0

我有一个 powershell 脚本,可以在一次运行中创建多个 Active Directory 用户。我的问题是将 ACL 权限分配给主目录。如果只有一个用户要创建,它似乎总是有效。但是,当有多个帐户时,第一个帐户之后的任何帐户都可能失败或可能工作。这是一个非常间歇性的问题,尽管它们似乎比工作失败更多。

下面是生成 ACL 的代码:

    Function CreateHomeDirectory{

$global:samAccountName = "myaccount"
$global:homeDirectory = "\\path\to\myaccount"

    New-Item -Path $global:homeDirectory -Type Directory -Force

            $Rights = [System.Security.AccessControl.FileSystemRights]::Read -bor [System.Security.AccessControl.FileSystemRights]::Write -bor [System.Security.AccessControl.FileSystemRights]::Modify -bor [System.Security.AccessControl.FileSystemRights]::FullControl
            $Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
            $Propogation = [System.Security.AccessControl.PropagationFlags]::None
            $Access = [System.Security.AccessControl.AccessControlType]::Allow
            $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($global:samAccountName,$Rights,$Inherit,$Propogation,$Access)
            $ACL = Get-Acl $global:homeDirectory
            $ACL.AddAccessRule($AccessRule)
            $Account = new-object system.security.principal.NTAccount($global:samAccountName)
            $ACL.setowner($Account)
            $ACL.SetAccessRule($AccessRule)
            Set-Acl $global:homeDirectory $ACL

            Return

这是我目前遇到的错误。它们似乎不时改变,但我想说这些是相当一致的:

    Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At H:\Scripts\Create.ps1:274 char:10
+                $ACL.AddAccessRule($AccessRule)
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

Exception calling "SetOwner" with "1" argument(s): "Some or all identity references could not be translated."
At H:\Scripts\Create.ps1:276 char:10
+                $ACL.setowner($Account)
+                ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At H:\Scripts\Create.ps1:277 char:10
+                $ACL.SetAccessRule($AccessRule)
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

在这上面花了几个小时,却一无所获。任何建议,将不胜感激。

4

1 回答 1

0

根据错误“无法翻译部分或全部身份引用。”,当您尝试使用它时,看起来目录中(或计算机连接到的目录中)仍然不存在该用户。

在尝试使用它之前,我会尝试先在目录中查找用户。$Account在使用它之前检查它的值。

于 2013-09-03T06:29:32.753 回答