During a synchronization or migration session, the Security Descriptor migration rule is set to Merge or Replace. New objects are created without error, but when merging users or running a full resynchronization, many objects fail with an error similar to the following in dsa.log:
11/27/2009 11:06:37 AM (GMT+01:00) Target JobID:0 -> object was not modified due to error
11/27/2009 11:06:37 AM (GMT+01:00) Common JobID:0 -> Error 0xe1000040. Per attribute apply failed for object <GUID=E4FBD0AF3205EA4885B4B2F805E4CEB9>
Error 0xe1000041. Apply of attribute nTSecurityDescriptor with value(s) = [long hex string] failed.
LDAP error 0x32. Insufficient Rights (00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
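An added triage example, not part of the original article or the product: a Python sketch that groups the multi-line dsa.log records shown above and lists the objects whose nTSecurityDescriptor apply failed with LDAP error 0x32. It assumes the hex in <GUID=...> is the raw objectGUID byte order and that continuation lines carry no timestamp; the function names are hypothetical.

```python
import re
import uuid

# Sample taken from the excerpt above; "[long hex string]" is the page's own placeholder.
SAMPLE_LOG = """\
11/27/2009 11:06:37 AM (GMT+01:00) Target JobID:0 -> object was not modified due to error
11/27/2009 11:06:37 AM (GMT+01:00) Common JobID:0 -> Error 0xe1000040. Per attribute apply failed for object <GUID=E4FBD0AF3205EA4885B4B2F805E4CEB9>
Error 0xe1000041. Apply of attribute nTSecurityDescriptor with value(s) = [long hex string] failed.
LDAP error 0x32. Insufficient Rights (00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
"""

TS_RE = re.compile(r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M")
OBJECT_RE = re.compile(r"Per attribute apply failed for object <GUID=([0-9A-Fa-f]{32})>")
ATTR_RE = re.compile(r"Apply of attribute (\S+) with value")
LDAP_RE = re.compile(r"LDAP error (0x[0-9A-Fa-f]+)\. ([^(]+)")

def guid_display_form(hex32):
    # Assumption: the log prints objectGUID in raw byte order, so the first
    # three fields are little-endian relative to the usual dashed form.
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex32)))

def parse_failures(text):
    """Group each 'Per attribute apply failed' line with its continuation lines."""
    failures, current = [], None
    for line in text.splitlines():
        m = OBJECT_RE.search(line)
        if m:
            ts = TS_RE.match(line)
            current = {"time": ts.group(0) if ts else None, "guid": guid_display_form(m.group(1)),
                       "attribute": None, "ldap_code": None, "ldap_text": None}
            failures.append(current)
        elif TS_RE.match(line):
            current = None  # a new timestamped entry ends the previous record
        elif current is not None:
            if (a := ATTR_RE.search(line)):
                current["attribute"] = a.group(1)
            elif (e := LDAP_RE.search(line)):
                current["ldap_code"] = int(e.group(1), 16)
                current["ldap_text"] = e.group(2).strip()
    return failures

def sd_access_denied(failures):
    """Keep only security descriptor writes rejected with LDAP 0x32."""
    return [f for f in failures
            if f["attribute"] == "nTSecurityDescriptor" and f["ldap_code"] == 0x32]

if __name__ == "__main__":
    for f in sd_access_denied(parse_failures(SAMPLE_LOG)):
        print(f["time"], f["guid"], f["ldap_text"])
```

The dashed GUID it prints can be used to look up the affected object in the target directory.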