将安全组添加到文件夹问题/ System.Security.Principal.IdentityNotMappedException：

Question

I am struggling with strange issue and I wonder if some one can help me please. At some point of my program I like to add security groups with appropriate permissions to folder. Steps look like that.

1. Create Folder
2. Create Domain Local Security Group
3. Create Global Security group
4. Add Global Group to local group
5. Add Domain Local security group to folder "\\domain\\dfs\\folder"

I got below piece of code to do this from Microsoft page

 public static void AddDirectorySecurity(string DirectoryName, string Group, FileSystemRights Rights, InheritanceFlags iFlag, PropagationFlags pFlag, AccessControlType ControlType)
{
    // Create a new DirectoryInfo object.
    DirectoryInfo dInfo = new DirectoryInfo(DirectoryName);

    // Get a DirectorySecurity object that represents the  
    // current security settings.
    DirectorySecurity dSecurity = dInfo.GetAccessControl();

    // Add the FileSystemAccessRule to the security settings. 
    dSecurity.AddAccessRule(new FileSystemAccessRule(Group,Rights,iFlag,pFlag,ControlType));

    // Set the new access settings.
    dInfo.SetAccessControl(dSecurity); // 

}

procedure of adding looks like that:

path = @"\\domain\dfs\folder"

gRDL_RW = "RDL-group-RW"

    AddDirectorySecurity(path, gRDL_RW, FileSystemRights.Modify, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);

It is working fine in my test environment but when I like to run it in production environment I am getting error:

************** Exception Text **************
System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
at System.Security.Principal.NTAccount.Translate(Type targetType)
at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
at Program_dev_1.Form1.button1_Click(Object sender, EventArgs e) in  c:\Users\?????????\Documents\Visual Studio 2012\Projects\brite_dev_1\brite_dev_1\Form1.cs:line 191
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Is it a problem with "Admin rights"? I have God like permissions in production environment. So what is going on?

I have feeling that for some reason all those user friendly names such as "FileSystemRights.Modify" can not be translated. I check locale on test and prod environment and both are this same.

Is it possible to use raw numbers that are hiding behind those user friendly names?

Maybe there is a other way to add security groups to folder? All I really like to have is a working solution.

Answer 1

Application was crushing when groups were tried to be add to folder because newly created groups were not know to all domain controllers immediately. I had to create procedure that check if newly create groups have been synchronized across whole estate before progressing with the rest of the code. It is not possible or I could not find a method of specifying domain controller used when adding groups to folder permission.