views:

53

answers:

3

I have a script that creates two groups, a handful of folders, and sets permissions on those folders. In my testing environment all of these processes work without issue, but in my production environment I run into a problem. Setting the permissions on the folders fails since the groups I created have not replicated through all 8 of my domain controllers. Can I have PowerShell work with only one of the DCs so I don't have to wait for the replication? Should I put the script to sleep for X seconds? Or is there some way to see if the groups are on all the DCs, or at least on the one I am working on?

This is how I am making the groups:

New-ADGroup -Name $Admin_GRP -path "OU=Users,OU=Sandbox,DC=test,DC=local" -GroupScope Global
New-ADGroup -Name $User_GRP -path "OU=Users,OU=Sandbox,DC=test,DC=local" -GroupScope Global

This is how I am setting the permissions on one of the folders:

#Set permissions on root directory
$ACL = Get-Acl $PathToFolder
#For Admin
$Permission = $Admin_GRP,"Write,ReadAndExecute,Synchronize,DeleteSubdirectoriesAndFiles","Allow"
$Access_Rule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
$ACL.AddAccessRule($Access_Rule)
$ACL | Set-Acl $PathToFolder
#For Users
$Permission = $User_GRP,"ReadAndExecute,Synchronize","Allow"
$Access_Rule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
$ACL.AddAccessRule($Access_Rule)
$ACL | Set-Acl $PathToFolder
A: 

Set the permission on the SID of the new group instead of its name/samaccountname.

Remko
I am getting the same error: "Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated." At :line:36 char:83 + $Admin_SID = (new-object system.security.principal.NtAccount($Admin_GRP)).translate <<<< ([system.security.principal.securityidentifier]).value"
pizzim13
Yes, you are running into the same problem here. You should read the SID from the created object (I assume $Admin_GRP is the account name and not an object).
Remko
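The following is an added example, not code from the original post, showing what this answer describes: create the groups on one named DC with -PassThru so the returned ADGroup objects carry the SID assigned at creation, then build each FileSystemAccessRule from that SecurityIdentifier rather than from a name string. NTFS stores ACEs by SID, so no name-to-SID translation (the step that failed in the comment above) is needed. The DC host name and OU path are placeholders; $Admin_GRP, $User_GRP and $PathToFolder are assumed to be set as in the question.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and the variables $Admin_GRP, $User_GRP, $PathToFolder from the question.
Import-Module ActiveDirectory

$Dc     = 'dc01.test.local'                            # placeholder: one DC, used for every AD call
$OuPath = 'OU=Users,OU=Sandbox,DC=test,DC=local'       # same OU as in the question

# -PassThru returns the created ADGroup objects; their .SID property is the
# SecurityIdentifier the DC assigned, so no lookup by name is required later.
$adminGroup = New-ADGroup -Name $Admin_GRP -Path $OuPath -GroupScope Global -Server $Dc -PassThru
$userGroup  = New-ADGroup -Name $User_GRP  -Path $OuPath -GroupScope Global -Server $Dc -PassThru

function Grant-FolderAccessBySid {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights
    )
    # Same three-argument constructor as the question, but the identity is a SID
    # object instead of "name": the file server never has to resolve the account
    # through LSA while the group is still replicating.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-FolderAccessBySid -Path $PathToFolder -Sid $adminGroup.SID `
    -Rights 'Write, ReadAndExecute, Synchronize, DeleteSubdirectoriesAndFiles'
Grant-FolderAccessBySid -Path $PathToFolder -Sid $userGroup.SID `
    -Rights 'ReadAndExecute, Synchronize'

# Verify by SID rather than by display name: until the group has replicated to the
# DC the file server talks to, the same ACE may show as an unresolved S-1-5-... string.
(Get-Acl -Path $PathToFolder).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $adminGroup.SID }
```

Two things worth knowing when reviewing the result: the ACE is correct the moment Set-Acl returns, even if Explorer displays a raw SID for a while, and users only receive the new group SID in their access token at their next logon, after the DC that authenticates them has the group and its membership. The one-DC pinning with -Server also answers the "work with only one DC" part of the question for the AD side; it does not speed up replication itself.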
A: 

I decided to use a while loop to check for the group replication.

#Wait for group replication
while ($Admin_GRP_CHK -ne 'group')
{
    # Get-ADGroup throws while the group is not yet on the DC we are talking to;
    # the trap reports the error and continues the loop instead of aborting the script
    trap { 'Admin group not replicated yet ({0}). Waiting 10 seconds.' -f $_.Exception.Message; continue }
    $Admin_GRP_CHK = (Get-ADGroup $Admin_GRP).ObjectClass
    Start-Sleep -Seconds 10
}
Write-Host 'Admin group exists'
pizzim13
In a larger AD environment it may take a while for the replication, so I think this is a bad approach.
Remko
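As an added example (not part of either poster's code), here is the bounded version of the wait the comment asks for: it queries every DC in the domain directly with -Server, reports which ones still lack the group, and gives up after a timeout instead of looping forever. It assumes the ActiveDirectory module and that $Admin_GRP holds the group's sAMAccountName as in the question; Wait-ADGroupReplicated is a name chosen for this example.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and $Admin_GRP from the question.
Import-Module ActiveDirectory

function Wait-ADGroupReplicated {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [int] $TimeoutSeconds = 600,
        [int] $PollSeconds    = 15
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    # All DCs of the current domain; each is asked directly so the answer is not
    # served by whichever DC the client happens to be bound to.
    $dcs = (Get-ADDomainController -Filter *).HostName

    do {
        $pending = foreach ($dc in $dcs) {
            try {
                $null = Get-ADGroup -Identity $Identity -Server $dc -ErrorAction Stop
            } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                $dc                              # object not on this DC yet
            } catch {
                Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
                $dc                              # unreachable DC counts as not converged
            }
        }
        if (-not $pending) { return $true }      # visible on every DC
        Write-Verbose ("'{0}' still missing on: {1}" -f $Identity, ($pending -join ', '))
        if ((Get-Date) -ge $deadline) { return $false }
        Start-Sleep -Seconds $PollSeconds
    } while ($true)
}

# Fail closed: do not start setting ACLs against a half-replicated group.
if (-not (Wait-ADGroupReplicated -Identity $Admin_GRP -Verbose)) {
    throw "Group '$Admin_GRP' did not replicate to all DCs within the timeout."
}
```

The timeout is the point of the change: with eight DCs and inter-site replication schedules, an unbounded loop like the one above can park the script for a long time, whereas a deadline turns that into an explicit failure that the operator sees and can act on. The per-DC list in the verbose output also tells you which site is lagging.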
A: 

In the past, when writing shell scripts, I've called NLTEST.EXE to point the current PC/server at a specific DC (I normally choose the PDC emulator). I can't remember which switch I used. Not sure if this will help.

Simon Catlin