I have a script that creates two groups, a handful of folders, and sets permissions on those folders. In my testing environment all of these processes work without issue b
Set the permission on the SID of the new group instead of its name/samaccountname.
I decided to use a while loop to check for the group replication.
#Wait for group replication ($Admin_GRP holds the name of the group created earlier in the script)
$Admin_GRP_CHK = $null
while ($Admin_GRP_CHK -ne 'group')
{
    # A not-found error from Get-ADGroup lands here: report it, sleep, then resume the loop.
    # 'continue' in a trap resumes after the failing statement rather than aborting the script.
    trap { 'Admin group not replicated yet. Waiting 10 seconds. ({0})' -f $_.Exception.Message; Start-Sleep -Seconds 10; continue }
    $Admin_GRP_CHK = (Get-ADGroup -Identity $Admin_GRP -ErrorAction Stop).ObjectClass
}
Write-Host 'Admin group exists'
In the past, when writing shell scripts, I've called NLTEST.EXE to point the current PC/server at a specific DC (I normally choose the PDC emulator). I can't remember which switch I used. Not sure if this will help.
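Putting the three suggestions in this thread together (grant by SID rather than by name, wait until the group is actually readable, and pin the script to one DC), as an added example that is not code from the original poster or any of the replies. It uses the -Server parameter of the AD cmdlets to pin to the PDC emulator instead of NLTEST. The group name 'FS-Finance-Admins', the OU path, the folder 'D:\Shares\Finance' and the DomainLocal scope are placeholders and assumptions, not values from the original script.

```powershell
# Added example, not code from the original thread. Names below are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'FS-Finance-Admins'                        # placeholder
$GroupPath  = 'OU=FileShareGroups,DC=corp,DC=example'     # placeholder
$FolderPath = 'D:\Shares\Finance'                         # placeholder

# Pin every AD call to the PDC emulator so the group is created and read back
# on the same DC; the script then never depends on DC-to-DC replication timing.
$Dc = (Get-ADDomain).PDCEmulator

New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
            -Path $GroupPath -Server $Dc

# Poll that same DC until the new object is readable, with a bounded retry
# count so a typo or a permissions problem cannot turn into an endless loop.
$group = $null
for ($attempt = 1; $attempt -le 30 -and -not $group; $attempt++) {
    try {
        $group = Get-ADGroup -Identity $GroupName -Server $Dc -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "Attempt ${attempt}: $GroupName not yet visible on $Dc, waiting 10 seconds"
        Start-Sleep -Seconds 10
    }
}
if (-not $group) { throw "Group $GroupName never became visible on $Dc" }

# Build the ACE from the SID rather than 'DOMAIN\GroupName'. The ACL then
# carries the raw SID, so the machine applying it does not have to resolve
# the name against a DC that may not have the object yet.
$sid  = [System.Security.Principal.SecurityIdentifier]$group.SID
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

$acl = Get-Acl -Path $FolderPath
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Read the ACL back as SIDs (no name translation) and confirm the ACE landed.
# This view works even while the file server's own SID cache is still stale
# and would otherwise show the entry as an unresolved S-1-5-21-... string.
$applied = (Get-Acl -Path $FolderPath).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
           Where-Object { $_.IdentityReference -eq $sid }
if (-not $applied) { throw "ACE for $($sid.Value) was not applied to $FolderPath" }
$applied | Format-Table IdentityReference, FileSystemRights, IsInherited
```

Two caveats. The SID-based ACE removes the name lookup on the machine running the script, but a file server or NAS that validates every SID against a DC of its own choosing can still reject it until that DC has the object; that is a server-side setting, not something the script controls. And the bounded loop deliberately throws instead of waiting forever, so a mistyped group name fails fast rather than hanging the provisioning run.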
I had the exact same issue. It turns out, our filesystem only updated its own cache of SIDs every 20 - 30 seconds. So if I created a new SID and tried to apply it to a folder straight away, our filesystem would say the SID was unknown. I modified a setting on our filesystem to allow it to accept 'unknown' SIDs (even though they were known to AD and it just hadn't updated). More info here:
Issues With New-ADGroup, Set-ACL and Network Folders
Sleeping the script is definitely not an option when you have 7.5 million files and folders!