
ACL Error when assigning AD Rights

I have a powershell script that can create multiple Active Directory users in one run. My issue is assigning ACL rights to the home directory. It seems to always work if there is only one user to create. When there are multiple, however, any account after the first may fail or may work. It's a very intermittent issue, although they seem to fail more than work.

Here is the code generating the ACL's:

    Function CreateHomeDirectory {

        # Account and home directory for the user being created
        $global:samAccountName = "myaccount"
        $global:homeDirectory  = "\\path\to\myaccount"

        New-Item -Path $global:homeDirectory -Type Directory -Force

        # Build the access rule: full control, inherited by subfolders and files
        $Rights      = [System.Security.AccessControl.FileSystemRights]::Read -bor [System.Security.AccessControl.FileSystemRights]::Write -bor [System.Security.AccessControl.FileSystemRights]::Modify -bor [System.Security.AccessControl.FileSystemRights]::FullControl
        $Inherit     = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
        $Propagation = [System.Security.AccessControl.PropagationFlags]::None
        $Access      = [System.Security.AccessControl.AccessControlType]::Allow
        $AccessRule  = New-Object System.Security.AccessControl.FileSystemAccessRule($global:samAccountName,$Rights,$Inherit,$Propagation,$Access)

        # Apply the rule and make the new user the owner of the directory
        $ACL = Get-Acl $global:homeDirectory
        $ACL.AddAccessRule($AccessRule)
        $Account = New-Object System.Security.Principal.NTAccount($global:samAccountName)
        $ACL.setowner($Account)
        $ACL.SetAccessRule($AccessRule)
        Set-Acl $global:homeDirectory $ACL

        Return
    }

Here are the errors I am currently getting. They seem to change up from time to time, but I'd say these are pretty consistent:

    Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
    At H:\Scripts\Create.ps1:274 char:10
    +                $ACL.AddAccessRule($AccessRule)
    +                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : IdentityNotMappedException

    Exception calling "SetOwner" with "1" argument(s): "Some or all identity references could not be translated."
    At H:\Scripts\Create.ps1:276 char:10
    +                $ACL.setowner($Account)
    +                ~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : IdentityNotMappedException

    Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
    At H:\Scripts\Create.ps1:277 char:10
    +                $ACL.SetAccessRule($AccessRule)
    +                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : IdentityNotMappedException

Spent hours on this and have gotten nowhere. Any suggestions would be appreciated.

According to the error "Some or all identity references could not be translated.", it looks like the user with that name still does not exist in the Directory (or in the Directory the computer is connected to) when you try to use it.

I would try to first look for the user in the directory before trying to use it. Check the value of $Account before using it.
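One way to put the answer's advice into practice (example code added here, not from the question or the answer): resolve the account name to a SID first, retrying while the directory catches up, and only then build the ACE from the SID so that nothing later has to translate the name again. The function name, the `$Domain` default and the retry counts are assumptions.

```powershell
# Added example: resolve the new account to a SID before touching the ACL.
function Set-HomeDirectoryAcl {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $HomeDirectory,
        [string] $Domain = $env:USERDOMAIN,   # assumption: the account lives in the current domain
        [int] $MaxAttempts = 12,              # assumption: 12 x 5 s covers normal replication lag
        [int] $DelaySeconds = 5
    )

    $ntAccount = New-Object System.Security.Principal.NTAccount($Domain, $SamAccountName)
    $sid = $null
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # Translate() is the same lookup AddAccessRule/SetOwner perform internally;
            # it throws IdentityNotMappedException until the account is visible to this host.
            $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
            break
        } catch [System.Security.Principal.IdentityNotMappedException] {
            Write-Verbose "Attempt ${attempt}: $Domain\$SamAccountName not resolvable yet; waiting $DelaySeconds s"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    if (-not $sid) {
        # Fail loudly instead of leaving a home directory with no ACE for its user
        throw "Account $Domain\$SamAccountName could not be resolved after $MaxAttempts attempts; ACL on $HomeDirectory left unchanged"
    }

    New-Item -Path $HomeDirectory -ItemType Directory -Force | Out-Null

    # Modify already covers Read and Write; FullControl would also let the user rewrite the ACL itself.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $HomeDirectory
    $acl.SetAccessRule($rule)   # SetAccessRule is sufficient; a preceding AddAccessRule is redundant
    $acl.SetOwner($sid)
    Set-Acl -Path $HomeDirectory -AclObject $acl
    return $sid
}

# Usage: Set-HomeDirectoryAcl -SamAccountName 'myaccount' -HomeDirectory '\\path\to\myaccount' -Verbose
```

Because the ACE is written with the SID, a later `Get-Acl` on the folder will still show the rule even on a host that cannot resolve the name yet.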
