ICACLS.exe inconsistencies

On a Windows Server 2008 R2 system, we heavily use ICACLS.exe within a sizeable command-line batch file script for creating dedicated security groups, creating a specific folder tree, and assigning very specific NTFS permissions to numerous folders within the tree.

The first iteration of the script used XCACLS.vbs, which was very effective, but very slow.  Each use of XCACLS.vbs in the script could take anywhere from 0.25 seconds to more than 120 seconds to complete depending on network and server load factors at the time the script was run.  The script contains approximately 75 separate commands to set specific, granular ACL entries on individual folders.

When we upgraded to Windows Server 2008 R2, we discovered the hard way that XCACLS.vbs doesn't support the newer OS, so we revamped the script to use ICACLS.exe, which turned out to be far, FAR faster anyway.

However, we have come across some odd, inconsistent anomalies when using the script.  Every now and then, we'll discover that some ACLs were not changed after the script has completed.  We generally try to keep an eye on the script results to ensure that "Failed processing 1 files" doesnt appear, and we've confirmed that the results report successful processing even though some permissions are not set according to the scripting.

The biggest point here is that it is NOT consistent.  It correctly sets all of the specified permissions most of the time, and every now and then we find folders that are missing specified permissions.  We've gone through the scripting very carefully, and cannot cause the issue to occur when stepping through.

Is anyone aware of an issue with ICACLS.exe that may account for this?
Is it possible that the script may be processing so quickly that ICACLS actually misses a few steps along the way?
Is it possible that the script may be processing so quickly that the server cannot keep up with the changes and drops a few steps?
(These last two questions are hard to believe they might be true, but we're grasping at straws here...)

We're aware the scripting could be re-written using PowerShell, but the learning curve could be prohibitively steep.  Is there an alternative command-line utility to ICACLS.exe that might be more reliable?

Any information or suggestions would be greatly appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dimarc67Author Commented:
Completed some more testing, and discovered that the ICACLS results DO report the processing failures.  They were so early in the script results that they were missed before now.

The error is the standard "No mapping between account names and security IDs was done."  

This may narrow the question considerably.  Immediately prior to setting the folder permissions with ICACLS.exe, the script creates the dedicated security groups to add to the ACLs (using DSADD).  

Is it possible that the new groups may sometimes not be propagating fast enough to be found by the ICACLS commands attempting to assign them to the ACLs??
Dimarc67Author Commented:
Using ERRORLVEL result codes, I've confirmed with a "DSGET | Find" combination command that the new groups are immediately available for reference in Active Directory after they are created with DSADD.

ICACLS.exe does not seem to support ERRORLEVEL result codes, so I'll have to determine a manual test after each command to determine if it was successful, and to retry if it's not.

Any additional information or suggestions would be greatly appreciated.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dimarc67Author Commented:
No direct error handling solution for ICACLS.exe could be identified.

Several seemingly unrelated updates were made to the batch scripting:
--cleaning up the resultant output text by redirecting all ICACLS.exe, DSADD, and DSMOD command output to 'nul'.
--adding folder existance confirmation ("if not exist") and security group existance confirmation ("dsget | find" with errorlevel checking) sub-routines, jumping out of the script if they don't exist.
--formatting echo'ed output for successful and unsuccessful operations.

Subsequent testing of the script could not reproduce the previously experienced inconsistencies.  While there is no apparent indicators, it may be subjectively attributed to network, server, or storage activity loads at the time the script was run.  Only time will tell.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Office

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.