add security groups to folder issue / System.Security.Principal.IdentityNotMappedException:


I am struggling with a strange issue and I wonder if someone can help me, please. At some point in my program I would like to add security groups with appropriate permissions to a folder. The steps look like this:

  1. Create Folder
  2. Create Domain Local Security Group
  3. Create Global Security group
  4. Add Global Group to local group
  5. Add Domain Local security group to folder "\domain\dfs\folder"

I got the piece of code below to do this from a Microsoft page:

    // Requires: using System.IO; using System.Security.AccessControl;
    public static void AddDirectorySecurity(string DirectoryName, string Group, FileSystemRights Rights, InheritanceFlags iFlag, PropagationFlags pFlag, AccessControlType ControlType)
    {
        // Create a new DirectoryInfo object.
        DirectoryInfo dInfo = new DirectoryInfo(DirectoryName);

        // Get a DirectorySecurity object that represents the
        // current security settings.
        DirectorySecurity dSecurity = dInfo.GetAccessControl();

        // Add the FileSystemAccessRule to the security settings.
        // The group name is translated to a SID here.
        dSecurity.AddAccessRule(new FileSystemAccessRule(Group, Rights, iFlag, pFlag, ControlType));

        // Set the new access settings.
        dInfo.SetAccessControl(dSecurity);
    }

The procedure for adding looks like this:

    string path = @"\\domain\dfs\folder";
    string gRDL_RW = "RDL-group-RW";

    AddDirectorySecurity(path, gRDL_RW, FileSystemRights.Modify, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);

It works fine in my test environment, but when I try to run it in the production environment I get this error:

************** Exception Text **************
System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
at System.Security.Principal.NTAccount.Translate(Type targetType)
at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
at Program_dev_1.Form1.button1_Click(Object sender, EventArgs e) in  c:\Users\?????????\Documents\Visual Studio 2012\Projects\brite_dev_1\brite_dev_1\Form1.cs:line 191
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Is it a problem with "Admin rights"? I have god-like permissions in the production environment. So what is going on?

I have a feeling that for some reason all those user-friendly names such as "FileSystemRights.Modify" cannot be translated. I checked the locale on the test and prod environments and both are the same.

Is it possible to use the raw numbers that are hiding behind those user-friendly names?

Maybe there is another way to add security groups to a folder? All I would really like to have is a working solution.


There are 1 best solutions below

The application was crashing when the groups were being added to the folder because the newly created groups were not known to all domain controllers immediately. I had to create a procedure that checks whether the newly created groups have been synchronized across the whole estate before progressing with the rest of the code. It is not possible, or I could not find a method, to specify the domain controller used when adding groups to folder permissions.
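
The wait that the answer describes, sketched as an added example (not code from the original post): poll until the group name translates to a SID, then build the rule from that SID so `AddAccessRule` needs no further name lookup. `AclHelper`, `WaitForSid` and the timeout values are hypothetical, and the check only shows that the machine running the code can resolve the group, not that every domain controller has it.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

public static class AclHelper   // hypothetical helper, not from the original post
{
    // Retry NTAccount -> SID translation until it succeeds or the deadline passes.
    // IdentityNotMappedException is the error from the question's stack trace.
    public static SecurityIdentifier WaitForSid(string account, TimeSpan timeout, TimeSpan interval)
    {
        DateTime deadline = DateTime.UtcNow + timeout;
        var nt = new NTAccount(account);
        while (true)
        {
            try
            {
                return (SecurityIdentifier)nt.Translate(typeof(SecurityIdentifier));
            }
            catch (IdentityNotMappedException)
            {
                // Group not visible yet. Fail closed at the deadline so the
                // folder is never left with a half-applied permission set.
                if (DateTime.UtcNow >= deadline) throw;
                Thread.Sleep(interval);
            }
        }
    }

    public static void AddDirectorySecurity(string directoryName, string group,
        FileSystemRights rights, InheritanceFlags iFlag, PropagationFlags pFlag,
        AccessControlType controlType)
    {
        // Assumed limits: wait up to 5 minutes, probing every 10 seconds.
        SecurityIdentifier sid = WaitForSid(group, TimeSpan.FromMinutes(5), TimeSpan.FromSeconds(10));

        var dInfo = new DirectoryInfo(directoryName);
        DirectorySecurity dSecurity = dInfo.GetAccessControl();

        // The rule carries the SID itself, so adding it does not repeat the
        // name translation that failed in the question.
        dSecurity.AddAccessRule(new FileSystemAccessRule(sid, rights, iFlag, pFlag, controlType));
        dInfo.SetAccessControl(dSecurity);
    }
}
```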