
Issues With New-ADGroup, Set-ACL and Network Folders
<p>I'm playing with some PowerShell code to dynamically generate AD security groups and then apply them to folders on a network share, but having issues with resolving the newly created group.</p>
<p>Consider this:</p>
<pre><code>Import-Module ActiveDirectory
for ($i = 0; $i -lt 10; $i++) {
    $group = New-ADGroup -Path "OU=Groups,OU=Department,DC=Domain,DC=Network" -Name "z-test-group-$i" -GroupScope DomainLocal -GroupCategory Security -PassThru
    $acl = Get-Acl C:\Temp
    $permission = $group.SID,"FullControl","Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl C:\Temp
}
</code></pre>
<p>Which works fine.</p>
<p>However, if I change the folder to a network folder, such as G:\Temp, or \\domain.network\DFS\GroupShare\Temp, I get a 'Method failed with unexpected error code 1337'.</p>
<p>I tried using SetACL.exe and received a similar error:</p>
<pre><code>C:\Temp\SetACL.exe -on "\\domain.network\dfs\GroupShare\Temp" -ot file -actn ace -ace "n:$GroupSID;p:full;s:y"

SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed
Operating system error message: The security ID structure is invalid.
INFORMATION: Processing ACL of: &lt;\\?\UNC\domain.network\dfs\GroupShare\Temp&gt;
</code></pre>
<p>If I wait say 10 to 20 seconds, and run the Set-ACL (or SetACL.exe) portion of the code again, it completes successfully.</p>
<p>At first I thought this was related directly to the domain controllers (4 of them, which are a mix of 2003 and 2008 R2), but the fact that it worked fine on local folders was intriguing (and annoying).</p>
<p>I did a Wireshark trace during the execution of the code on a local folder and then a network folder. The main difference is when trying to apply the ACLs to the network folder I see LDAP lookups and (amongst other things) the following SMB response:</p>
<pre><code>NT Trans Response, FID: 0x0040, NT SET SECURITY DESC, Error: STATUS_INVALID_SID
</code></pre>
<p>Which I assume is what causes my Set-ACL command to fail.</p>
<p>The underlying network filesystem is EMC Celerra 6.0.xx. I am very unfamiliar with this technology; however, from what I understand it holds some kind of SID cache, which would explain the above error (it doesn't yet know of the new group even though AD does).</p>
<p>So I guess there are two questions:</p>
<ol>
<li>Is there any way around this (PowerShell/C# etc.) that doesn't involve sleeping/waiting? I.e., set the ACL even though the SID is invalid?</li>
<li>If EMC Celerra is the issue (I assume it is), is there any way I can force it to update its 'SID cache' or whatever it may be?</li>
</ol>
<p>I have <a href="http://social.technet.microsoft.com/Forums/sv/winserverpowershell/thread/23d36485-3db7-4105-9b8b-e68c1208f15e" rel="nofollow noreferrer">read</a> <a href="https://stackoverflow.com/questions/3859969/powershell-script-failing-becuase-ad-objects-have-not-replicated-soon-enough">various</a> <a href="http://www.remkoweijnen.nl/blog/2011/09/02/settings-ntfs-permissions-by-sid-in-powershell/" rel="nofollow noreferrer">articles</a> about this issue, but none seem to have an effective resolution (or work for me).</p>
<p>Thanks for your help.</p>
<p>Rhys.</p>
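The failure mode described in the post (the file server rejecting the ACE with STATUS_INVALID_SID until it can resolve the freshly created group's SID, then accepting it 10 to 20 seconds later) is handled below with a bounded retry instead of a fixed sleep. This is an added example, not the asker's script: the OU path, share path and group name are placeholders, `Set-FolderAceWithRetry` is a hypothetical helper name, and it still waits; it only caps how long and fails loudly instead of leaving the folder half-configured.

```powershell
# Added example: apply an ACE for a newly created AD group to a network folder,
# retrying with exponential backoff while the file server cannot yet resolve the SID.
Import-Module ActiveDirectory

function Set-FolderAceWithRetry {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid,
        [string] $Rights = 'FullControl',
        [int] $MaxAttempts = 6,          # 5+10+20+40+60 s of waiting at most before giving up
        [int] $InitialDelaySeconds = 5
    )
    # Inherit to child folders and files, as a share-level permission normally should.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $delay = $InitialDelaySeconds

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # Re-read the ACL on every attempt so a concurrent change is not overwritten.
            $acl = Get-Acl -LiteralPath $Path
            $acl.SetAccessRule($rule)
            # -ErrorAction Stop turns the 'Method failed with unexpected error code 1337'
            # non-terminating error into an exception the catch block can handle.
            Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop
            Write-Verbose "ACE for $Sid applied to $Path on attempt $attempt"
            return $true
        } catch {
            if ($attempt -eq $MaxAttempts) {
                throw "Giving up on $Path after $MaxAttempts attempts: $($_.Exception.Message)"
            }
            Write-Warning "Attempt ${attempt} failed ($($_.Exception.Message)); retrying in ${delay}s"
            Start-Sleep -Seconds $delay
            $delay = [Math]::Min($delay * 2, 60)
        }
    }
}

# Usage (placeholders): create the group, then apply its SID to the share folder.
$group = New-ADGroup -Path 'OU=Groups,OU=Department,DC=Domain,DC=Network' -Name 'z-test-group-0' `
    -GroupScope DomainLocal -GroupCategory Security -PassThru
Set-FolderAceWithRetry -Path '\\domain.network\DFS\GroupShare\Temp' -Sid $group.SID -Verbose
```

Because the retry re-reads the ACL each time, the same function can be pointed at the local `C:\Temp` case from the post, where it succeeds on the first attempt.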