AD DACL: Set-ACL Fails with This security ID may not be assigned as the owner of this object


  • Hello,

I've a similar problem as but, as this thread is already answered, nobody might read it.

    My script to add the attribute "Manager can update membership list" for an AD group

    import-module activedirectory
    set-location AD:
    # Resolve the trustee's SID from the account name
    $objUser = New-Object System.Security.Principal.NTAccount("sampledomain\user1")
    $sid = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
    $acl=Get-ACL "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"
    # Schema GUID of the "member" attribute
    $objectguid = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
    $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"WriteProperty","Allow",$objectguid
    # Attach the ACE to the DACL before writing the descriptor back
    $acl.AddAccessRule($ace1)
    set-acl -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"

    The command returns this error:

    Set-Acl : This security ID may not be assigned as the owner of this object
    At line:1 char:8
    + set-acl <<<<  -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC
        + CategoryInfo          : NotSpecified: (,DC=com:String) [Set-Acl], ADException
        + FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:ADError,Microsoft.PowerShell.Commands.SetAclCommand

    It is not a permission problem, because this command works:
    dsacls CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com /G sampledomain\user1:WP;member;
    I tried this VBS script

    It returns: "Active Directory: A constraint violation occurred."

    Then I found the solution for the VBS. The problem is described in Microsoft KB article 323749:

    "By default, when accessing the ntSecurityDescriptor property, the ADSI LDAP provider writes the whole security descriptor back to the object. If a non-administrative user tries to write the ownership information of a security descriptor, and the user does not own the object, the NT security system generates an error."

    I fixed the VBS from codeidol with this additional code before executing setinfo


    To make a long story short:

    How can I change the Powershell script to behave like described in the MS article?

    Thursday, June 21, 2012 8:52 PM


  • I found a PowerShell solution which worked for me to add the "Manager can update member list" attribute.

    If you use a newly created group, it needs some seconds until the SID is available.

    $guidNull = new-object Guid 00000000-0000-0000-0000-000000000000   # no inherited object type
    $guidWriteMembers = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2   # schema GUID of the "member" attribute
    $groupSID = (New-Object System.Security.Principal.NTAccount("sampledomain\SampleGroup")).Translate([System.Security.Principal.SecurityIdentifier])   # SID from the account name; "SampleGroup" is a placeholder
    $adServer = "dc01.sampledomain.network.com"   # placeholder for a domain controller name
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $adServer + "/CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com")
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"WriteProperty","Allow",$guidWriteMembers,"None",$guidNull
    # Write back only the DACL section (ADS_SECURITY_INFO_DACL in the KB article), so no owner write is attempted
    $objDomain.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    $objDomain.ObjectSecurity.AddAccessRule($ace)
    $objDomain.CommitChanges()

    This link was very useful to solve the problem
    • Marked as answer by mopp Monday, June 25, 2012 11:39 AM
    • Edited by mopp Monday, June 25, 2012 12:56 PM
    Monday, June 25, 2012 11:38 AM
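The DACL-only write that both posts circle around (the question's KB article advice to write just the DACL section, and the answer's DirectoryEntry approach), as an added example that is not code from either post. It reads the manager from the group's managedBy attribute, checks whether the ACE already exists, writes only the DACL, and re-reads the object to verify. The domain controller name, the group DN (reused from the thread) and the function names are placeholders of mine.

```powershell
# Added example, not code from the thread. Grants the principal named in a
# group's managedBy attribute WriteProperty on the "member" attribute (what the
# "Manager can update membership list" checkbox sets), writing back only the
# DACL section of the security descriptor so no owner write is attempted.
Add-Type -AssemblyName System.DirectoryServices

$Server  = "dc01.sampledomain.network.com"   # placeholder domain controller
$GroupDN = "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"

# Schema GUID of the "member" attribute (the same GUID the thread uses)
$MemberAttrGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"

function Get-ManagerSid {
    # Returns the SID of the object referenced by the group's managedBy attribute.
    param([string]$Server, [System.DirectoryServices.DirectoryEntry]$Group)
    $managerDn = [string]$Group.Properties["managedBy"].Value
    if ([string]::IsNullOrEmpty($managerDn)) {
        throw "Group $($Group.Properties['distinguishedName'].Value) has no managedBy set"
    }
    $manager = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/$managerDn"
    # objectSid comes back as a byte[]; build the SID from it, no name lookup needed
    $sidBytes = [byte[]]$manager.Properties["objectSid"].Value
    return New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0
}

function Test-MemberWriteAce {
    # True if an explicit Allow ACE granting WriteProperty on "member" to $Sid exists.
    # (A broader ACE, e.g. WriteProperty on all attributes, is deliberately not matched.)
    param([System.DirectoryServices.DirectoryEntry]$Group,
          [System.Security.Principal.SecurityIdentifier]$Sid)
    $rules = $Group.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $hasWriteProp = ([int]$r.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
        if ($r.IdentityReference -eq $Sid -and $r.AccessControlType -eq "Allow" -and
            $r.ObjectType -eq $MemberAttrGuid -and $hasWriteProp) {
            return $true
        }
    }
    return $false
}

function Grant-ManagerCanUpdateMembers {
    param([string]$Server, [string]$GroupDN)
    $group = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/$GroupDN"

    # Restrict reads and writes of ntSecurityDescriptor to the DACL section. This is
    # the .NET counterpart of the ADSI ADS_OPTION_SECURITY_MASK / ADS_SECURITY_INFO_DACL
    # setting from the KB article: with the default mask the owner is written back too,
    # and a caller who does not own the object gets "This security ID may not be
    # assigned as the owner of this object". Set it before ObjectSecurity is first read.
    $group.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

    $sid = Get-ManagerSid -Server $Server -Group $group
    if (Test-MemberWriteAce -Group $group -Sid $sid) {
        return "ACE already present for $sid on $GroupDN"
    }

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $group.ObjectSecurity.AddAccessRule($ace)
    $group.CommitChanges()

    # Verify with a fresh bind rather than trusting the local property cache
    $check = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/$GroupDN"
    if (-not (Test-MemberWriteAce -Group $check -Sid $sid)) {
        throw "ACE for $sid not found on $GroupDN after CommitChanges"
    }
    return "Granted WriteProperty(member) to $sid on $GroupDN"
}

Grant-ManagerCanUpdateMembers -Server $Server -GroupDN $GroupDN
```

Run it as the account that is allowed to modify the group's DACL but does not own the object; that is exactly the case where Set-Acl on the AD: drive fails. The result can be cross-checked the same way the question did, with dsacls against the group DN.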