Taking Ownership Fails With UNC Path, Works Locally!?! Why?

Here is an interesting tidbit related to Windows security:

  1. Create a test file share, e.g. C:\temp\test, and share it with full permissions for eveyone (share, not NTFS permissions) as “test”
  2. Create the following directory hierarchy below the share: C:\temp\test\1\2\3\4
  3. Assign ownership of the four folders 1, 2, 3 and 4 to any user (but do not use your own account, just anyone else’s)
  4. Set permissions on 1, 2, 3 and 4 that only the user from the previous step has full access, nobody else, not even the SYSTEM
  5. Now try to use SetACL to change the owner of directory “4” over the network (SetACL uses backup and restore privileges so this should be no problem) by issuing the following command locally:
    setacl -on \\localhost\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator
  6. SetACL will fail with access denied (full message: “ERROR: Writing SD to <\\?\UNC\localhost\test\1\2\3\4> failed with: Access is denied.”)
  7. Now issue the same command, but instead of using a UNC path use the local drive letter:
    setacl -on c:\temp\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator
  8. That works!

Why is this so? I have no clue.

This is also documented in the FAQ for SetACL.

, , ,

3 Responses to Taking Ownership Fails With UNC Path, Works Locally!?! Why?

  1. JHouseConsulting August 4, 2010 at 01:56 #

    Hi Helge,With respect, this could have something to do with the way you've coded setacl, and is no different to some of the challenges with other Microsoft tools.Moving forward, since Windows 2003 SP2 + hotfix KB947870, I've been using combinations of takeown.exe and icacls.exe successfully, including UNC paths, DFS locations, etc.Cheers,Jeremy.

  2. Helge August 4, 2010 at 21:10 #

    JHouseConsulting,I just found a workaround to the issue described in the article. It is included in the code for SetACL 2.1.However, I still think that the original issue might be a bug in the API function SetNamedSecurityInfo.

  3. JHouseConsulting August 6, 2010 at 03:07 #

    :) Maybe that's the same workaround they added to icacls.exe as per hotfix KB947870.

Leave a Reply