Set-Acl - SeSecurityPrivilege problem
Last Post 30 Apr 2008 09:58 AM by Dods. 1 Replies.
Dods (New Member, Posts: 11)
28 Apr 2008 04:05 PM

Hello.

I have an issue where the script is running as a user account that has full control to the directory structure via membership to a Domain local group called 'Enterprise File Admins'. This group is tree'd from the root with full control.

The error in question is:

Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.

If I add the user account to the Domain Admins group the error goes away. (I don't want to give the users in question Domain Admins though.)

Here is a sample of my script where the error is occurring at the Set-Acl line.

# Test paths and create with ACLs if they don't exist
 
$Winntuser = "Test.User"
$newprofiledir = "\\fileserver\profiles\Test.User\Profile"
   
#PSCX trick to allow change ownership to different user
add-PSSnapin PSCX
$SeRestore = New-Object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true
Set-Privilege $SeRestore

if (!(Test-Path -path $newprofiledir))
{   
     $a =  New-Item -type directory -path $newprofiledir -force

     $acl = Get-Acl -path $newprofiledir

     # user id
     $ownedby = $winntuser
     $principal = "domain\$ownedby"
  
     #
     ## define user access, inheritance, propagation
     $inheritance = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor 
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

     $propagation=[System.Security.AccessControl.PropagationFlags]::None
     # $args is a PowerShell automatic variable, so a different name is used here
     $ruleArgs = $principal, "Modify", $inheritance, $propagation, "Allow"
     $accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule $ruleArgs
     $acl.SetAccessRule($accessrule)

     ## define ownership
     $account = New-Object System.Security.Principal.NTAccount("domain","$ownedby")
     $acl.SetOwner($account)
   
     ## Writes new userpermissions to new directory
     Set-Acl -Path $newProfileDir -AclObject $acl   
}

 

Cheers Dods.

Any help would be gratefully appreciated

Dods (New Member, Posts: 11)
30 Apr 2008 09:58 AM

Hello again,

Here is an update to the things that I have tried and a workaround if you ever experience this problem.

More information on the environment:

The workstation computer account running the script is in the same AD domain as the DC. The user account running the script is an Administrator of the workstation.

The user account is a member of the enterprise file admins group. The group has been added to the computer policy of the DC - with access to the Restore Files Right. (I read that this will allow acl and ownership change rights on the server). The same group has full control permissions on the directory structure. I also added the user to the backup operators group on the domain.

Using PSCX I'm able to see, using Set-Privilege and Get-Privilege, that the 'SeRestorePrivilege' is Enabled in the PowerShell session.

After all this I still get the Set-Acl error. (Adding the user to Domain Admins works - not good).

So for the time being I have given up on the Set-Acl cmdlet and found a free utility.

SetACL by Helge Klein

Homepage:        http://setacl.sourceforge.net

Parsing the SetAcl command like so fixes the problem for now. Hope this helps someone.

 Dods.

 

# Grant the user Change permission on the new profile directory
$a = c:\temp\setacl.exe -on "$($newprofiledir)" -ot file -actn ace -ace "n:$($principal);p:change;i:so,sc,np;m:grant"
# Set the user as owner of the directory
$b = c:\temp\setacl.exe -on "$($newprofiledir)" -ot file -actn setowner -ownr "n:$($principal)"
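
Added example (not part of the thread, and not code from PSCX or SetACL): SeSecurityPrivilege is the privilege Windows requires to read or write a SACL (audit rules), so one alternative to an external tool is to write the security descriptor through .NET, which persists only the sections that were changed. It assumes that the error comes from the audit section being included in the Set-Acl write, that the script runs in Windows PowerShell on .NET Framework, that the directory already exists, and that SeRestorePrivilege is enabled as in the original script; the path and account are the sample values from the first post.

```powershell
# Added example: apply a Modify ACE and a new owner without touching the SACL.
# Values below are the sample values from the thread, not real accounts.
$newprofiledir = '\\fileserver\profiles\Test.User\Profile'
$account = New-Object System.Security.Principal.NTAccount('domain', 'Test.User')

# Load ONLY the DACL. A descriptor fetched this way carries no audit data,
# so there is nothing in it that would need SeSecurityPrivilege to write back.
$sections = [System.Security.AccessControl.AccessControlSections]::Access
$dir = Get-Item -LiteralPath $newprofiledir
$sd  = $dir.GetAccessControl($sections)

# Same rule as the original script: Modify, inherited by subfolders and files.
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Modify', $inheritance, $propagation, 'Allow')
$sd.SetAccessRule($rule)

# Changing the owner to another account still needs SeRestorePrivilege enabled
# in this session (the original script does that with PSCX Set-Privilege).
$sd.SetOwner($account)

# DirectoryInfo.SetAccessControl writes only the sections modified on $sd
# (access rules and owner here); the audit section is left alone.
$dir.SetAccessControl($sd)

# Read back the owner and the explicit (non-inherited) ACEs to confirm the result.
$verifySections = [System.Security.AccessControl.AccessControlSections]'Access, Owner'
$check = $dir.GetAccessControl($verifySections)
$ntAccount = [System.Security.Principal.NTAccount]

'Owner: ' + $check.GetOwner($ntAccount).Value
$check.GetAccessRules($true, $false, $ntAccount) |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType |
    Format-Table -AutoSize
```

If the call to SetAccessControl still fails with the SeSecurityPrivilege message, the assumption above does not hold in that environment and the cause lies elsewhere.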