Windows – Fixing “This access control list is not in canonical form” errors from the command line

Tags: access-control-list, windows

On several of our developer workstations, we've been getting the dreaded "This access control list is not in canonical form and therefore cannot be modified." error when we try and set permissions on certain folders. We haven't been able to figure out what is corrupting these ACLs.

Right now, the only way I know to fix it is to right-click the corrupted folder/file, choose Properties and click the Security tab. Windows will then notice the corruption and offer to fix it. I don't like this because it is manual and requires the user to do some investigations to figure out what folder/file is corrupt.

Is there a script or program somewhere that will do this automatically? I see that icacls has a /verify parameter, but it just shows me that the ACLs on a file/folder are corrupted. It doesn't offer to fix anything.

Best Answer

I was finally able to figure out an automated fix for this. When you call PowerShell's Set-Acl cmdlet, it will re-order the ACLs correctly:

$path = 'C:\Path\To\Item\With\Borked\ACL'   # path must be quoted, otherwise PowerShell tries to run it as a command
$acl = Get-Acl -Path $path                   # read the current security descriptor
Set-Acl -Path $path -AclObject $acl          # write it straight back; the ACEs come out in canonical order

Of course, it could be a parent of the directory that is messed up, so you should do some traversing to find the culprit. Use icacls C:\Path\To\Item\With\Suspect\ACL /verify to figure out if something needs repair.

In our environment, Cygwin is the likely culprit: when it creates directories, it likes to give POSIX-style permissions on them, instead of relying on Windows to manage file system security.
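As an added example (this is not code from the original answer), here is a PowerShell function that automates the procedure the answer describes: walk a tree starting at the root, flag every file or directory whose DACL is not in canonical order, and rewrite it with Get-Acl/Set-Acl. Instead of parsing the output of icacls /verify it uses the AreAccessRulesCanonical property of the security descriptor object that Get-Acl returns. The function name, its parameter and the example paths are assumptions for the example.

```powershell
# Added example, not from the original post. Finds and repairs items whose
# DACL is not in canonical form. Supports -WhatIf so the tree can be previewed
# before anything is written. Run from a prompt that has rights to read and
# write the ACLs in question (typically elevated on a developer workstation).
function Repair-NonCanonicalAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root          # e.g. 'C:\Users\dev\src' (hypothetical path)
    )

    if (-not (Test-Path -LiteralPath $Root)) {
        throw "Path not found: $Root"
    }

    # The parent directory can be the real culprit, so check the root itself
    # first, then everything below it (-Force includes hidden/system entries).
    $items = @(Get-Item -LiteralPath $Root -Force)
    $items += Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            Write-Warning "Cannot read ACL on '$($item.FullName)': $($_.Exception.Message)"
            continue
        }

        # A canonical DACL lists explicit deny ACEs before explicit allow ACEs,
        # and all explicit ACEs before inherited ones. Any other order is what
        # produces the "not in canonical form" error when you try to edit it.
        if ($acl.AreAccessRulesCanonical) { continue }

        if ($PSCmdlet.ShouldProcess($item.FullName, 'Rewrite ACL in canonical order')) {
            try {
                # Writing the unmodified descriptor back is the fix from the answer.
                Set-Acl -LiteralPath $item.FullName -AclObject $acl
                # Re-read to confirm the rewrite actually produced a canonical DACL.
                $fixed = (Get-Acl -LiteralPath $item.FullName).AreAccessRulesCanonical
            } catch {
                Write-Warning "Set-Acl failed on '$($item.FullName)': $($_.Exception.Message)"
                $fixed = $false
            }
            [pscustomobject]@{
                Path     = $item.FullName
                Repaired = $fixed
            }
        }
    }
}

# Preview which items would be touched, then apply and list the results:
#   Repair-NonCanonicalAcl -Root 'C:\Path\To\Suspect\Tree' -WhatIf
#   Repair-NonCanonicalAcl -Root 'C:\Path\To\Suspect\Tree' | Format-Table -AutoSize
```

Run it with -WhatIf first so you can see which paths are non-canonical before any descriptor is written; the objects it emits tell you whether the re-read ACL came back canonical, which is the same check icacls /verify performs. Items the current user cannot read or write are reported as warnings rather than silently skipped, so a tree that still fails after a run points at a permissions problem rather than at another corrupted ACL.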