Tags: powershell, active-directory, acl, identity

SetAccessRule - Some or all Identity references could not be translated


I have a script that creates a directory and a group in Active Directory. Only users in the group will have access to the directory. Most of the time it works just fine without any problems, but sometimes I get an Exception and I don't know why. Any ideas what the problem is?

My code:

[...]

New-ADGroup -Server $adserver -Path $adpath -Description $description -Name $groupname -GroupScope DomainLocal -GroupCategory Security
New-Item -Path $dirpath -Name "$dirname" -ItemType "directory"

Start-Sleep -s 30     #wait to make sure directory is created

$dp = "$dirpath\$dirname"

$Acl = Get-Acl $dp

#fileradmingroup
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($admingroup,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$Acl.SetAccessRule($Ar) 
Set-Acl $dp $Acl

#remove inherited permissions (disable inheritance, do not keep the inherited entries)
$Acl.SetAccessRuleProtection($true,$false) 
Set-Acl -Path $dp -AclObject $Acl

#new created group $groupname
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($groupname,"DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize","ContainerInherit,ObjectInherit","None","Allow")
$Acl.SetAccessRule($Ar)     #this is the line where the exception occurs
Set-Acl $dp $Acl

[...]

And here is the Exception:

Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity
references could not be translated."
At L:\Skripte\Skript2.ps1:178 char:9
+     $Acl.SetAccessRule($Ar)
+     ~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
   + FullyQualifiedErrorId : IdentityNotMappedException

Solution

  • I had the same kind of challenge recently when creating new user accounts and home directories in an environment with lots of domain controllers spread over multiple sites. My solution was to use the SID of the newly created account.

    I changed the line where the group is created and the line where the access rule is created. The Start-Sleep should not be needed and is commented out.

    I hope it works in your situation.

    $NewGroup = New-ADGroup -Server $adserver -Path $adpath -Description $description -Name $groupname -GroupScope DomainLocal -GroupCategory Security -PassThru
    New-Item -Path $dirpath -Name "$dirname" -ItemType "directory"
    
    #Start-Sleep -s 30     #wait to make sure directory is created
    
    $dp = "$dirpath\$dirname"
    
    $Acl = Get-Acl $dp
    
    #fileradmingroup
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($admingroup,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $Acl.SetAccessRule($Ar) 
    Set-Acl $dp $Acl
    
    #remove inherited permissions (disable inheritance, do not keep the inherited entries)
    $Acl.SetAccessRuleProtection($true,$false) 
    Set-Acl -Path $dp -AclObject $Acl
    
    #new created group $groupname, referenced by SID so no name translation is needed
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($NewGroup.SID,"DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize","ContainerInherit,ObjectInherit","None","Allow")
    $Acl.SetAccessRule($Ar)     #no longer throws: the rule carries a SID, not a name to look up
    Set-Acl $dp $Acl
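The answer above works because the `FileSystemAccessRule` constructor has a `SecurityIdentifier` overload: the string overload used in the question wraps the name in an `NTAccount`, and `SetAccessRule` then asks the local LSA to translate it, which fails with `IdentityNotMappedException` whenever the domain controller the file server happens to query has not replicated the new group yet. The following added example (not code from the question or the answer) generalizes that idea: every ACE is built from a SID, inheritance is removed only after an explicit admin entry exists, the whole ACL is written in a single `Set-Acl`, and the result is read back by SID and checked. The variables `$adServer`, `$adPath`, `$dirPath`, `$dirName`, `$groupName` and `$adminGroup` are caller-supplied placeholders, and the function names are my own.

```powershell
# Added example: SID-based ACL construction with a read-back check.
# All variable values below are placeholders supplied by the caller.

function New-SidAccessRule {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights
    )
    # The SecurityIdentifier overload stores the SID as-is; nothing has to be
    # resolved against a domain controller, so replication lag cannot break it.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Sid,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Test-SidTranslates {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    # $true once this host can resolve the SID to DOMAIN\name, i.e. once the DC
    # it uses knows the object. A diagnostic for the lag behind the exception,
    # not a prerequisite for writing the ACL.
    try {
        [void]$Sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        return $false
    }
}

function Set-GroupRestrictedDirectoryAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$AdminSid,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$GroupSid
    )
    $acl = Get-Acl -Path $Path

    # Explicit admin ACE first: after inheritance is removed, explicit entries
    # are all that remain, so an admin entry must already be there or the
    # directory can only be recovered by taking ownership.
    $acl.SetAccessRule((New-SidAccessRule -Sid $AdminSid -Rights FullControl))

    # Disable inheritance and drop (not copy) the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)

    $groupRights = [System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize'
    $acl.SetAccessRule((New-SidAccessRule -Sid $GroupSid -Rights $groupRights))

    # One write: there is no intermediate state on disk in which inheritance
    # is already gone but the group entry is still missing.
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DirectoryAclMatches {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier[]]$ExpectedSids
    )
    # Read the ACL back by raw SID (requesting NTAccount here would itself throw
    # IdentityNotMappedException for an unreplicated SID) and confirm that
    # inheritance is off and exactly the expected principals hold ACEs.
    $acl = Get-Acl -Path $Path
    $present = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    $expected = $ExpectedSids | ForEach-Object { $_.Value } | Sort-Object -Unique
    return $acl.AreAccessRulesProtected -and
           (-not (Compare-Object -ReferenceObject $expected -DifferenceObject $present))
}

# Usage, following the answer's -PassThru approach; all values are placeholders.
$newGroup = New-ADGroup -Server $adServer -Path $adPath -Name $groupName `
    -GroupScope DomainLocal -GroupCategory Security -PassThru
$dir = New-Item -Path $dirPath -Name $dirName -ItemType Directory

$groupSid = [System.Security.Principal.SecurityIdentifier]$newGroup.SID
# $adminGroup is an existing, long-replicated group, so translating its name is safe.
$adminSid = ([System.Security.Principal.NTAccount]$adminGroup).Translate(
    [System.Security.Principal.SecurityIdentifier])

Set-GroupRestrictedDirectoryAcl -Path $dir.FullName -AdminSid $adminSid -GroupSid $groupSid

if (-not (Test-DirectoryAclMatches -Path $dir.FullName -ExpectedSids @($adminSid, $groupSid))) {
    throw "ACL on $($dir.FullName) does not match the intended principals"
}
if (-not (Test-SidTranslates -Sid $groupSid)) {
    Write-Warning "Group SID $groupSid is not resolvable from this host yet; the ACE is valid and will show as a raw SID until replication completes."
}
```

Two points are worth keeping in mind when adapting this. Referencing the new group by SID also avoids a quieter failure mode of name lookups: if a same-named account exists in a trusted domain or locally, a name-based rule can silently grant the wrong principal, whereas the SID returned by `-PassThru` is unambiguous. And reading the ACL back with `SecurityIdentifier` as the target type is what makes the verification robust; asking for `NTAccount` reintroduces the very translation that failed in the question.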