PowerShell folder permission error - Some or all identity references could not be translated.

长发绾君心 2020-12-18 22:03

I have read many posts about this, but I still can't get it. I am running this script as Admin and it does create the folders required, just does not set the appropriate per

4 answers
  • 2020-12-18 22:23

    Adding this in case any C#/ASP.NET developers get this (which is my scenario, and I found this post).

    I am using .NET Core in a corporate environment, and I need to check UserGroups as part of security. The code is like (where "user" is a ClaimsPrincipal):

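    // Requires: using System.Linq; using System.Security.Principal;
    var windowsIdentity = user.Identity as WindowsIdentity;
    if( windowsIdentity is null )
        throw new Exception( $"Invalid Windows Identity {user.Identity.Name}" );
    // Translate() throws IdentityNotMappedException when a group SID can no longer be resolved.
    return windowsIdentity.Groups
        .Select( g => g.Translate( typeof( NTAccount ) ).Value );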
    

    Anyway, someone in charge of groups deleted a group I was part of, and the AD replication lag caused me to get the error in the title. A logoff and/or reboot worked just fine.

    0 Comments (0)
  • 2020-12-18 22:25

    For me it was a case where I verified whether the script execution knew the password by using $user = Get-Credential "username". I had to turn my $user into $user.UserName to give the script parameters the value they were expecting.

    0 Comments (0)
  • 2020-12-18 22:29

    The error is pretty self-explanatory: Some or all identity references could not be translated.

    This means the account couldn't be found. So what you have to do is verify your accounts. Since you're adding 4 ACEs, you'll need to identify which is invalid.

    The easiest way to do this is to debug through, line by line, using the ISE or PowerGUI.

    I tried your code with "NT AUTHORITY\SYSTEM" and "BUILTIN\Administrators" and it works, so the issue is with "O1OAK\$user" or "1OAK\$user". You likely have an invalid account in your text file.

    0 Comments (0)
  • 2020-12-18 22:35

    A gotcha with the user ID is that AD truncates the username, so a user with a long name "j_reallylongname" will have a samid (Security Account Manager (SAM) account name) which is truncated (j_reallylong).

    So when fetching usernames, make sure you verify against the AD before using it.

    When I've got the UPNs, I run a dsget query to get the samid, then use that to build the identity reference.

    0 Comments (0)
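
Added example, not part of the original answers: the last two answers say to identify which account name is invalid and to verify names against AD before using them. This PowerShell function does that by translating each name to a SID before any ACE is built. `Test-IdentityReference` is a hypothetical helper name, and `EXAMPLE\j_reallylongname` is a constructed placeholder account.

```powershell
# Hypothetical helper: report which account names fail name-to-SID translation.
function Test-IdentityReference {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity
    )
    process {
        foreach ($name in $Identity) {
            $sid = $null
            $err = $null
            try {
                $account = [System.Security.Principal.NTAccount]::new($name)
                # Name-to-SID translation is the step that raises the error in the title.
                $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                $err = $_.Exception.GetBaseException().Message
            }
            [pscustomobject]@{
                Identity = $name
                Resolved = [bool]$sid
                Sid      = $sid
                Error    = $err
            }
        }
    }
}

# Constructed sample input; the EXAMPLE\ account is a placeholder expected not to resolve.
$candidates = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'EXAMPLE\j_reallylongname'
$results = $candidates | Test-IdentityReference
$results | Format-Table Identity, Resolved, Sid -AutoSize

# Build ACEs only for names that resolved, so one bad name does not abort the run.
$rules = foreach ($r in $results | Where-Object Resolved) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $r.Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

# Surface the names that need checking against AD (for example a truncated samid).
$results | Where-Object { -not $_.Resolved } |
    ForEach-Object { Write-Warning "Unresolvable identity: $($_.Identity)" }
```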