When using a Script policy, it is possible that, by the time when the onPostCreate script is triggered, not all of the events started in previous stages have been completed. Because of this, some of the values needed for variables in the script started onPostCreate are not yet available, causing it to fail.
This is due to the way that Active Roles is configured by default which might not work in all scenarios. When setting script policies, it is possible to set the following two settings to control that:
Handle changes from DirSync control - Default value is FALSE (checkbox is unchecked).
Select this check box if you want the policy to run the script upon DirSync notifications about data changes in Active Directory. Otherwise, the policy will be unaware of the changes made to Active Directory data by administrative tools other than ActiveRoles Server.
The DirSync control is used to poll Active Directory about data changes, and return these changes to ActiveRoles Server. After capturing changes made in Active Directory, ActiveRoles Server can run the policy script to process the changes as needed.
Note that only post-event handlers, such as onPostCreate or onPostModify, receive control upon DirSync notifications. For example, suppose the policy script defines both the onPreCreate and onPostCreate handlers and affects a certain OU. This option ensures that the onPostCreate handler runs after a user account is created in that OU even if the creation request bypasses ActiveRoles Server. On the contrary, the onPreCreate handler runs only when ActiveRoles Server is requested to create a user account.
Wait while post-event handlers complete operation - Default value is TRUE (checkbox is checked).
Select this check for the policy not to be considered complete until all the post-event handler functions found in the script has finished. It is advisable to select this option if two or more policies are expected to run in succession. This option ensures that a subsequent policy starts not earlier than the processing of the previous policy finishes, thereby preventing policy conflicts.
For the majority of cases, the default settings will work. But in this case and scenario, checking "Handle changes from DirSync control" and unchecking "Wait while post-event handlers complete operation".
In the case where it's specific to home folder creation, ActiveRoles Server is unable to determine when Active Directory has actually complete the creation process with all permissions and such. For this, an Enhancemnt Request has been filed under TF00430250.