SetAccessRule - Some or all identity references could not be translated

Time: 2019-02-20 13:13:22

Tags: powershell active-directory acl identity

I have a script that creates a directory and a group in Active Directory. Only users in the group should be able to access the directory. In most cases it works fine without any problems, but sometimes an exception occurs and I don't know why. Any idea what the problem is?

My code:

[...]

New-ADGroup -Server $adserver -Path $adpath -Description $description -Name $groupname -GroupScope DomainLocal -GroupCategory Security
New-Item -Path $dirpath -Name "$dirname" -ItemType "directory"

Start-Sleep -s 30     #wait to make sure directory is created

$dp = "$dirpath\$dirname"

$Acl = Get-Acl $dp

#fileradmingroup
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($admingroup,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$Acl.SetAccessRule($Ar) 
Set-Acl $dp $Acl

#remove inherited permissions
$Acl.SetAccessRuleProtection($true,$false) 
Set-Acl -Path $dp -AclObject $Acl

#new created group $groupname
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($groupname,"DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize","ContainerInherit,ObjectInherit","None","Allow")
$Acl.SetAccessRule($Ar)     #this is the line where the exception occurs
Set-Acl $dp $Acl

[...]

This is the exception:

Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity
references could not be translated."
At L:\Skripte\Skript2.ps1:178 char:9
+     $Acl.SetAccessRule($Ar)
+     ~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
   + FullyQualifiedErrorId : IdentityNotMappedException

1 answer:

Answer 0: (score: 0)

I recently ran into the same challenge when creating new user accounts and home directories in an environment with multiple domain controllers spread across several sites. My solution was to use the SID of the newly created account.

I changed the line that creates the group and the line that creates the access rule. The Start-Sleep is not needed, and I have commented it out.

I hope it works in your case.

$NewGroup = New-ADGroup -Server $adserver -Path $adpath -Description $description -Name $groupname -GroupScope DomainLocal -GroupCategory Security -PassThru
New-Item -Path $dirpath -Name "$dirname" -ItemType "directory"

#Start-Sleep -s 30     #wait to make sure directory is created

$dp = "$dirpath\$dirname"

$Acl = Get-Acl $dp

#fileradmingroup
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($admingroup,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$Acl.SetAccessRule($Ar) 
Set-Acl $dp $Acl

#remove inherited permissions
$Acl.SetAccessRuleProtection($true,$false) 
Set-Acl -Path $dp -AclObject $Acl

#new created group $groupname
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($NewGroup.SID,"DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize","ContainerInherit,ObjectInherit","None","Allow")
$Acl.SetAccessRule($Ar)     #this is the line where the exception occurred before switching to the SID
Set-Acl $dp $Acl
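Putting the answer's SID approach into a reusable form (an added example, not the answerer's or asker's code): it takes the SID object that New-ADGroup -PassThru returns, cuts inheritance before any explicit rules are written, writes the DACL once, and reads it back to confirm the group entry landed and nothing is still inherited. $dp, $NewGroup and $admingroup are the variables from the thread; the function name and the PowerShell 5.1 ::new() constructor syntax are my assumptions.

```powershell
function Set-GroupFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $GroupSid,
        [Parameter(Mandatory)] [string] $AdminGroup
    )

    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path $Path

    # Cut inheritance before adding explicit rules, so the folder is never
    # written with the inherited entries still present alongside the new ones.
    $acl.SetAccessRuleProtection($true, $false)

    # The admin group is long-established, so resolving it by name is safe;
    # doing it explicitly up front makes a typo fail here rather than in Set-Acl.
    $adminSid = ([System.Security.Principal.NTAccount] $AdminGroup).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $adminRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $adminSid, 'FullControl', $inherit, $prop, $allow)

    # The new group is passed as a SID object, so SetAccessRule never asks a
    # domain controller to translate a name that may not have replicated yet
    # (the IdentityNotMappedException in the question).
    $groupRights = [System.Security.AccessControl.FileSystemRights] `
        'DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize'
    $groupRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $GroupSid, $groupRights, $inherit, $prop, $allow)

    $acl.SetAccessRule($adminRule)
    $acl.SetAccessRule($groupRule)
    Set-Acl -Path $Path -AclObject $acl

    # Verify by reading the DACL back as raw SIDs (no name lookup needed):
    # inheritance must be off and the group's SID must be present.
    $check    = Get-Acl -Path $Path
    $sidRules = $check.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hasGroup = @($sidRules | Where-Object { $_.IdentityReference.Value -eq $GroupSid.Value }).Count -gt 0
    return ($check.AreAccessRulesProtected -and $hasGroup)
}

# Usage with the thread's variables; returns $true when the folder ACL is as intended.
Set-GroupFolderAcl -Path $dp -GroupSid $NewGroup.SID -AdminGroup $admingroup
```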