AD not replicating new group so I can give it access to a folder

I hope you can help me with this issue. Simply can't seem to find any solution for it.

The Error:

Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."

I start out by creating the group:

Try {
    Get-ADGroup -Identity $modifyGroup
} Catch {
     New-ADGroup -Name $modifyGroup -GroupCategory Security -GroupScope Universal -Path $OU -ManagedBy $manager -Credential $adCred
}

Then I invoke onto my file server and create the folder; this works fine. After that, I make a new Invoke where I want to grant the access to the group.

Invoke-Command -ComputerName $hostname -ScriptBlock {
    # Remote scriptblock only sees what -ArgumentList passes in, so $path must be passed too
    $modifyGroup = $args[0];
    $path = $args[1];

    $acl = Get-ACL -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($modifyGroup, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-ACL -Path $path -AclObject $acl
} -ArgumentList $modifyGroup, $path -Credential $serverCred

I have looked into the Sync-ADObject command; it doesn't seem to work because then I need to know which Domain Controller I am currently connected to, and which one the server I am invoking into is connected to. So that didn't work. I also looked into the option of using the "SID" of the new group. That doesn't work either; I get the same error. Hopefully someone here has a suggestion :)

TIA

Upvotes: 0

Views: 104

Answers (1)

Mathias R. Jessen

Reputation: 174485

I need to know which Domain Controller I am currently connected to

This first part is easy - you can simply contact a specific domain controller when calling New-ADGroup with the -Server parameter:

Try {
    Get-ADGroup -Identity $modifyGroup
} Catch {
    $sourceDC = Get-ADDomainController
    $newGroup = New-ADGroup -Name $modifyGroup -Server $sourceDC -GroupCategory Security -GroupScope Universal -Path $OU -ManagedBy $manager -Credential $adCred -PassThru
}

and which the server I am Invoking into, is connected to

You could fetch the value of the %LOGONSERVER% environment variable from the remote machine to get the destination DC (it's always in UNC form, e.g. \\DC-01, so we need to trim the leading \'s):

$destinationDC = Invoke-Command -ComputerName $hostname { $env:LOGONSERVER.TrimStart('\') }

At which point you can use Sync-ADObject:

Try {
    Get-ADGroup -Identity $modifyGroup
} Catch {
    $sourceDC = Get-ADDomainController
    $newGroup = New-ADGroup -Name $modifyGroup -Server $sourceDC -GroupCategory Security -GroupScope Universal -Path $OU -ManagedBy $manager -Credential $adCred -PassThru
    $destinationDC = Invoke-Command -ComputerName $hostname { $env:LOGONSERVER.TrimStart('\') }

    Sync-ADObject -Object $newGroup -Source $sourceDC -Destination $destinationDC
}

Upvotes: 1
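Putting the answer's pieces together, as an added example that is not the question's or answer's own code: the group is created against one known DC, replicated to the DC the file server authenticated against, and the ACE is then written using a SecurityIdentifier object rather than a name, so the remote host never has to translate the new group (a SID passed as a string would be treated as an account name and fail the same way). Group name, OU, server and folder are assumptions.

```powershell
# Added example, not the question's or answer's own code. Assumed names: group
# 'FS-Project-Modify', OU 'OU=FileShareGroups,DC=example,DC=com', server FS01,
# folder D:\Shares\Project.
Import-Module ActiveDirectory

function Grant-NewGroupModify {
    param(
        [string]$GroupName, [string]$OU, [string]$FileServer, [string]$Path,
        [pscredential]$AdCred, [pscredential]$ServerCred
    )
    # Pin every AD read/write to one DC so we know where the object was created.
    $sourceDC = (Get-ADDomainController).HostName
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $sourceDC -Credential $AdCred
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Universal `
            -Path $OU -Server $sourceDC -Credential $AdCred -PassThru
    }

    # The file server resolves names through the DC that authenticated it.
    $destinationDC = Invoke-Command -ComputerName $FileServer -Credential $ServerCred {
        $env:LOGONSERVER.TrimStart('\')
    }
    if ($destinationDC -ne ($sourceDC -split '\.')[0]) {
        Sync-ADObject -Object $group -Source $sourceDC -Destination $destinationDC
    }

    # Hand the SID (not a name) to the remote side: a SecurityIdentifier object is
    # written into the DACL as-is, so the ACE does not depend on name translation.
    # $Path is passed explicitly; the remote scriptblock cannot see local variables.
    Invoke-Command -ComputerName $FileServer -Credential $ServerCred `
        -ArgumentList $group.SID.Value, $Path -ScriptBlock {
        param([string]$SidString, [string]$Path)
        $sid  = [System.Security.Principal.SecurityIdentifier]$SidString
        $acl  = Get-Acl -Path $Path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
        # Verify the ACE landed, comparing by SID so an unreplicated name cannot hide it.
        (Get-Acl -Path $Path).GetAccessRules($true, $false,
            [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $sid.Value }
    }
}

Grant-NewGroupModify -GroupName 'FS-Project-Modify' -OU 'OU=FileShareGroups,DC=example,DC=com' `
    -FileServer 'FS01' -Path 'D:\Shares\Project' -AdCred $adCred -ServerCred $serverCred
```

Until replication reaches the file server's DC, the new ACE shows as a raw SID in the folder's security tab; the returned rule confirms it is present regardless.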
