Are you using the SID directly? (E.g. by getting the current ACL, then calling ConvertSecurityDescriptorToStringSecurityDescriptor (yes, that is actually an API function), then appending the SDDL string for the new ACE (which will use the SID, not the user's name) to the string, converting the new string back to a security descriptor, and setting it onto the directory.)
I can see the user's name not resolving to their SID for 15 minutes if you have two DCs, because the user-creation process might be talking to a different DC than the username-resolving process, and the DCs would need to replicate the new user. But the SID should be valid at any time (and actually *any* SID should be valid at any time, whether a user exists for it or not).
OTOH, if this is web-based, you may not have access to the "raw" SDDL/ACL functions; that would be a reason you may not be doing this. :-)
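The SDDL round trip described in the comment above, written out as an added PowerShell example (it is not part of the original comment or the original question). It assumes you are on Windows with rights to change the directory's ACL, and that `$UserSid` is the SID string handed back by whatever created the account (for example the `SID` property returned by `New-ADUser -PassThru`); the SID in the parameter comment is a placeholder, and read+execute with inheritance is an illustrative choice of rights. `Get-Acl`/`.Sddl` and `SetSecurityDescriptorSddlForm`/`Set-Acl` are the .NET wrappers around `GetNamedSecurityInfo`, `ConvertSecurityDescriptorToStringSecurityDescriptor`, `ConvertStringSecurityDescriptorToSecurityDescriptor` and `SetNamedSecurityInfo`.

```powershell
<#
Added example, not from the original comment: grant a freshly created account access to a
directory by its SID via SDDL, so no name-to-SID lookup (and no wait for DC replication) is
involved. Assumes Windows, admin rights on $Directory, and the account's SID string as input.
#>
param(
    [Parameter(Mandatory)][string]$Directory,
    # Placeholder SID for illustration, e.g. 'S-1-5-21-1111111111-2222222222-3333333333-1105'
    [Parameter(Mandatory)][string]$UserSid
)

# Parsing the string as a SecurityIdentifier rejects anything that is not a SID.
# A user name here would bring back the lookup that can lag behind replication.
$sid = New-Object System.Security.Principal.SecurityIdentifier $UserSid

# 1. Read the current security descriptor and render it as SDDL.
$acl  = Get-Acl -LiteralPath $Directory
$sddl = $acl.Sddl

# 2. Build one ACE in SDDL: (type;flags;rights;object_guid;inherit_object_guid;trustee)
#    A         allow
#    OICI      object inherit + container inherit: applies to files and subfolders
#    0x1200a9  FILE_GENERIC_READ | FILE_EXECUTE (read and traverse); 'FA' would be full control
#    trustee   the raw SID, which is valid immediately whether or not anyone can resolve it yet
$ace = "(A;OICI;0x1200a9;;;$($sid.Value))"

# 3. Splice the ACE into the DACL. SDDL sections appear in the order O: G: D: S:, so the ACE
#    belongs at the end of the D: section, i.e. just before 'S:' when a SACL is present.
#    SIDs are written 'S-1-...', never 'S:', so 'S:' only ever marks the SACL section.
if ($sddl.IndexOf('D:') -lt 0) {
    # A missing DACL means "everyone, full control"; adding a single ACE would silently
    # lock the directory down to one principal. Do not guess here.
    throw "Directory '$Directory' has no DACL; refusing to invent one."
}
$saclStart = $sddl.IndexOf('S:')
if ($saclStart -ge 0) {
    $newSddl = $sddl.Insert($saclStart, $ace)   # keep the SACL after the DACL
} else {
    $newSddl = $sddl + $ace                      # DACL is last: plain append, as in the comment
}

# 4. Convert the string back into a security descriptor and write it to the directory.
$acl.SetSecurityDescriptorSddlForm($newSddl)
Set-Acl -LiteralPath $Directory -AclObject $acl

# 5. Check: re-read the ACL with identities left as SIDs (no translation attempted) and
#    confirm an ACE for this SID is present. This works before any DC knows the name.
$rules   = (Get-Acl -LiteralPath $Directory).GetAccessRules($true, $true,
               [System.Security.Principal.SecurityIdentifier])
$applied = $rules | Where-Object { $_.IdentityReference.Value -eq $sid.Value }
if (-not $applied) { throw "ACE for $($sid.Value) not found after Set-Acl" }
$applied | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Run it as `.\Grant-BySid.ps1 -Directory 'D:\Shares\newuser' -UserSid $newUser.SID.Value` (file name and variable are illustrative). If the account has not replicated to the DC your machine talks to, `Get-Acl` will display the ACE with the raw `S-1-5-21-...` string instead of `DOMAIN\user`; the ACE is still in force and the display fixes itself once the name resolves.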