xFileSystemAccessRule: "The security identifier is not allowed to be the owner of this object."

[oleksii-iaroshchuk]

I have the following simple rule to give "Modify" permission on the directory:

File WorkerRoleContent
{
    Ensure          = "Present"            
    DestinationPath = $workerRoleContentDir
    Type            = "Directory"    
}
xFileSystemAccessRule WorkerRoleContent
{
    DependsOn       = "[File]WorkerRoleContent"
    Path            = $workerRoleContentDir
    Identity        = $appUserName
    Rights          = "Modify"
    Ensure          = "Present"
}

When I apply this DSC configuration to clean system (no directory exists), everything works fine.
But when applying it on VM with already existing directory, I have the following error:

The security identifier is not allowed to be the owner of this object.

Googling a bit gave some results for Powershell Set-Acl cmdlet: http://www.mickputley.net/2015/11/set-acl-security-identifier-is-not.html
So, for now I implemented the following workaround using a Script resource:

Script WorkerRoleContent
{
    DependsOn = "[File]WorkerRoleContent"
    SetScript = {                
        $acl = (Get-Item $using:workerRoleContentDir).GetAccessControl('Access')
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($using:appUserName, 
            "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.SetAccessRule($accessRule)
        Set-ACL $using:workerRoleContentDir $acl
    }
    TestScript = { 
        return $false 
    }
    GetScript = {
        @{ Result = "WorkerRoleContent directory" }
    }
}

As stated in refrenced article, main idea is to use (Get-Item $FolderPath).GetAccessControl('Access') instead of Get-ACL $FolderPath.

It seems like such fix must be used inside of xFileSystemAccessRule resource.

[johlju]

There was a fix for this that was not moved over here which means we could have an regression issue in this module now. See potential fix here https://github.com/dsccommunity/xSystemSecurity/pull/14/files.

[bendwyer]

I am experiencing the same behavior when removing rights from an existing directory.

Failed to invoke DSC Set method: The security identifier is not allowed to be the owner of this object.

@johlju - to implement your proposed fix, can I simply replace the necessary files with the ones in your link?

[johlju]

@bendwyer I think replacing the files will remove other things. I think you need to copy and replace/add the green marked code into the correct place in the corresponding files in this repo.

I would appreciate it a lot if you could give it a try. Let me know if you get stuck in any way. 🙂

[bendwyer]

Hi @johlju
I was able to make the changes to DSC_FileSystemAccessRule.psm1 and do some light testing. So far it's working. I did not update the DSC_FileSystemAccessRule.Tests.ps1 file as I don't really know what I would be doing there.

Would you like me to open a pull request with the updated file, or attach it here?

[johlju]

Awesome! Yes, please open a pull request and then I can help out with the unit tests.