Saturday, March 11, 2017

Copying the ACL from one securable object to another

Today I tried to copy the access control list from one securable object to another by calling GetAccessControl on the source and supplying that object to SetAccessControl on the destination. PowerShell printed no errors, but it didn't work - the ACL was not updated on the target.

Instead, I needed to get the binary form of the source's security descriptor and apply it as the binary form of the destination's security descriptor. That can be done with GetSecurityDescriptorBinaryForm and SetSecurityDescriptorBinaryForm, respectively. Actually saving the altered ACL to the object seems to always require SeRestorePrivilege to be enabled, even if the owner isn't actually changed.
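As an added example (not the post's own code), here is the binary-form copy described above wrapped in a function that also re-reads the destination and compares its SDDL with the source, so a silent no-op like the one in the first attempt is visible. It assumes both paths exist and that the session is elevated so SeRestorePrivilege is available.

```powershell
# Added example: copy the security descriptor of one file/directory to another
# via its binary form, then verify the result by comparing SDDL strings.
function Copy-SecurityDescriptor {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination
    )

    # Read the source descriptor and serialize it (owner, group, DACL; SACL only with -Audit).
    $srcAcl = Get-Acl -LiteralPath $Source
    $bytes  = $srcAcl.GetSecurityDescriptorBinaryForm()

    # Start from the destination's own security object so its type
    # (FileSecurity vs. DirectorySecurity) matches the target, then overwrite it.
    $dstAcl = Get-Acl -LiteralPath $Destination
    $dstAcl.SetSecurityDescriptorBinaryForm($bytes)

    # Writing the full descriptor back (including owner) is the step that needs
    # SeRestorePrivilege; check with `whoami /priv` if this throws or does nothing.
    Set-Acl -LiteralPath $Destination -AclObject $dstAcl

    # Verify instead of trusting the absence of errors: re-read and compare.
    $after = Get-Acl -LiteralPath $Destination
    [pscustomobject]@{
        Source      = $srcAcl.Sddl
        Destination = $after.Sddl
        Match       = ($srcAcl.Sddl -eq $after.Sddl)
    }
}

# Usage with constructed sample paths:
# Copy-SecurityDescriptor -Source 'C:\data\template.txt' -Destination 'C:\data\copy.txt'
```

If Match is $false after the call, the descriptor was not applied even though no error was reported, which is exactly the symptom the GetAccessControl/SetAccessControl approach produced.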
