
Thread: Specify DC for "CreatePermission" ?

  1. #1
    PreviousPoster

    Hi guys!

    I am facing the following problem:
    I have an environment with several domain controllers (DCs).
    The task is to use only one specific DC for all GPO related stuff.
    Thus I create some groups via LDAP on a specific DC.
    I use GPMC scripting interface to create a new GPO on the same DC. This can be done by specifying the server name in the GPMDomain object. However, when I try to set the new groups on the new GPO with some permissions, the method "CreatePermission" fails with error code -2147023564. This is likely because the groups are not replicated so far to the DC my user used to logon. GPMC seems to use the LOGON DC for the method "GPM.CreatePermission". And I can't find any way to tell the Interface to use another DC for that.
    Does anybody know a solution for that?

    I cannot understand why "CreateGPO" is based on the GPMDomain object (where I can specify a DC) and "CreatePermission" is based on the root object GPM (where there is no possibility to specify a domain).

    I tried performing "GetDomain" providing domain name and domain controller name directly before calling "CreatePermission", but this does not help. I miss a "SetDomain" function or something like this...

    By the way: My code works fine in my test environment where there is only 1 DC. Therefore the code itself can be considered as OK.

    Thanks for any help!

  2. #2
    gpoguy

    Maybe I'm missing something here but once you create the GP Permission object, you have to apply it to a GPO using the GPMGPO SetSecurityInfo method. In order to get the reference to the GPO in the first place, you would have had to have called GetGPO on the GPMDomain object, which lets you specify a perm. So, I guess I'm missing where you are not able to specify a DC in this operation? Can you post your code as this may help.

  3. #3
    PreviousPoster

    Thank you for your reply.
    You are right that the Permission object will be added to the security info of the GPO and then applied via the SetSecurityInfo method. And yes, when creating or getting a GPO, there is control over the DC used.

    The point is, it is not possible to create the permission object (which is at first not related to the GPO).
    It fails when the specified trustee is not found (in my case this is because it is not yet available on the DC the method is using).

    To my understanding, the CreatePermission method creates an unreferenced GPO permission which will later be added to a GPO.
    But it seems as if the specified trustee is verified (that's OK in general), but it uses an arbitrary Domain Controller. I don't seem to have a possibility to control the selected DC for that "trustee verification".

    That "trustee verification behaviour" can be easily tested using an account that really does not exist:
    _______________________________________
    on error resume next
    Set g_objGPM = CreateObject("GPMgmt.GPM")
    Set g_objGPMConstants = g_objGPM.GetConstants()

    Dim objGPMPermission: Set objGPMPermission = Nothing
    Set objGPMPermission = g_objGPM.CreatePermission("emea\notexistaccount", g_objGPMConstants.PermGPORead, False) ' create a new (yet unreferenced) GPO permission
    if err.number<>0 then wscript.echo err.description
    If objGPMPermission Is Nothing Then
    wscript.echo "Failed creating the permission object"
    end if
    '...
    _______________________________________


    Maybe there is another approach setting GPO permissions?

  4. #4
    JerryC

    Instead of doing something fancy (like querying in the code for the existence of a group that's newly created on all DCs and then allowing the code to proceed), we usually just add a short delay into the script after creation of group objects (basically we add 10 minutes to allow replication to DCs in all local sites). Perhaps you wouldn't consider 10 minutes to be "short", but it does tend to work in almost all cases we've encountered.

  5. #5
    PreviousPoster

    I just would like to share my final solution with you:
    As querying all the DCs did not help either, I ended up with querying the Global Catalog. So this is only one query in a loop,
    waiting for the new group to be replicated to the GC. The idea of querying the GC is described by Microsoft here:
    http://support.microsoft.com/kb/252490/en-us

    Thanks for all taking part in my issue...
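    The following script is an added example and is not code from any poster in this thread. It puts together the two pieces discussed above: the Global Catalog polling loop from post #5 (waiting until the new group is visible in the GC instead of sleeping a fixed 10 minutes as in post #4), followed by the CreatePermission / GetSecurityInfo.Add / SetSecurityInfo sequence described in posts #2 and #3, with the GPO created on a named DC via GPMDomain. The domain name, DC name, group name, trustee string, timeout and poll interval are all assumed placeholder values; the ADSI/ADO and GPMC calls themselves are the standard ones.

```vbscript
' Added example: wait for a newly created group to replicate to the Global Catalog,
' then create a GPO on a chosen DC and grant the group a permission on it.
' Assumed values (replace for your environment):
Option Explicit

Const DOMAIN_DNS   = "emea.example.com"      ' assumption: domain DNS name
Const DC_NAME      = "DC01.emea.example.com" ' assumption: the DC used for all GPO work
Const GROUP_SAM    = "GPO-Readers"           ' assumption: group created earlier via LDAP
Const TRUSTEE      = "emea\GPO-Readers"      ' assumption: NT-style name for CreatePermission
Const MAX_WAIT_SEC = 900                     ' give up after 15 minutes (assumption)
Const POLL_SEC     = 30                      ' poll interval (assumption)

' Returns True once a group with this sAMAccountName is listed in the Global Catalog.
' The GC holds a partial, forest-wide replica, so a hit means replication has at
' least reached the GC that answers the query.
Function GroupInGC(sAMAccountName)
    Dim objRoot, objConn, objCmd, objRS, strFilter
    Set objRoot = GetObject("GC://RootDSE")
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    strFilter = "(&(objectCategory=group)(sAMAccountName=" & sAMAccountName & "))"
    objCmd.CommandText = "<GC://" & objRoot.Get("rootDomainNamingContext") & ">;" & _
                         strFilter & ";distinguishedName;subtree"
    Set objRS = objCmd.Execute
    GroupInGC = Not objRS.EOF
    objRS.Close
    objConn.Close
End Function

' Polls the GC until the group appears or the timeout expires (True = found).
Function WaitForGroup(sAMAccountName, maxWaitSec)
    Dim waited: waited = 0
    Do While Not GroupInGC(sAMAccountName)
        If waited >= maxWaitSec Then
            WaitForGroup = False
            Exit Function
        End If
        WScript.Sleep POLL_SEC * 1000
        waited = waited + POLL_SEC
    Loop
    WaitForGroup = True
End Function

Dim objGPM, objGPMConstants, objGPMDomain, objGPO, objSecInfo, objPerm
Set objGPM = CreateObject("GPMgmt.GPM")
Set objGPMConstants = objGPM.GetConstants()

If Not WaitForGroup(GROUP_SAM, MAX_WAIT_SEC) Then
    WScript.Echo "Group " & GROUP_SAM & " not visible in the GC after " & MAX_WAIT_SEC & " s; aborting"
    WScript.Quit 1
End If

' Bind to the chosen DC for GPO creation and editing, as in post #1.
Set objGPMDomain = objGPM.GetDomain(DOMAIN_DNS, DC_NAME, objGPMConstants.UseAnyDC)
Set objGPO = objGPMDomain.CreateGPO()
objGPO.DisplayName = "Example GPO"   ' assumption: display name

' CreatePermission resolves the trustee itself (the call that failed in the thread
' while the group existed on only one DC); it is run only after the GC lists the group.
Set objPerm = objGPM.CreatePermission(TRUSTEE, objGPMConstants.PermGPOApply, False)
Set objSecInfo = objGPO.GetSecurityInfo()
objSecInfo.Add objPerm
objGPO.SetSecurityInfo objSecInfo
WScript.Echo "Granted " & TRUSTEE & " apply rights on " & objGPO.DisplayName
```

    Two caveats on the design: the GC check confirms that replication has reached the GC answering the query, not necessarily the DC that resolves the trustee for CreatePermission, so if that DC is not itself a GC a retry loop around CreatePermission (bounded by the same timeout) is a reasonable addition; and the script deliberately fails closed on timeout rather than continuing with an unassigned permission, so that a replication problem surfaces as a script error instead of a GPO silently missing its ACE.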
