powershell - Why does Set-Acl on the drive root try to set ownership of the "object"?

Question

I would like to change the ACL of the C: drive. What im trying to do is remove the permission that a user can create a folder directly on the drive. I tested the script on another folder while writing it. It worked without a problem. After completion i tried the script in our test envoirnment on the actual drive. I get an error that i cant figure out. If i remove the permission manualy it works without a problem. Anyone got an idea?

$path = "C:"

$colRights = [System.Security.AccessControl.FileSystemRights]"CreateDirectories"

$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None 
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None 

$objType =[System.Security.AccessControl.AccessControlType]::Allow 
$objUser = New-Object System.Security.Principal.NTAccount("Authenticated Users") 
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) 

$objACL = Get-ACL $path 
$objACL.RemoveAccessRule($objACE) 

Set-ACL $path $objACL

The error is:

Set-Acl : The security identifier is not allowed to be the owner of this object.
At C:UsersmhodlerDesktopRemove Permission.ps1:57 char:8
+ Set-ACL <<<<  $path $objACL
    + CategoryInfo          : InvalidOperation: (C::String) [Set-Acl], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand

Answer 1

I found the answer. Microsoft says

Unfortunately Get-Acl is missing some features. It always reads the full security descriptor even if you just want to modify the DACL. That’s why Set-ACL also wants to write the owner even if you have not changed it. Using the GetAccessControl method allows you to specify what part of the security descriptor you want to read.

Replace the Get-Acl call with

$acl = (Get-Item $path).GetAccessControl('Access')