Question

我有一个powershell脚本，可以在一次运行中创建多个Active Directory用户。我的问题是为主目录分配ACL权限。如果只有一个用户可以创建，它似乎总能工作。但是，如果有多个帐户，则在第一个帐户可能失败或可能有效之后。这是一个非常间歇性的问题，尽管它们似乎失败的不仅仅是工作。

以下是生成ACL的代码：

    Function CreateHomeDirectory{

$global:samAccountName = "myaccount"
$global:homeDirectory = "\\path\to\myaccount"

    New-Item -Path $global:homeDirectory -Type Directory -Force

            $Rights = [System.Security.AccessControl.FileSystemRights]::Read -bor [System.Security.AccessControl.FileSystemRights]::Write -bor [System.Security.AccessControl.FileSystemRights]::Modify -bor [System.Security.AccessControl.FileSystemRights]::FullControl
            $Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
            $Propogation = [System.Security.AccessControl.PropagationFlags]::None
            $Access = [System.Security.AccessControl.AccessControlType]::Allow
            $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($global:samAccountName,$Rights,$Inherit,$Propogation,$Access)
            $ACL = Get-Acl $global:homeDirectory
            $ACL.AddAccessRule($AccessRule)
            $Account = new-object system.security.principal.NTAccount($global:samAccountName)
            $ACL.setowner($Account)
            $ACL.SetAccessRule($AccessRule)
            Set-Acl $global:homeDirectory $ACL

            Return

以下是我目前遇到的错误。他们似乎时不时地改变，但我会说这些是非常一致的：

    Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At H:\Scripts\Create.ps1:274 char:10
+                $ACL.AddAccessRule($AccessRule)
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

Exception calling "SetOwner" with "1" argument(s): "Some or all identity references could not be translated."
At H:\Scripts\Create.ps1:276 char:10
+                $ACL.setowner($Account)
+                ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At H:\Scripts\Create.ps1:277 char:10
+                $ACL.SetAccessRule($AccessRule)
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

花了很多时间在这上面并且无处可去。任何建议将不胜感激。

Answer 1

根据错误“部分或全部身份引用无法翻译。”，当您尝试使用目录时（或计算机所连接的目录中）仍然不存在这样的用户

在尝试使用它之前，我会先尝试在目录中查找用户。在使用之前检查$Account的值。

分配AD权限时ACL错误

1 个答案: