Add User home folder using another account

Question

Hi, I'm new to this forum so I hope this question hasn't already been answered.

The sceanrio is that the Adaxes servert is part of domain A and is used to manage other domains. There's no problem accessing the AD's and create/modify objects. The problem occurs when I try to create a user using business rules and in that rule create a home folder for that user. It seems that Adaxes is then using the service account that runs the Adaxes service and not the specified logon account for the target domain? Is there any way to specify which account that it should use during the business rule run?

I saw one thing that might work, that is to run a PS script (where you can specify runas account) instead but I can't manage to get that to work,. See script below. It gives me this error:
"Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated.""

Any help is much appreciated!

#Create Users homefolder
$homeFolder = "\\fileserver\Users"
$userHome = "$homeFolder\%username%"

New-Item "$userHome" -type Directory

$acl = Get-Acl $userHome

#Add full control user permissions
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("%username%","FullControl","ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

#Commit Changes
Set-Acl $userHome $acl

Comments

Anyone that has a solution to this problem? :|

---

Hello Niclas,

To troubleshoot the issue, we need some information from you. First of all, when you try creating home folders with the help of the built-in action, what is the result? Does the home folder get created, but appropriate permissions are not assigned, or the home folder is not created at all?

Also, what version of Adaxes (including the build number) are you using?

---

Due to the fact that the Adaxes server isn't in the same domain and the builtin "Create Home folder" function seem to use the serviceaccount of the adaxes service it never gets created due to access denied.
If I instead use a PS script (the one below) and let that run as an account in the target domain I get the error "Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
I also tried to do a Remote PS Session from the Adaxes server to the target fileserver and also get the same error. So maybe some changes is needed in the target server to let the Adaxes server do remote scripting?

Adaxes server is 2013.1

Answer 1

Hello Niclas,

Adaxes server is 2013.1

In Adaxes 2013.1, indeed, the account of Adaxes default service administrator (the user that you specified during Adaxes installation) was used to create home folders using the built-in Business Rule action, however this behavior was changed in Update 1 to Adaxes 2014.1. Starting from that version, if Adaxes cannot create a home folder using the account of Adaxes default service administrator, Adaxes uses the logon account for the target user's domain. Thus, to resolve the issue, you simply need to upgrade to the latest version. You can get the latest release here.

Upgrade Instructions.

For a complete list of new features and improvements in Adaxes 2014.1, see What's New.

Comments

Ah.. Nice. I'll try to do an upgrade asap. Thanks for the info.

---

I've taking over this installation from another admin which ofcourse didn't write down the config for the service account used by Adaxes. Is there any way to change service account?

---

.. or is it OK to reset the password in AD and just change the service logon password and restart the service?

---

Solved by resetting password. Got the answer from Adaxes support team.