Patrik Persson

Reputation: 193

PowerShell SetAccessRule for ACL failing

The script I've written creates a folder and security groups that are later added to the folder in question with special permissions. The problem is that the script fails on "$acl.SetAccessRule($rule_modify)" and complains about the identity.

Error: "Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."

If I run the script row by row by simply using copy/paste from ISE into a regular PowerShell window everything goes through without errors using the same location and user.

This is the important bit that isn't working.

#Get ACL list
$acl = Get-Acl -Path $Path 
$acl.SetAccessRuleProtection($false,$false)

#Add permission for modify
$set_modify = "INTRA\FIL_$($Department)_$($Group)_Modify", 'DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule_modify = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $set_modify
$acl.SetAccessRule($rule_modify)
$acl | Set-Acl $path

Upvotes: 2

Views: 9962

Answers (5)

Gerard Jaryczewski

Reputation: 1052

Another case: I got the error "Exception calling SetAccessRule..." because I had set the account without the domain, so - with the question's example - I had put .\FIL_$($Department)_$($Group)_Modify instead of INTRA\FIL_$($Department)_$($Group)_Modify.

Upvotes: 0

pegazus

Reputation: 1

Had a similar issue while creating shares on remote file servers.

At first, I'd used the proposed solution (start-sleep), but it was not good enough as it significantly increased the time consumed while processing a lot of shares.

It turns out that you may use SID while defining your ACE and operation is instant:

# Look the group up in AD and take its SID instead of the DOMAIN\name string
$TempSID = (Get-ADGroup "FIL_$($Department)_$($Group)_Modify").SID
$PermissionModify = "Write, Read, ListDirectory, ReadAndExecute, DeleteSubdirectoriesAndFiles"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagation = [System.Security.AccessControl.PropagationFlags]"None"
$Type = "Allow"

# A SecurityIdentifier needs no name-to-SID translation when the rule is applied
$modifyRule = New-Object System.Security.AccessControl.FileSystemAccessRule($TempSID, $PermissionModify, $Inherit, $Propagation, $Type)

Seems that Active Directory needs some time (in my case 2 seconds) to translate SID to the group name (in DOMAIN\groupName format).

Upvotes: 0

AmnMaddy

Reputation: 21

I had basically the same issue but with "AddAccessRule".

$Acl.AddAccessRule($Ar)

My Script failed with the above mentioned error. Just as Patrik Persson mentioned, in my case it was also because AD was slow on showing new groups and the Ar could not be added until the security group showed up in my AD.

So I added a try/catch with a do/until loop to my script, which I want to share:

$attempts = 0
do {
  $check = 'ok'
  try {
    $Acl.AddAccessRule($Ar)
  } catch [System.Management.Automation.RuntimeException] {
    # "Some or all identity references could not be translated" lands here
    $_.Exception.Message
    $check = 'error'
    $attempts++
    # Stop eventually instead of spinning forever if the group never shows up
    if ($attempts -ge 30) { throw "Security group still not resolvable after $attempts attempts" }
    Start-Sleep -Seconds 2
  }
} until (
  $check -eq 'ok'
)

So the loop continues until AD registers the security group correctly. After that the Ar is added to the acl and my script continues as expected.

Upvotes: 2
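The two ideas above (poll until AD can see the new group, then build the ACE from its SID so SetAccessRule/AddAccessRule has nothing to translate) combined into one bounded routine. This is an added example, not code from any of the posters; it assumes the ActiveDirectory module is available and that $Path, $Department and $Group are set as in the question, and the function names are my own.

```powershell
# Added example (not from the question or any answer). Assumes the
# ActiveDirectory module and that $Path, $Department and $Group are set.
function Resolve-GroupSid {
    # Poll AD until the freshly created group is visible, then return its SID.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$MaxAttempts = 15,
        [int]$DelaySeconds = 2
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            return (Get-ADGroup -Identity $SamAccountName -ErrorAction Stop).SID
        } catch {
            # Usually "Cannot find an object with identity" while the group
            # has not replicated yet; retry after a short delay.
            Write-Verbose "Attempt $attempt/$MaxAttempts failed: $($_.Exception.Message)"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    # Bounded: fail loudly rather than looping forever if the group never appears.
    throw "Group '$SamAccountName' not found after $($MaxAttempts * $DelaySeconds) seconds"
}

function Set-FolderModifyRule {
    # Same rights and inheritance as the question, but the principal is given
    # as a SecurityIdentifier, so no name-to-SID lookup happens on apply.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $rights  = [System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Sid, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($false, $false)   # keep inheriting from the parent
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$sid = Resolve-GroupSid -SamAccountName "FIL_$($Department)_$($Group)_Modify" -Verbose
Set-FolderModifyRule -Path $Path -Sid $sid
```

Until the name is resolvable on the file server, Get-Acl will display the new ACE by its raw SID; the permission itself is already in effect.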

Patrik Persson

Reputation: 193

I have found the solution: it fails because Active Directory is too slow to recognize that the security group has been created properly before it is added to the ACL.

The solution I went with was to add a 10 second sleep after the groups and folder were created, and it now works as intended.

Upvotes: 1

LeeM

Reputation: 1248

You might want to expand all the strings you're using to build your security group name into a clean variable - I find that can be touchy. Make sure that $secgroup contains the right string value when you've constructed it.

You can create the rule together with the object type on one line as well.

$secgroup = "INTRA\FIL_$($Department)_$($Group)_Modify"
$modifyRule = New-Object System.Security.AccessControl.FileSystemAccessRule($secgroup,'DeleteSubdirectoriesAndFiles, Write, ReadAndExecute, Synchronize','ContainerInherit, ObjectInherit','None','Allow')

By the way, if what you essentially want is for your users to have Modify rights on the contents without being able to delete the parent folder, it should work if you set the InheritOnly flag (I haven't tested it).

$modifyRule = New-Object System.Security.AccessControl.FileSystemAccessRule($secgroup,'Modify, Synchronize', 'ContainerInherit, ObjectInherit','InheritOnly','Allow')

Upvotes: 0
