AD DACL: Set-ACL Fails with This security ID may not be assigned as the owner of this object
-
Thursday, June 21, 2012 8:52 PM
Hello,
I've a similar problem as http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/2fb86543-a6bc-4814-abb0-403816529c26 but as this thread is already answered nobody might read it.
My script to add the attribute "Manager can update membership list" for an AD group:
import-module activedirectory
set-location AD:
# Resolve the delegate account to a SID
$objUser = New-Object System.Security.Principal.NTAccount("sampledomain\user1")
$sid = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
# Read the group's current security descriptor through the AD: provider
$acl = Get-ACL "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"
# Schema GUID of the "member" attribute
$objectguid = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"WriteProperty","Allow",$objectguid
$acl.AddAccessRule($ace1)
# Writes the whole security descriptor (owner included) back to the object
set-acl -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"
The command returns this error:
Set-Acl : This security ID may not be assigned as the owner of this object
At line:1 char:8
+ set-acl <<<< -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC
=network,DC=com"
+ CategoryInfo : NotSpecified: (CN=TESTGROUP...network,DC=com:String) [Set-Acl], ADException
+ FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:ADError,Microsoft.PowerShell.Commands.SetAclCommand
It is not a permission problem, because this command works:
dsacls CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com /G sampledomain\user1:WP;member;
I tried this VBS script http://codeidol.com/active-directory/active-directory/Groups/Delegating-Control-for-Managing-Membership-of-a-Group/ It returns: "Active Directory: A constraint violation occurred."
Then I found the solution for the VBS. The problem is described here: http://support.microsoft.com/default.aspx?scid=kb;en-us;323749
"By default, when accessing the ntSecurityDescriptor property, the ADSI LDAP provider writes the whole security descriptor back to the object. If a non-administrative user tries to write the ownership information of a security descriptor, and the user does not own the object, the NT security system generates an error."
I fixed the VBS from codeidol with this additional code before executing SetInfo:
Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_DACL = 4
' Write back only the DACL part of the security descriptor, not the owner
objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
To make a long story short: how can I change the PowerShell script to behave as described in the MS article?
All Replies
-
Monday, June 25, 2012 11:38 AM
I found a PowerShell solution which worked for me to add the "Manager can update member list" attribute.
If you use a newly created group, it needs some seconds until the SID is available.
$guidNull = new-object Guid 00000000-0000-0000-0000-000000000000
# Schema GUID of the "member" attribute
$guidWriteMembers = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
# SecurityIdentifier needs an SDDL SID string, so translate the group name to a SID first
$groupSID = (New-Object System.Security.Principal.NTAccount("sampledomain\SampleGroup")).Translate([System.Security.Principal.SecurityIdentifier])
$adServer = "dc01.sampledomain.network.com"   # hostname of a domain controller
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $adServer + "/CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com")
# Allow WriteProperty on "member" for this object only (no inheritance)
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"WriteProperty","Allow",$guidWriteMembers,"None",$guidNull
$objDomain.ObjectSecurity.AddAccessRule($ace)
$objDomain.CommitChanges()
This link was very useful to solve the problem: http://www.damianflynn.com/2011/08/23/ad-delegating-control-in-powershell/
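The PowerShell equivalent of the VBS SetOption fix from the question, combined with the DirectoryEntry approach from the reply, added here as an example (it is not code from either post). It sets DirectoryEntry.Options.SecurityMasks to Dacl so that CommitChanges writes back only the DACL and never the owner, which is what the KB article describes; it then reads the DACL back to confirm that exactly the intended ACE was written. The DC hostname, the group DN (reused from the thread) and the delegate name are placeholders.

```powershell
# Added example: delegate "write members" on one group, writing back ONLY the DACL.
# Placeholders: $adServer, $groupDN (taken from the thread), $delegate.
Add-Type -AssemblyName System.DirectoryServices

$adServer = 'dc01.sampledomain.network.com'    # placeholder DC hostname
$groupDN  = 'CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com'
$delegate = 'sampledomain\user1'               # placeholder account or group to delegate to

# Schema GUID of the "member" attribute
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# A bare name is not a valid SecurityIdentifier; resolve it through NTAccount first
$sid = (New-Object System.Security.Principal.NTAccount($delegate)).Translate([System.Security.Principal.SecurityIdentifier])

$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$adServer/$groupDN")

# Only the DACL is sent on CommitChanges; Owner, Group and SACL are left untouched.
# This is the .NET counterpart of the VBS SetOption(ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL)
# and avoids the "This security ID may not be assigned as the owner" error for a non-owner.
$entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

# Allow WriteProperty on the "member" attribute of this one object, with no inheritance:
# the delegate can change membership of this group and nothing else.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, 'WriteProperty', 'Allow', $memberGuid, 'None'
$entry.ObjectSecurity.AddAccessRule($ace)
$entry.CommitChanges()

# Verify: re-read the DACL and check that the ACE for this SID on "member" is present
$entry.RefreshCache()
$written = $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.ObjectType -eq $memberGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }
if (-not $written) { throw "ACE for $delegate on 'member' was not written to $groupDN" }
"Delegated membership management of $groupDN to $delegate"
```

The read-back at the end is the check worth keeping: it confirms the ACE landed on the single "member" attribute of that one group rather than as a broader right, and the same verification can be done from the command line with dsacls, as in the question. Leaving SecurityMasks at its default is what makes the AD: provider's Set-Acl path write the entire descriptor, so a delegated (non-owner) account hits the owner error even though it has been granted the rights to change the DACL.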

