Is any of the permissions in the list below enough to allow a user to use Set-ACL?

Igor Godinho 100 Reputation points
2024-01-08T14:07:00.6033333+00:00

https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=dotnet-plat-ext-7.0

Name                  Value     Description
AccessSystemSecurity  16777216  The right to get or set the SACL in the object security descriptor.
CreateChild           1         The right to create children of the object.
Delete                65536     The right to delete the object.
DeleteChild           2         The right to delete children of the object.
DeleteTree            64        The right to delete all children of this object, regardless of the permissions of the children.
ExtendedRight         256       A customized control access right. For a list of possible extended rights, see the Extended Rights article. For more information about extended rights, see the Control Access Rights article.
GenericAll            983551    The right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right.
GenericExecute        131076    The right to read permissions on, and list the contents of, a container object.
GenericRead           131220    The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container.
GenericWrite          131112    The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.
ListChildren          4         The right to list children of this object. For more information about this right, see the Controlling Object Visibility article.
ListObject            128       The right to list a particular object. For more information about this right, see the Controlling Object Visibility article.
ReadControl           131072    The right to read data from the security descriptor of the object, not including the data in the SACL.
ReadProperty          16        The right to read properties of the object.
Self                  8         The right to perform an operation that is controlled by a validated write access right.
Synchronize           1048576   The right to use the object for synchronization. This right enables a thread to wait until that object is in the signaled state.
WriteDacl             262144    The right to modify the DACL in the object security descriptor.
WriteOwner            524288    The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users.
WriteProperty         32        The right to write properties of the object.

I know the user must be the file owner or a member of the Administrators group to run Set-Acl. How can I make the user a file owner? To use Set-ACL on an OU, would I need the user to be the file owner of this OU?

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

Accepted answer
  1. Anonymous
    2024-01-09T08:28:27.2966667+00:00

    Hi Igor Godinho,

    Thank you for posting on the Q&A forum.

    You need to be the file owner or the local administrator to run the Set-Acl cmdlet to set the permissions you list above on a file. To make a user the file owner, you can still use the Set-Acl cmdlet or run takeown.exe. You need to be the local administrator to do that.

    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown

    If you want to set the permissions on an OU with Set-Acl, you need to be the domain administrator.

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.
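The following PowerShell is an added example, not code from the question, the answer or Microsoft's documentation. It works the rights table quoted in the question and the answer's advice from an auditing angle: it expands a numeric ActiveDirectoryRights mask into its single-bit rights (showing, for instance, that GenericAll carries both WriteDacl and WriteOwner), lists the ACEs on an OU that would let a trustee rewrite its DACL or take ownership, and wraps the Set-Acl ownership change the answer mentions in a ShouldProcess-aware function. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) is installed; the OU distinguished name and the account name are placeholders.

```powershell
# Added example (not from the original question or answer).
# Assumes the RSAT ActiveDirectory module is installed so that the AD: drive exists.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Expand a numeric ActiveDirectoryRights mask into the single-bit rights it contains.
# Composite members (GenericAll, GenericRead, GenericWrite, GenericExecute) are
# skipped so the output shows which individual rights the mask really grants.
function Get-RightsFromMask {
    param([Parameter(Mandatory)] [int] $Mask)
    $singleBit = [Enum]::GetValues([System.DirectoryServices.ActiveDirectoryRights]) |
        Where-Object { $v = [int]$_; $v -ne 0 -and ($v -band ($v - 1)) -eq 0 }
    foreach ($right in $singleBit) {
        if (($Mask -band [int]$right) -ne 0) { $right.ToString() }
    }
}

# Rights that let a trustee change the security descriptor itself:
# WriteDacl (262144) rewrites the DACL, WriteOwner (524288) takes ownership.
# GenericAll (983551) contains both bits, so a -band test catches it as well.
$descriptorControl = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

# Report the owner of an AD object and every Allow ACE that carries WriteDacl
# and/or WriteOwner. Useful when reviewing who can change permissions on an OU.
function Get-DescriptorControlAces {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $descriptorControl) -eq 0) { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Owner     = $acl.Owner
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Make a principal the owner of an AD object via Set-Acl on the AD: drive, as the
# answer describes. Assigning ownership to someone else needs administrative
# rights on the directory (the answer names the domain administrator for an OU);
# a trustee holding only WriteOwner can take ownership for itself, not hand it on.
function Set-AdObjectOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Account   # placeholder, e.g. 'EXAMPLE\jdoe'
    )
    $path = "AD:\" + $DistinguishedName
    $acl  = Get-Acl -Path $path
    $acl.SetOwner([System.Security.Principal.NTAccount]$Account)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "set owner to $Account")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage (placeholder DN and account):
Get-RightsFromMask -Mask 983551      # GenericAll: CreateChild ... WriteDacl, WriteOwner
Get-DescriptorControlAces -DistinguishedName 'OU=Workstations,DC=example,DC=com' | Format-Table
Set-AdObjectOwner -DistinguishedName 'OU=Workstations,DC=example,DC=com' -Account 'EXAMPLE\jdoe' -WhatIf
```

Run the audit first and treat any non-administrative identity that shows up with WriteDacl, WriteOwner or GenericAll on an OU as a delegation finding to review; use -WhatIf on Set-AdObjectOwner to preview the ownership change before applying it.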

