Solved

C# folder ACL process and adding user to groups dies with "Some or all identity references could not be translated"

Posted on 2010-09-02
1
1,124 Views
Last Modified: 2013-12-14
I think I know what's happening but I'm not sure of a work around...

I'm building a C# application to import 1000's of users, add them to their groups, create their homefolder and assigning rights to the folder.

In my test lab, it worked great with no errors.  Once I put this in a real world situation it failed, because I think it was due to multiple domain controllers not knowing about the user immediately after inserting it into AD.

The reason I say this is because when I re-run the application even though it threw an error before, the second time through it works just fine because the user had a chance to sync in the AD environment and it was found the second time through.

The fields below are as follows:
           szAccount = "domain\username"
            szFileName = "\\fileserver\share\username"
        // Adds an ACL entry on the specified directory for the specified account. 
        public static void AddDirectorySecurity(string szFileName, string szAccount, FileSystemRights szRights,
                                                InheritanceFlags ifInheritance, PropagationFlags pfPropogation,
                                                AccessControlType aclControlType)
        {
            // Create a new DirectoryInfo object. 
            DirectoryInfo dInfo = new DirectoryInfo(szFileName);
            // Get a DirectorySecurity object that represents the  
            // current security settings. 
            DirectorySecurity dSecurity = dInfo.GetAccessControl();
            // Add the FileSystemAccessRule to the security settings.  
            dSecurity.AddAccessRule(new FileSystemAccessRule(szAccount,
                                                             szRights,
                                                             ifInheritance,
                                                             pfPropogation,
                                                             aclControlType));
            // Set the new access settings. 
            dInfo.SetAccessControl(dSecurity);
        } 

Open in new window


I found a reference to someone using a SID mapping instead of an account name but I still don't see how that would work if the 2nd call happens to be to a domain controller that doesn't know about the user yet...?  I also couldn't seem to get the SID call with the above function working at all....

Any ideas out there?
0
Comment
Question by:sej69
1 Comment
 

Accepted Solution

by:
sej69 earned 0 total points
ID: 33606760
It turns out that using the SID instead of the username did take care of this problem.  From what I can tell, it places the SID on the folder without validation to AD so that's why it works.  I think this is the case since when the SID was applied on the folder and I looked at the properties quickly after creating it, then it showed the SID and not the user.  Within a few moments the username then showed in the properties of the folder.

This technique did not seem to work for adding users to groups though.  For that I ended up waiting until the very end then process group membership after all the users were created.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article introduced a TextBox that supports transparent background.   Introduction TextBox is the most widely used control component in GUI design. Most GUI controls do not support transparent background and more or less do not have the…
Performance in games development is paramount: every microsecond counts to be able to do everything in less than 33ms (aiming at 16ms). C# foreach statement is one of the worst performance killers, and here I explain why.
The viewer will learn how to use NetBeans IDE 8.0 for Windows to connect to a MySQL database. Open Services Panel: Create a new connection using New Connection Wizard: Create a test database called eetutorial: Create a new test tabel called ee…
THe viewer will learn how to use NetBeans IDE 8.0 for Windows to perform CRUD operations on a MySql database.

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now