citpaj (Canada) asked:
ICACLS "No mapping between account names and security IDs was done"

I've been using ICACLS for a number of years, without problems. When I use it to add / change / remove permissions for one particular Domain security group, the command returns the following:
 
ICACLS "No mapping between account names and security IDs was done"

All other domain and local security groups and user accounts are fine, using the same syntax of domain name\<group name>.

Note that I checked that the group contains no deleted user accounts, which might (possibly) cause a SID mapping issue.

When I use the GUI to make the permissions changes for that group everything works just fine.

Is there a solution anyone can offer?

Thanks.

Paul.
Shaun Vermaak (Australia):
Just a suggestion...

I would use SetACL because you can alter permissions, even when SIDs cannot be resolved
https://helgeklein.com/setacl/
citpaj (ASKER):
Thanks Shaun.  Just for giggles I tried it and I get a similar message "SetACL error message: The SID for a trustee could not be found."

I appreciate this was just a suggestion, and thanks for that, but (although SetACL is free) I don't like building administrative scripts around utilities that may become no longer supported.  Sorry.

Paul.
Possibly a deleted account or group.

If you create a user, it has an associated SID. This SID is part of each ACL placed on an object in the file system. If a user is deleted, then the SID remains in the ACL, and Explorer or a command-line tool can only see the raw SID, since it no longer relates to a user. It looks like this:

[image: an ACL entry showing an unresolved SID in place of an account name]
When you are specifying the name of the group in ICacls, what name are you providing? The name of any user or group must use the Pre-Windows 2000 name (SamAccountName) value, and not the AD directory name, or any other name, as these utilities have nothing to do with using Active Directory functions.

You can also get this error if the domain cannot be resolved locally by the computer, ie if you were to just make up a domain name, or use a made up user name in the command, you will get the same error.
Could it be you have a group name with blanks in it? If so, enclose the name in ""
ASKER CERTIFIED SOLUTION
Shaun Vermaak (Australia)
citpaj (ASKER):
Shaun.

This did indeed turn out to be the best solution. I tried Powershell and WMIC. I tried ICACLS and CACLS, and then some. All had difficulty translating the user ID to its SID. SetACL had no difficulty after I looked the SID up manually and used the SID in the command. Thanks.

Paul.
You still need to determine why this happened, as you were either entering an invalid name/format to these utilities (and they were unable to look up the SID from the name), or the domain/name is not resolvable by the client. Entering the SID directly can get around the name resolution issues, but when you then look at the resulting security descriptor on a client, it in turn has to do the opposite and look up the name that goes with the SID.

Most likely, the name you were entering for the utilities was not formatted correctly, but without the actual example of what was being entered, there isn't any way for a true solution to this problem.
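The two lookups Kevin describes (name to SID when the ACL is written, SID back to name when the security descriptor is displayed) are the same calls that ICACLS makes through the local security subsystem, so they can be exercised directly from PowerShell to see which side fails. The script below is an added example, not code from this thread or from any of the tools it mentions: it translates the exact account string being passed to ICACLS, compares it with the sAMAccountName and objectSid stored in AD, and, if the name still will not map, grants the permission by SID using the `*S-1-...` form that ICACLS accepts. The domain name, group name and path are the ones the asker posted and stand in for whatever values apply in your environment; the function names are hypothetical.

```powershell
# Added example (not from the original thread): diagnose why ICACLS cannot map an
# account name to a SID, and fall back to the SID-based icacls syntax.
# Domain, group and path values below come from the thread and are placeholders.

function Resolve-AccountSid {
    param(
        [Parameter(Mandatory)][string]$Domain,   # NetBIOS or DNS domain name, as typed into icacls
        [Parameter(Mandatory)][string]$Name      # must be the sAMAccountName (Pre-Windows 2000 name)
    )
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $Name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Account = "$Domain\$Name"; Sid = $sid.Value; Resolved = $true; Error = $null }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Same condition ICACLS reports as "No mapping between account names and security IDs was done":
        # the client cannot reach/resolve the domain, or the name is not a valid sAMAccountName there.
        [pscustomobject]@{ Account = "$Domain\$Name"; Sid = $null; Resolved = $false; Error = $_.Exception.Message }
    }
}

function Resolve-SidAccount {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $identity.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # The reverse failure: this is the orphaned SID Explorer shows after an account is deleted.
        "<unresolved: $Sid>"
    }
}

# 1. Translate the name exactly as it is being given to icacls.
$check = Resolve-AccountSid -Domain 'ourdomain.corp' -Name 'IT Integrated Solutions_GS'
$check | Format-List

# 2. Compare with what AD actually holds for the group (plain [ADSI] searcher; no RSAT module needed).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=group)(name=IT Integrated Solutions_GS))'
$null = $searcher.PropertiesToLoad.AddRange(@('samaccountname', 'objectsid'))
$result = $searcher.FindOne()
if ($result) {
    $sidBytes = $result.Properties['objectsid'][0]
    $adSid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
    "AD sAMAccountName : $($result.Properties['samaccountname'][0])"   # must equal the name used above
    "AD objectSid      : $adSid"
    "Reverse lookup    : $(Resolve-SidAccount -Sid $adSid)"             # what the GUI will display later
}

# 3. If the name still does not map but AD returned the SID, icacls takes the SID directly
#    when it is prefixed with '*', so no name-to-SID lookup happens on this client.
if (-not $check.Resolved -and $result) {
    & icacls.exe 'D:\TR\Admin' /grant "*${adSid}:R" /t
}
```

If step 1 fails while step 2 succeeds, the client can reach AD but the string passed to icacls is not the sAMAccountName (or the domain prefix is not one the client can resolve), which is exactly the situation Kevin describes. If step 2 also fails, the search itself is not reaching the domain and no permission tool on that host will resolve the name. Step 3 only writes the ACE once the SID has been confirmed from AD rather than typed by hand, so a mistyped SID cannot end up granting access to the wrong principal.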
citpaj (ASKER):
Kevin.

I'm more than happy to share the ICACLS example I was using, if it will help shed some light. I like to stick to the Microsoft utilities where possible. The syntax I was using (running on a Domain member server under a Domain Admin account, using run-as Administrator):

icacls D:\TR\Admin /grant "ourdomain.corp\IT Integration Solutions_GS":R /t

I can use the same syntax for any other security group in our Domain, and on any other workstation or server (domain members)  and it works.

Paul.
One thing that caught my eye are the spaces in the name of the group, and the length being > 20 characters.  I created a group with the same name on a local system and once I enclosed the group name in quotes, it worked.  But there are multiple versions of ICacls too.

If you look at the group in ADUC, make sure your SamAccountName (Pre-Windows 2000 name) matches this name. If it does, and there are no misspellings, then about the only thing it could be would be the length being an issue with the version of ICacls you have.
citpaj (ASKER):
Kevin.

I checked sAMAccountName, and it is same as this name (IT Integrated Solutions_GS).

I also tried using ICACLS with a longer Domain group name, complete with spaces, and it worked fine.

I tested SUBINACL with the 'faulty' group name and it returned a similar error to ICACLS. I substituted the group name with its SID, and SUBINACL worked fine.

So I've two solutions for now, using the SID: SetACL and SUBINACL.

That will be enough for me to complete this task.

Thanks.
Paul.
Good enough. Weird.