AD DACL: Set-ACL Fails with This security ID may not be assigned as the owner of this object

Question

  • Hello,

    I've a similar problem as http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/2fb86543-a6bc-4814-abb0-403816529c26 but as this thread is already answered nobody might read it.

    My script to add the attribute "Manager can update membership list" for an AD group:

    import-module activedirectory
    set-location AD:
    $objUser = New-Object System.Security.Principal.NTAccount("sampledomain\user1")
    $sid = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
    $acl=Get-ACL "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"
    $objectguid = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
    $ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"WriteProperty","Allow",$objectguid
    $acl.AddAccessRule($ace1)
    set-acl -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com"

    The command returns this error:

    Set-Acl : This security ID may not be assigned as the owner of this object
    At line:1 char:8
    + set-acl <<<<  -aclobject $acl -Path "CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC
    =network,DC=com"
        + CategoryInfo          : NotSpecified: (CN=TESTGROUP...network,DC=com:String) [Set-Acl], ADException
        + FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:ADError,Microsoft.PowerShell.Commands.SetAclCommand

    It is not a permission problem, because this command works:
    dsacls CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com /G sampledomain\user1:WP;member;
    I tried this VBS script http://codeidol.com/active-directory/active-directory/Groups/Delegating-Control-for-Managing-Membership-of-a-Group/

    It returns: "Active Directory: A constraint violation occurred."

    Then I found the solution for the VBS. The problem is described here http://support.microsoft.com/default.aspx?scid=kb;en-us;323749

    "By default, when accessing the ntSecurityDescriptor property, the ADSI LDAP provider writes the whole security descriptor back to the object. If a non-administrative user tries to write the ownership information of a security descriptor, and the user does not own the object, the NT security system generates an error."

    I fixed the VBS from codeidol with this additional code before executing SetInfo:

    const ADS_OPTION_SECURITY_MASK = 3
    const ADS_SECURITY_INFO_DACL = 4
    objGroup.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL

    To make a long story short.

    How can I change the Powershell script to behave like described in the MS article?

    Thursday, June 21, 2012 8:52 PM

Answers

  • I found a Powershell solution which worked for me to add the "Manager can update member list" attribute.

    If you use a newly created group, it needs some seconds until the SID is available.

    # bf9679c0-... is the schema GUID of the 'member' attribute; WriteProperty on it is
    # what the "Manager can update membership list" checkbox grants.
    $guidNull = New-Object Guid "00000000-0000-0000-0000-000000000000"
    $guidWriteMembers = New-Object Guid "bf9679c0-0de6-11d0-a285-00aa003049e2"
    # Resolve the manager's SID from its account name (SecurityIdentifier does not accept a plain name).
    $groupSID = (New-Object System.Security.Principal.NTAccount("sampledomain\SampleGroup")).Translate([System.Security.Principal.SecurityIdentifier])
    $adServer = "dc01.sampledomain.network.com"   # placeholder: name of a domain controller
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $adServer + "/CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com")
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"WriteProperty","Allow",$guidWriteMembers,"None",$guidNull
    $objDomain.ObjectSecurity.AddAccessRule($ace)
    $objDomain.CommitChanges()

    This link was very useful to solve the problem http://www.damianflynn.com/2011/08/23/ad-delegating-control-in-powershell/
    • Marked as answer by mopp Monday, June 25, 2012 11:39 AM
    • Edited by mopp Monday, June 25, 2012 12:56 PM
    Monday, June 25, 2012 11:38 AM
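An added example, not the poster's code, that does what the question asks for: the .NET DirectoryEntry counterpart of the VBS SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL call is DirectoryEntryConfiguration.SecurityMasks, so only the DACL is read and written back and the owner is never touched. It grants WriteProperty on the 'member' attribute and then re-binds to verify that the ACE is present. The group DN, the principal and the domain controller name are placeholders, and the principal may be a user (as in the question) or a group (as in the answer).

```powershell
# Added example (not from the thread). Grants "Manager can update membership list"
# by writing only the DACL, then verifies the ACE. DN, principal and server are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schema GUID of 'member'

function Get-GroupEntry([string]$GroupDN, [string]$Server) {
    # Serverless bind when no DC is given; each call is a fresh bind, so ObjectSecurity is re-read.
    $path  = if ($Server) { "LDAP://$Server/$GroupDN" } else { "LDAP://$GroupDN" }
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
    # Set BEFORE ObjectSecurity is first read: the masks used to read the descriptor are
    # reused when CommitChanges() writes it back, so only the DACL goes over the wire.
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    return $entry
}

function Resolve-Sid([string]$Principal) {
    # "DOMAIN\name" -> SID; a brand-new principal may need a few seconds to be resolvable.
    (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Grant-MemberWrite([string]$GroupDN, [string]$Principal, [string]$Server) {
    $entry = Get-GroupEntry $GroupDN $Server
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        (Resolve-Sid $Principal),
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttributeGuid,                                             # scope: 'member' only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $entry.ObjectSecurity.AddAccessRule($ace)
    $entry.CommitChanges()   # writes the DACL only; no owner write, so no "may not be assigned as the owner"
}

function Test-MemberWrite([string]$GroupDN, [string]$Principal, [string]$Server) {
    # Re-bind and look for an explicit Allow ACE with WriteProperty on 'member' for this SID.
    $sid   = Resolve-Sid $Principal
    $rules = (Get-GroupEntry $GroupDN $Server).ObjectSecurity.GetAccessRules(
                 $true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $sid -and $r.ObjectType -eq $MemberAttributeGuid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) {
            return $true
        }
    }
    return $false
}

$dn = 'CN=TESTGROUP,OU=group1,OU=Groups,OU=gr06,OU=xyz,OU=www,DC=sampledomain,DC=network,DC=com'
Grant-MemberWrite -GroupDN $dn -Principal 'sampledomain\user1' -Server 'dc01.sampledomain.network.com'
Test-MemberWrite  -GroupDN $dn -Principal 'sampledomain\user1' -Server 'dc01.sampledomain.network.com'  # expect True
```

Running Test-MemberWrite alone is also a cheap way to audit which principals can edit a group's membership without comparing raw descriptors.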