+                                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (@{PSPath=Micros...Canonical=True}:PSObject) [Set-Acl], ArgumentException
    + FullyQualifiedErrorId : SetAcl_AclObject,Microsoft.PowerShell.Commands.SetAclCommand

August 16, 2018 at 1:48 pm

What exactly are you trying to do? The file has to have an owner. You can change or set the owner, but that is not the way to do it. Set-ACL is expecting a PSObject formatted with required information and you are removing it. I would recommend reading the help files on Set-ACL for examples and researching the internet for examples.

August 16, 2018 at 7:00 pm

I just want to change the acl, while keeping the owner the same. I was wondering what property in the acl contains the owner.

Btw, the submit button looks like it's grayed out.

August 16, 2018 at 7:13 pm

All ACL properties are not settable; you have to cherry-pick the objects required to set.

August 16, 2018 at 7:25 pm

Yep. You'll want to do something like this:

$ACL = Get-Acl -Path $Path
$AccessRights = $ACL.Access

# make changes to $accessrights by adding, removing, or altering the FileSystemAccessRules

Set-Acl -Path $Path -AclObject $AccessRights

August 16, 2018 at 7:38 pm

I found this way. Joel, I got an invalid argument error. I think you mean "-aclobject $acl".

# this works

# path, owner, and group properties are null
$acl = (Get-Item c:\users\user1\foo.txt).GetAccessControl('Access')

$acl | set-acl c:\users\user2\foo.txt

I tried "$acl.owner = $null", but the property is ReadOnly. I think the input object has to be a certain type.

August 17, 2018 at 3:58 pm

While it isn't a one liner, would this work? Or does that blow up some sort of auditing for you?

# get the original owner
$originalOwner = (Get-Acl -Path .\file2.txt | Select-Object -ExpandProperty Owner) -split '\\'
$OwnerPrincipal = New-Object System.Security.Principal.NTAccount($originalOwner[0], $originalOwner[1])
# set the ACL
Get-ACL -Path .\file.txt | Set-Acl -Path .\file2.txt
# update the owner information
$acl = Get-ACL -Path .\file2.txt
$acl.SetOwner($OwnerPrincipal)
Set-ACL -Path .\file2.txt -AclObject $acl 


August 17, 2018 at 5:13 pm

What I posted works fine, but that is perfectly valid, Stephen, even as the System user.
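
The access-only copy from the thread, wrapped with a before/after owner check, as an added example that is not code from any of the posters. `Copy-FileDacl` is a hypothetical helper name, and it assumes both paths are files (a directory would need `DirectorySecurity`).

```powershell
# Added example. Copy-FileDacl is a hypothetical name, not a built-in cmdlet.
function Copy-FileDacl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination
    )

    $src = (Resolve-Path -LiteralPath $Source -ErrorAction Stop).ProviderPath
    $dst = (Resolve-Path -LiteralPath $Destination -ErrorAction Stop).ProviderPath

    # Record the destination owner so it can be compared after the write.
    $ownerBefore = (Get-Acl -LiteralPath $dst).Owner

    # Load only the Access (DACL) section of the source descriptor.
    # Owner, Group and Audit are never read, so they cannot be carried over.
    $sections = [System.Security.AccessControl.AccessControlSections]::Access
    $dacl = New-Object System.Security.AccessControl.FileSecurity -ArgumentList $src, $sections

    # Guard: the object handed to Set-Acl must not carry an owner.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    if ($null -ne $dacl.GetOwner($sidType)) {
        throw "Source descriptor unexpectedly carries an owner."
    }

    if ($PSCmdlet.ShouldProcess($dst, "Replace DACL with the one from $src")) {
        Set-Acl -LiteralPath $dst -AclObject $dacl
    }

    # Verify the owner is untouched and return the resulting DACL as SDDL.
    $after = Get-Acl -LiteralPath $dst
    if ($after.Owner -ne $ownerBefore) {
        throw "Owner of $dst changed from '$ownerBefore' to '$($after.Owner)'."
    }
    [pscustomobject]@{
        Path  = $dst
        Owner = $after.Owner
        Dacl  = $after.GetSecurityDescriptorSddlForm($sections)
    }
}

# Usage with the paths from the thread (add -WhatIf for a dry run):
# Copy-FileDacl -Source C:\users\user1\foo.txt -Destination C:\users\user2\foo.txt
```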