The only source of knowledge is experience

How to fix “Error: This access control list is not in canonical form and therefore cannot be modified. Error count: 1”

In my previous post about Deploying ASP.NET 4.5 to Docker on Windows I forgot to mention that you might run into an issue when running webdeploy.

Julian Perrott commented on my post and asked if this is an issue. I think it is an issue and that the install does not complete correctly, but there is an easy fix. Add a small PowerShell script to your Docker image and run it after the first attempt to deploy the website: the script fixes the ACLs, and you then run Web Deploy again. I have not yet tried this on the latest Windows Server 2016 bits, but on Technical Preview 5 this worked like a charm.

You need the following script to fix the ACLs:

This script does nothing more than get the ACL on the path and re-apply it. This makes Windows fix the ACL and put it back into canonical form.
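As an added example (not the original script from this post), the following PowerShell script applies the get-and-re-apply approach described above to a folder and its subdirectories, and reports the AreAccessRulesCanonical flag before and after so a build or release step can confirm the fix took effect. The helper name Repair-AclOrder and the default path are assumptions.

```powershell
# Added example, not the script from the original post.
param(
    # Assumed default; pass the folder Web Deploy publishes into.
    [string]$Path = 'C:\inetpub\wwwroot'
)

function Repair-AclOrder {
    # Hypothetical helper name. Re-applies a directory's own ACL unchanged
    # and reports whether its access rules are in canonical order.
    param([Parameter(Mandatory = $true)][string]$LiteralPath)

    $before = Get-Acl -LiteralPath $LiteralPath
    # No rule is added or removed: the same descriptor is written back.
    Set-Acl -LiteralPath $LiteralPath -AclObject $before
    $after = Get-Acl -LiteralPath $LiteralPath

    [pscustomobject]@{
        Path            = $LiteralPath
        CanonicalBefore = $before.AreAccessRulesCanonical
        CanonicalAfter  = $after.AreAccessRulesCanonical
    }
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Error "Directory not found: $Path"
    exit 2
}

# The target folder itself, then every subdirectory beneath it.
$targets = @($Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse |
    ForEach-Object { $_.FullName })

$results = foreach ($dir in $targets) { Repair-AclOrder -LiteralPath $dir }
$results | Format-Table -AutoSize

# Fail the build step if any directory is still non-canonical, so the
# problem surfaces here instead of in the follow-up Web Deploy run.
$stillBroken = @($results | Where-Object { -not $_.CanonicalAfter })
if ($stillBroken.Count -gt 0) {
    Write-Error ("{0} directories still have non-canonical ACLs" -f $stillBroken.Count)
    exit 1
}
```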

You can add this to your Dockerfile and make it part of your standard install of a website in your release pipeline.

So this does nothing more than add the little PowerShell script to the container and then use it in the step after deploying your website.

Hope this helps!


  1. Arpit Gaur

    I have a Windows Server 2016 machine (OS Build number 14393.693) and this is not working there.
    Tell me where to make the fixAcls.ps1 on my local machine, as it is not mentioned,
    and trying various permutations-combinations is doing nothing good but giving errors.

    • Marcel

      The fix ACL script is applied to the files just installed on the website with webdeploy. After running the script and re-running webdeploy it should work.

      • Rabosa

        It did not work for me until I fixed the .deploy.cmd file removing the return exit 1 statement in the whole file.

  2. bouda

    Can you try it on Windows Server? It doesn’t work for me.

  3. Tyler

    Brilliant! This worked! This is the only answer that didn’t say that the fix is to simply open the security tab of the folder. Also, how pathetic, that this error even exists, much less that the fix is to capture the folder’s own ACL, then apply its own ACL to itself.

  4. Shaun Kiesewetter

    Thanks this worked for me on WindowsServerCore 2016 container.
    Here is the docker run command …

    #Set ACL for site directories network service
    RUN $StartingDir = 'C:\inetpub\wwwroot\Vimago';

    Write-Host 'Fixing ACL for:C:\inetpub\wwwroot\Vimago\ScalableWebSite';
    $path = 'C:\inetpub\wwwroot\Vimago\ScalableWebSite';
    $aclfix = Get-Acl $path;
    Set-Acl $path $aclfix;

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NetworkService', 'FullControl', 'Allow');
    foreach ($file in $(Get-ChildItem $StartingDir -Recurse | ?{ $_.PSIsContainer })) {
        Write-Host 'Setting ACL for: '$file.FullName;
        $Acl = Get-Acl $file.FullName;
        #Fix canonical form in ACL
        Set-Acl $file.FullName $Acl;
    };

    I only applied this to the parent directory and it all worked.

    • Daniel

      Thanks Shaun: your version of the script worked on Microsoft Windows Server 2016 Datacenter/10.0.14393.0 – Microsoft/iis Docker image with WebDeploy 3.6.
      Anyway it’s still annoying that I have to deploy the website twice and that this error still exists in 2018.

      • David

        I found that it is not necessary to deploy the website twice. I simply created the folder in PowerShell in advance and applied the fix.

        $acl_path = "C:\inetpub\wwwroot\mynewapp";

        # Create the target folder up front and re-apply its own ACL
        if (-not (Test-Path $acl_path)) {
            Write-Host "ACL FIX on $acl_path"
            New-Item -ItemType directory -Path $acl_path -Force
            $acl = Get-Acl $acl_path
            Set-Acl $acl_path $acl
        }

  5. Marcos Leal

    Fantastic yet simple solution! It applies not only for dockerized apps but for any release pipeline configured in TFS for example. I’ve put this script prior to the final step of the release definition and now we don’t get failed releases for this error anymore.


© 2022 Fluentbytes
