Discussion:
Remote folder permission for brand new user - XCACLS.VBS
Gert Conradie
2007-03-19 14:08:06 UTC
Hi

We have a script that creates a brand new user in AD and then creates a
physical profile path folder. We then set permissions on the new
folder with XCACLS.VBS from our script.

We are a national company that has different regions with their own DCs,
etc.

When the script runs in our main office, i.e. the profile path is close and
on the same DC, then all is well.

When I run the script for a region with its own DC, then it fails. (The folder
is created but the user permissions are not set.) When I do this for a
user that was created previously (20 minutes, for example), then this
works and the user permissions are fine.

It seems that the remote DC doesn't know about the user yet and therefore
fails, and it only works after the standard "sync" period. Any
advice?

Thanks, Gert
Ian Pitre
2010-12-15 21:08:15 UTC
I'm having the same problem. We have 8 DCs, creating user, then profile folder, trying to run xcacls cannot resolve the user, even when providing the SID. Within minutes it can resolve the user.

Any advice?

I'm at the point that I'm looking into xcacls.vbs itself to extract the part that resolves the user, so that I can include the same code inside a loop within my script that loops until it resolves the user and then proceeds with xcacls. I hate/love scripting.
Al Dunbar
2010-12-17 00:13:49 UTC
When you create a user, you create it on one of the DCs, presumably not the
one that determines the identity of the user for xcacls. The record
eventually shows up on the other DCs through replication. This is simply
how Active Directory works.

If you do not want to have to wait for this replication, I'd suggest you
find a way to ensure that all of your activities are governed by the same
DC.


/Al
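An added example, not part of the thread or of XCACLS.VBS: one way to combine the two suggestions above in PowerShell, pinning user creation to one DC and polling the regional DC until the account has replicated before granting rights by SID. It assumes the ActiveDirectory module is installed; the DC names, share path, account name and the Modify right are hypothetical.

```powershell
# Added example. All host names, paths and the account name are hypothetical.
Import-Module ActiveDirectory

function Wait-ADUserOnDC {
    param(
        # Restrict the name so it cannot break out of the -Filter string below
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
        [string]$SamAccountName,
        [Parameter(Mandatory)][string]$Server,   # the DC to poll
        [int]$TimeoutSeconds  = 1800,
        [int]$IntervalSeconds = 15
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # -Filter returns nothing (no exception) while the object has not replicated
        $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Server $Server
        if ($user) { return $user }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    throw "User '$SamAccountName' not visible on $Server after $TimeoutSeconds seconds"
}

$createDC = 'dc-hq01.example.local'       # DC the account is created on
$regionDC = 'dc-region01.example.local'   # DC assumed to serve the regional file server
$sam      = 'jdoe'
$folder   = "\\fs-region01\profiles`$\$sam"

# Pin the creation to a known DC instead of whichever DC the locator picks
New-ADUser -Name $sam -SamAccountName $sam -Server $createDC
New-Item -ItemType Directory -Path $folder | Out-Null

# Block until the regional DC can see the account; fail loudly on timeout so
# the folder is never left silently without its ACE
$user = Wait-ADUserOnDC -SamAccountName $sam -Server $regionDC

# Build the ACE from the SID object, so no name lookup is needed at this step
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify the ACE actually landed rather than trusting the exit path
$sids = (Get-Acl -Path $folder).GetAccessRules(
    $true, $false, [System.Security.Principal.SecurityIdentifier])
if (-not ($sids | Where-Object { $_.IdentityReference -eq $user.SID })) {
    throw "ACE for $sam missing on $folder"
}
```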