windows PowerShell 文件夹权限错误 - 无法转换部分或全部身份引用。
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11440115/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PowerShell folder permission error - Some or all identity references could not be translated.
提问by Siriss
I have read many posts about this, but I still can't get it. I am running this script as Admin and It does create the folders requred, just does not set the appropriate permissions. Any help would be appreciated. Thank you!
我已经阅读了很多关于这个的帖子,但我仍然无法理解。我以管理员身份运行此脚本,它确实创建了所需的文件夹,只是没有设置适当的权限。任何帮助,将不胜感激。谢谢!
$Users = Get-Content "D:\New_Users.txt"
ForEach ($user in $users)
{
$newPath = Join-Path "F:\Users" -childpath $user
New-Item $newPath -type directory
$UserObj = New-Object System.Security.Principal.NTAccount("DOMAIN",$user)
$acl = Get-Acl $newpath
$acl.SetAccessRuleProtection($True, $False)
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("O1OAK$user","AppendData,CreateDirectories,CreateFiles,DeleteSubdirectoriesAndFiles,ExecuteFile,ListDirectory,Modify,Read,ReadAndExecute,ReadAttributes,ReadData,ReadExtendedAttributes,ReadPermissions,Synchronize,Traverse,Write,WriteAttributes,WriteData,WriteExtendedAttributes","ContainerInherit, ObjectInherit","None","Allow")
$acl.SetAccessRule($accessRule)
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow")
$acl.SetAccessRule($accessRule)
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","ContainerInherit, ObjectInherit","None","Allow")
$acl.SetAccessRule($accessRule)
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("1OAK$user","Delete","ContainerInherit, ObjectInherit","None","Allow")
$acl.removeAccessRule($accessRule)
$acl.SetOwner($UserObj)
$acl | Set-Acl $newpath
}
The first error in a string of 3 that I get is below. I think it is the most important and will fix the other 2.
我得到的 3 个字符串中的第一个错误如下。我认为这是最重要的,并将修复其他 2 个。
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At D:\DOMAIN\IT\IT Private\User Drives\user_folders.ps1:12 char:20
+ $acl.SetAccessRule <<<< ($accessRule)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
I hope this is not a duplicate and I am sorry if it is, I have been reading for hours. Thank you!
我希望这不是重复的,如果是,我很抱歉,我已经阅读了几个小时。谢谢!
回答by Andy Arismendi
The error is pretty self explanatory: Some or all identity references could not be translated.
该错误是不言自明的: Some or all identity references could not be translated.
This means the account couldn't be found. So what you have to do is verify your accounts. Since you're adding 4 ACE's, you'll need to identify which is invalid.
这意味着无法找到该帐户。因此,您要做的就是验证您的帐户。由于您要添加 4 个 ACE,因此您需要确定哪个无效。
The easiest way to do this is to debug through, line by line using the ISE or PowerGUI.
最简单的方法是使用 ISE 或 PowerGUI 逐行调试。
I tried your code with "NT AUTHORITY\SYSTEM" and "BUILTIN\Administrators" and it works so the issue is with "O1OAK\$user"or "1OAK\$user". You likely have an invalid account in your text file.
我用“NT AUTHORITY\SYSTEM”和“BUILTIN\Administrators”尝试了你的代码,它工作正常,所以问题出在"O1OAK\$user"或"1OAK\$user"。您的文本文件中可能有一个无效的帐户。
回答by flow in
a gotch with the user ID is that AD truncates the username, so a user with a long name "j_reallylongname" will have a samid (Security Account Manager (SAM) account name) which is truncated. (j_reallylong)
用户 ID 的一个问题是 AD 截断了用户名,因此具有长名称“j_reallylongname”的用户将具有被截断的 samid(安全帐户管理器 (SAM) 帐户名)。(j_reallylong)
so when fetching usernames, make sure you verify against the AD before using it.
因此,在获取用户名时,请确保在使用之前针对 AD 进行验证。
When i've got the upns, so i run a dsget query to get the samid then use that to build the identity reference.
当我获得 upns 后,我运行 dsget 查询来获取 samid,然后使用它来构建身份引用。
回答by emery.noel
Adding this in case any C#/ASP.NET developers get this (which is my scenario, and I found this post).
添加这个以防任何 C#/ASP.NET 开发人员得到这个(这是我的场景,我找到了这篇文章)。
I am using .NET Core in a corporate environment, and I need to check UserGroups as part of security. The code is like (where "user" is a ClaimsPrincipal):
我在公司环境中使用 .NET Core,我需要检查 UserGroups 作为安全性的一部分。代码就像(其中“用户”是一个ClaimsPrincipal):
var windowsIdentity = user.Identity as WindowsIdentity;
if( windowsIdentity is null )
throw new Exception( $"Invalid Windows Identity {user.Identity.Name}" );
return windowsIdentity.Groups
.Select( g => g.Translate( typeof( NTAccount ) ).Value );
Anyway, someone in charge of groups deleted a group I was part of, and the AD replication lag caused me to get the error in the title. A logoff and/or reboot worked just fine.
无论如何,负责组的人删除了我所属的组,AD复制延迟导致我在标题中出现错误。注销和/或重新启动工作得很好。
回答by Dbl
For me it was a case of where i verified whether the script execution knew the password by using $user = Get-Credential "username". i had to turn my $userinto $user.UserNameTo give the script parameters the value they were expecting
对我来说,这是我验证脚本执行是否通过使用$user = Get-Credential "username". 我不得不把我的$user变成$user.UserName给脚本参数他们期望的值
