Powershell: Workaround for “The security identifier is not allowed to be the owner of this object”

I was writing a Powershell script which gave a user full control on a folder. Strangely, this script was failing:

```powershell
$username = "my_nonadmin_user"
$path = "c:\inetpub\wwwroot"
# Get-Acl reads the whole security descriptor (owner, group, DACL, SACL)
$acl = Get-Acl $path
$accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($username, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($accessrule)
Set-Acl -AclObject $acl $path
```

I was getting this error:

Set-Acl : The security identifier is not allowed to be the owner of this object.

The strange thing is that I wasn’t trying to change the folder’s ownership – very frustrating! This explanation from Microsoft made things clear:

“Unfortunately Get-ACL is missing some features. It always reads the full security descriptor even if you just want to modify the DACL. That’s why Set-ACL also wants to write the owner even if you have not changed it. Using the GetAccessControl method allows you to specify what part of the security descriptor you want to read”

Just remove the 3rd line which starts with $acl, and replace it with:

```powershell
$acl = (Get-Item $path).GetAccessControl("Access")
```

Voila!
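The same fix wrapped in a reusable function, added here as an example (not code from the original post): it reads only the DACL via GetAccessControl, adds the ACE, writes it back with Set-Acl, and then re-reads the DACL to confirm the ACE actually landed. It assumes Windows PowerShell 5.1 as in the post (on PowerShell 7 the call is `[System.IO.FileSystemAclExtensions]::GetAccessControl($item, ...)`), and the function name and parameters are hypothetical.

```powershell
# Added example, not part of the original post. Hypothetical helper that grants
# a principal rights on a folder without ever touching the owner section.
function Grant-FolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'FullControl'
    )

    $item = Get-Item -LiteralPath $Path

    # Read only the DACL ("Access"). Get-Acl would also read the owner, and
    # Set-Acl would then try to write it back, which fails for a non-admin with
    # "The security identifier is not allowed to be the owner of this object".
    $acl = $item.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)

    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)

    # Only the sections that were read (the DACL) are written back.
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verify: read the DACL again and confirm an Allow ACE with at least the
    # requested rights now exists for the principal.
    $after = (Get-Item -LiteralPath $Path).GetAccessControl('Access')
    $match = $after.Access | Where-Object {
        $_.IdentityReference.Value -like "*$Identity" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Rights) -eq $Rights)
    }
    if (-not $match) {
        throw "No matching ACE for '$Identity' found on '$Path' after Set-Acl"
    }
    $match
}

# Same inputs as the post (constructed values; adjust to your environment).
Grant-FolderAccess -Path 'C:\inetpub\wwwroot' -Identity 'my_nonadmin_user'
```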