In this post I want to share a solution to a problem that may occur when you copy pages or sites from one location to another inside a site collection, using the content and structure 'copy' option. You may receive this error:
System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.
At System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()
At System.Security.AccessControl.CommonAcl.RemoveInheritedAces()
At System.Security.AccessControl.CommonSecurityDescriptor.SetDiscretionaryAclProtection(Boolean isProtected, Boolean preserveInheritance)
At System.Security.AccessControl.ObjectSecurity.SetAccessRuleProtection(Boolean isProtected, Boolean preserveInheritance)
At Microsoft.SharePoint.Deployment.DataFileManager.<>c__DisplayClass1.<CreateDirectoryAsProcessAccount>b__0()
At Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
At Microsoft.SharePoint.Deployment.DataFileManager.CreateDirectoryAsProcessAccount(String strDir, Boolean allowCurrentUserWriteAccess)
At Microsoft.SharePoint.Deployment.SPExport.AutoGenerateDataFolder()
At Microsoft.SharePoint.Deployment.SPExport.Run()
At Microsoft.SharePoint.Publishing.Internal.DeploymentWrapper.Copy(String[] sourceSmtObjectIds, String destSmtObjectId)
At Microsoft.SharePoint.Publishing.Internal.WebControls.CopyObjects.Copy()
At Microsoft.SharePoint.Publishing.Internal.WebControls.CopyObjects.DoWork()
At Microsoft.SharePoint.Publishing.Internal.LongRunningOperationJob.<>c__DisplayClass16.<ThreadEntryPoint>b__11()
At Microsoft.Office.Server.Diagnostics.FirstChanceHandler.ExceptionFilter(Boolean fRethrowException, TryBlock tryBlock, FilterBlock filter, CatchBlock catchBlock, FinallyBlock finallyBlock)
The problem is that the ACL on the 'Windows\temp' directory is corrupted, so the accounts WSS_WPG and WSS_ADMIN_WPG have no access to the folder to store temporary files.
The solution is to redefine the ACL:
- Right-Click on the folder Windows\temp
- Click on the Security tab
- Click on the Advanced button
- Ensure that the account WSS_ADMIN_WPG has the Full control permission
- Ensure that the account WSS_WPG has the Read & execute permission.
- Select both 'Allow inheritable permissions...' and 'Replace permission entries...'
- Click OK.
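A read-only PowerShell check for the condition described above, added here as an example and not part of the original post: it reports whether the Windows\temp DACL is canonical, marks entries that break the explicit Deny, explicit Allow, inherited ordering, and looks for the two grants listed in the steps. It assumes WSS_ADMIN_WPG and WSS_WPG are local groups on the SharePoint server and that the prompt is elevated; the function and variable names are illustrative.

```powershell
# Added example: audit the ACL on Windows\Temp. Reads only, changes nothing.
$path = Join-Path $env:windir 'Temp'
$acl  = Get-Acl -Path $path

# When this is False, .NET refuses to modify the DACL (the exception in the post).
"Canonical DACL: $($acl.AreAccessRulesCanonical)"

# Ordering stages of a canonical DACL:
# 0 = explicit Deny, 1 = explicit Allow, 2 = inherited entries.
function Get-AceStage($ace) {
    if ($ace.IsInherited) { return 2 }
    if ($ace.AccessControlType -eq 'Allow') { return 1 }
    return 0
}

# List the entries in stored order and flag any that fall back to an earlier stage.
$highest = 0
$index   = 0
foreach ($ace in $acl.Access) {
    $stage = Get-AceStage $ace
    $flag  = if ($stage -lt $highest) { 'OUT OF ORDER' } else { '' }
    '{0,2} {1,-5} inherited={2,-5} {3,-40} {4}' -f `
        $index, $ace.AccessControlType, $ace.IsInherited, $ace.IdentityReference, $flag
    if ($stage -gt $highest) { $highest = $stage }
    $index++
}

# Rights the post expects for the two SharePoint groups (local group names assumed).
$expected = @{
    'WSS_ADMIN_WPG' = [System.Security.AccessControl.FileSystemRights]::FullControl
    'WSS_WPG'       = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}
foreach ($name in $expected.Keys) {
    $want  = [int]$expected[$name]
    # Match on the account name after any MACHINE\ or DOMAIN\ prefix.
    $grant = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -split '\\')[-1] -eq $name -and
        ([int]$_.FileSystemRights -band $want) -eq $want
    }
    $state = if ($grant) { 'present' } else { 'MISSING' }
    '{0,-14} needs {1,-15}: {2}' -f $name, $expected[$name], $state
}
```

The grant check looks only at Allow entries, so a Deny entry for the same group can still block access even when the result reads "present".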
1000 thanks to my colleague Frédéric Lévesque, the 'Security guy', for helping troubleshoot the issue.
Hope this helps.