Channel: PowerShell General

Set-Acl Access denied


Hi all

I created a PowerShell script which deletes folder permissions and sets new ones on the user profile folder, which is stored on a file server. The permissions of the user are not inherited; they are set directly on the folder.

The script works fine as long as the flag "Include inheritable permissions from this object's parent" is set. If I remove the flag and choose "Add", the following error message is shown after running the script:

ERROR: Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
set_ntfs_folder_permissions.ps1 (55): ERROR: At Line: 55 char: 16
ERROR: + Set-ACL <<<< $SNA_Profilshare $ACL
ERROR: + CategoryInfo : PermissionDenied: (\\wma271740\c$\test\marcgenn:String) [Set-Acl], PrivilegeNotHeldException
ERROR: + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand
ERROR:
ACE für prod\marcgenn auf \\wma271740\c$\test\marcgenn erfolgreich entfernt
ERROR: Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
set_ntfs_folder_permissions.ps1 (83): ERROR: At Line: 83 char: 8
ERROR: + Set-ACL <<<< $SNA_Profilshare $acl
ERROR: + CategoryInfo : PermissionDenied: (\\wma271740\c$\test\marcgenn:String) [Set-Acl], PrivilegeNotHeldException
ERROR: + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

Script:


#Global Parameter
$Profilserver = "\\wma271740\c$\test"
#Get Directory Folders
$folders = Get-ChildItem -Path $Profilserver | Where-Object {$_.psIsContainer -eq $true} | Select-Object name

#Logfile: profile server and folders
#####################################start_script#########################################################
$logfile_Profileserver = "c:\temp\log_profle.txt"
get-date | set-content $logfile_Profileserver

"Profilserver: $Profilserver" | Add-content $logfile_Profileserver
foreach ($log_folder in $folders)
{
$log_folder.name | Add-content $logfile_Profileserver 
}
#######################################end_script#########################################################

#Function set new acl

function setnewacl($SNA_folder,$SNA_Profilserver)
{
#Logfile
##########start##########
$logfile_Profileserver_Action = "c:\temp\log_profile_action.txt"
get-date | add-content $logfile_Profileserver_Action
"SNA_Folder: $SNA_folder" | Add-Content $logfile_Profileserver_Action
"SNA_Profileserver: $SNA_Profilserver" | Add-Content $logfile_Profileserver_Action
##########end##########
 
#ACL remove
#####################################start_script#########################################################
$SNA_Profilshare = $("$SNA_Profilserver\$SNA_folder")
$IdentityRef = $("prod\$SNA_folder")  #User or group

#Logfile
##########start##########
"SNA_Profilshare: $SNA_Profilshare" | Add-Content $logfile_Profileserver_Action  
"IdentityRef: $IdentityRef" | Add-Content $logfile_Profileserver_Action
##########end##########
 
$ACL = Get-ACL $SNA_Profilshare
$ACEs=(Get-Acl $SNA_Profilshare).Access | where {$_.IdentityReference -eq $IdentityRef}
$ACEs | foreach {
    try
    {
        $null = $ACL.RemoveAccessRule($_)
        Set-ACL $SNA_Profilshare $ACL
        "`r`n ACE für $IdentityRef auf $SNA_Profilshare erfolgreich entfernt" | Add-Content $logfile_Profileserver_Action
        "ACE für $IdentityRef auf $SNA_Profilshare erfolgreich entfernt"
    }
    catch
    {
        "`r`n keine ACE für $IdentityRef auf $SNA_Profilshare vorhanden" | Add-Content $logfile_Profileserver_Action
        "keine ACE für $IdentityRef auf $SNA_Profilshare vorhanden"
    }
}
#####################################end_script######################################################### 
 
#ACL define and set
#####################################start_script######################################################### 

#Define Parameters
$person      = [System.Security.Principal.NTAccount]"Prod\$SNA_folder"
$access      = [System.Security.AccessControl.FileSystemRights]"Modify"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type        = [System.Security.AccessControl.AccessControlType]"Allow"
$acl   = Get-Acl $SNA_Profilshare

#create the accessrule object based on the previous parameters.
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($person,$access,$inheritance,$propagation,$type)

#add the new access rule to the existing ACL so that the inherited permissions are still there.
$acl.AddAccessRule($accessRule)
Set-ACL $SNA_Profilshare $acl

"  `r`n ##############Ende####################  `r`n" | Add-Content $logfile_Profileserver_Action
#####################################end_script#########################################################
}


foreach ($folder in $folders)
{
setnewacl $folder.name $Profilserver;
}
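As an added example (not the poster's script), the same remove-then-add of a user's explicit ACEs can be done through the .NET DirectorySecurity API on Windows PowerShell, reading and writing only the DACL (Access) section; the SACL, whose access requires SeSecurityPrivilege, is then never touched. The function name Set-ProfileFolderAcl, the \\FILESERVER share, the log path and the "domain\foldername" account convention are assumptions modelled on the post.

```powershell
# Added example (not the poster's script). Windows PowerShell / .NET Framework assumed.
# Read and write only the DACL (Access section) of each profile folder; the SACL,
# whose access needs SeSecurityPrivilege, is never read or written.
param(
    [string]$ProfileRoot = '\\FILESERVER\c$\profiles',   # constructed placeholder share
    [string]$Domain      = 'prod',                        # domain prefix used in the post
    [string]$LogFile     = "$env:TEMP\profile_acl.log"    # constructed log path
)

function Set-ProfileFolderAcl {
    param(
        [Parameter(Mandatory=$true)][string]$FolderPath,
        [Parameter(Mandatory=$true)][string]$Identity     # e.g. prod\<foldername>
    )
    $dir = New-Object System.IO.DirectoryInfo $FolderPath
    # Only the DACL is read; owner, group and SACL sections are left untouched.
    $sec = $dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)

    # Collect the explicit (non-inherited) ACEs for this identity. Inherited ACEs
    # cannot be removed on the child folder, so they are excluded up front.
    $existing = @($sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -ieq $Identity })
    $removed = 0
    foreach ($ace in $existing) {
        if ($sec.RemoveAccessRule($ace)) { $removed++ }
    }

    # Modify on this folder, subfolders and files: the same flags the post sets.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $sec.AddAccessRule($rule)

    # Persists only the section that was modified, i.e. the DACL.
    $dir.SetAccessControl($sec)
    '{0} {1}: removed {2} explicit ACE(s), added Modify for {3}' -f (Get-Date -Format s),
        $FolderPath, $removed, $Identity | Add-Content -Path $LogFile
    return $removed
}

# One profile folder per user; the folder name is the account name (as in the post).
Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $null = Set-ProfileFolderAcl -FolderPath $_.FullName -Identity "$Domain\$($_.Name)"
}
```

Whether the SACL is what trips Set-Acl in the poster's environment is not settled in the thread; the example only shows how to keep the write confined to the part of the security descriptor the script actually changes.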