Set-Acl folder permissions failed Error Code 87

Christopher Todd 1 Reputation point
2021-05-03T17:21:07.613+00:00
```powershell
$SAMname = "zPink.Panther"
$FullUserInfo = Get-ADUser -Filter "UserPrincipalName -eq '******@company.com'" -Properties SamAccountName,EmailAddress
$FullUser = ($FullUserInfo).SamAccountName
$ACLPathFull = "\\server\path\$SAMname"    # UNC path to the user's folder
$Rights = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$Propogation = [System.Security.AccessControl.PropagationFlags]::None
$Access = [System.Security.AccessControl.AccessControlType]::Allow
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$FullUser",$Rights,$Inherit,$Propogation,$Access)
$ACL = Get-Acl $ACLPathFull
Start-Sleep 2
$ACL.AddAccessRule($AccessRule)
Start-Sleep 2
Set-Acl $ACLPathFull $ACL    # this is the call that fails with error code 87
```

Set-Acl will generate the following error (see attached or typed out version below)

```
Set-Acl : Method failed with unexpected error code 87.
At line:1 char:1
+ Set-Acl $ACLPathFull $ACL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (\\server\path\zPink.Panther:String) [Set-Acl], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand
```

Server 1 - Does not work and gives the above error
Powershell Version : 5.1.14393.4350
Server 2016 v1607

Server 2 - Does work with no issues
Version : 5.1.17763.1852
Server 2019 v1809

I am admin on both servers; they are both trying to change the folder permissions the same way.
Any feedback would be greatly appreciated.
Or is it as simple as the above versions being the cause?

whoami /priv has the same output


1 answer

  1. MotoX80 37,156 Reputation points
    2021-05-03T18:22:17.58+00:00

    Instead of processing a network share, try using invoke-command and run that portion of the script on the target server itself against the local drive letter.

```powershell
$SAMname = "zPink.Panther"
$FullUserInfo = Get-ADUser -Filter "UserPrincipalName -eq '******@company.com'" -Properties SamAccountName,EmailAddress
$FullUser = ($FullUserInfo).SamAccountName
$ACLPathFull = "E:\Users\$SAMname"    # local drive path as seen on the target server
invoke-command -ComputerName server-name -ScriptBlock {
    $Rights = [System.Security.AccessControl.FileSystemRights]::FullControl
    $Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $Propogation = [System.Security.AccessControl.PropagationFlags]::None
    $Access = [System.Security.AccessControl.AccessControlType]::Allow
    # $using: pulls the caller's variables into the remote session
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$using:FullUser",$Rights,$Inherit,$Propogation,$Access)
    $ACL = Get-Acl $using:ACLPathFull
    Start-Sleep 2
    $ACL.AddAccessRule($AccessRule)
    Start-Sleep 2
    Set-Acl $using:ACLPathFull $ACL    # must also use $using: here; $ACLPathFull is not defined remotely
}
```
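As an added example (not the question's or the answer's code), the same ACE applied on the target server against its local path and then read back, so a missing folder or a rule that did not land is reported instead of passing silently. The server name, folder path and account are placeholders.

```powershell
# Added example: grant an account an inheriting FullControl ACE on a folder that
# lives on a remote server, working against the local path on that server, then
# read the ACL back to confirm the ACE is present. Names below are placeholders.
param(
    [string]$ServerName  = 'server-name',
    [string]$LocalFolder = 'E:\Users\zPink.Panther',
    [string]$Account     = 'COMPANY\zPink.Panther'
)

$result = Invoke-Command -ComputerName $ServerName -ScriptBlock {
    param($Folder, $Identity)

    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder '$Folder' does not exist on $env:COMPUTERNAME"
    }

    $rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $type    = [System.Security.AccessControl.AccessControlType]::Allow
    $rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
                   $Identity, $rights, $inherit, $prop, $type)

    # Get-Acl and Set-Acl both run on the server against the local path.
    $acl = Get-Acl -LiteralPath $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl

    # Read the DACL back and look for an explicit (non-inherited) ACE that
    # matches the identity, rights and type just requested.
    $after = Get-Acl -LiteralPath $Folder
    $match = $after.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        -not $_.IsInherited -and
        $_.FileSystemRights -eq $rights -and
        $_.AccessControlType -eq $type
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Folder   = $Folder
        Applied  = [bool]$match
    }
} -ArgumentList $LocalFolder, $Account

if (-not $result.Applied) {
    throw "ACE for $Account was not found on $LocalFolder after Set-Acl"
}
$result
```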
    
