Saturday, March 6, 2010

System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified

In this post I want to share a solution to a problem that may occur when you copy pages or sites from one location to another inside a site collection using the content and structure 'copy' option. You may receive this error:
System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.

At System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()
At System.Security.AccessControl.CommonAcl.RemoveInheritedAces()
At System.Security.AccessControl.CommonSecurityDescriptor.SetDiscretionaryAclProtection(Boolean isProtected, Boolean preserveInheritance)
At System.Security.AccessControl.ObjectSecurity.SetAccessRuleProtection(Boolean isProtected, Boolean preserveInheritance)
At Microsoft.SharePoint.Deployment.DataFileManager.<>c__DisplayClass1.<CreateDirectoryAsProcessAccount>b__0()
At Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
At Microsoft.SharePoint.Deployment.DataFileManager.CreateDirectoryAsProcessAccount(String strDir, Boolean allowCurrentUserWriteAccess)
At Microsoft.SharePoint.Deployment.SPExport.AutoGenerateDataFolder()
At Microsoft.SharePoint.Deployment.SPExport.Run()
At Microsoft.SharePoint.Publishing.Internal.DeploymentWrapper.Copy(String[] sourceSmtObjectIds, String destSmtObjectId)
At Microsoft.SharePoint.Publishing.Internal.WebControls.CopyObjects.Copy()
At Microsoft.SharePoint.Publishing.Internal.WebControls.CopyObjects.DoWork()
At Microsoft.SharePoint.Publishing.Internal.LongRunningOperationJob.<>c__DisplayClass16.<ThreadEntryPoint>b__11()
At Microsoft.Office.Server.Diagnostics.FirstChanceHandler.ExceptionFilter(Boolean fRethrowException, TryBlock tryBlock, FilterBlock filter, CatchBlock catchBlock, FinallyBlock finallyBlock)

The problem is that the ACL on the 'Windows\temp' directory is corrupted, so the WSS_WPG and WSS_ADMIN_WPG accounts cannot access the folder to write temporary files.

The solution is to redefine the ACL:

  1. Right-Click on the folder Windows\temp
  2. Click on the Security tab
  3. Click on the Advanced button
  4. Ensure that the account WSS_ADMIN_WPG has the Full Control permission
  5. Ensure that the account WSS_WPG has the Read & execute permission.
  6. Select both 'Allow inheritable permissions...' and 'Replace permission entries...'
  7. Click OK. 
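
Before resetting the ACL through the dialog, the state described above can be confirmed from PowerShell. The script below is an added example, not part of the original post; it only reads the ACL, and it assumes the folder is %SystemRoot%\Temp and that the two groups are named as in the post.

```powershell
# Added example, read-only: inspects the ACL and changes nothing.
# Assumptions: folder is %SystemRoot%\Temp; group names are those given in the post.
$path   = Join-Path $env:SystemRoot 'Temp'
$groups = 'WSS_ADMIN_WPG', 'WSS_WPG'
$acl    = Get-Acl -LiteralPath $path

# Canonical = False is the state in which SetAccessRuleProtection throws
# the InvalidOperationException shown in the stack trace.
'{0}: canonical = {1}, inheritance blocked = {2}' -f `
    $path, $acl.AreAccessRulesCanonical, $acl.AreAccessRulesProtected

# Canonical order: explicit deny ACEs, then explicit allow ACEs, then inherited ACEs.
function Get-AceRank($ace) {
    if ($ace.IsInherited) { return 2 }
    if ($ace.AccessControlType -eq 'Deny') { return 0 }
    return 1
}

# Walk the ACEs in stored order and flag any that appear after a later-ranked one.
$highest = 0
$index   = 0
$report  = foreach ($ace in $acl.Access) {
    $rank = Get-AceRank $ace
    [pscustomobject]@{
        Index      = $index
        Identity   = $ace.IdentityReference.Value
        Type       = $ace.AccessControlType
        Inherited  = $ace.IsInherited
        Rights     = $ace.FileSystemRights
        OutOfOrder = ($rank -lt $highest)
    }
    if ($rank -gt $highest) { $highest = $rank }
    $index++
}
$report | Format-Table -AutoSize

# Report what each SharePoint group is currently granted on the folder.
foreach ($g in $groups) {
    $hits = @($report | Where-Object { $_.Identity -eq $g -or $_.Identity -like "*\$g" })
    if ($hits.Count -eq 0) {
        '{0}: no ACE on {1}' -f $g, $path
    } else {
        $hits | ForEach-Object { '{0}: {1} {2}' -f $g, $_.Type, $_.Rights }
    }
}
```

Rows with OutOfOrder set to True show where the stored ACE order breaks; after the steps above, Canonical should read True and both groups should be listed with the rights named in steps 4 and 5.
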
A 1000 thanks to my colleague Frédéric Lévesque, the 'Security guy', for helping troubleshoot the issue.

Hope this helps.