-
Title
Error 0xe1000041. Apply of attribute nTSecurityDescriptor failed -
Description
During synchronization or migration session the Security Descriptor migration rule is set to Merge or Replace. New objects are created without error, but when merging users or running a full resynchronization, there are many failed objects with an error similar to the following in dsa.log:
11/27/2009 11:06:37 AM (GMT+01:00) Target JobID:0 -> object was not modified due to error
11/27/2009 11:06:37 AM (GMT+01:00) Common JobID:0 -> Error 0xe1000040. Per attribute apply failed for object <GUID=E4FBD0AF3205EA4885B4B2F805E4CEB9>
Error 0xe1000041. Apply of attribute nTSecurityDescriptor with value(s) = [long hex string] failed.
LDAP error 0x32. Insufficient Rights (00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0). -
Cause
The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL. When merging two security descriptors, Directory Synchronization Agent will read both, combine the permissions and write the entire security descriptor back to the target object. Permissions on the object itself are enough to write the DACL, but writing the SACL requires administrative permission on the domain controller.
-
Resolution
Make sure that the service account used for the target domain is a member of Builtin\Admnistrators group on the target domain controller. This group, or, preferably, the service account itself must have the following privileges on the domain controller: SeBackupPrivilege, SeRestorePrivilege and SeSystemSecurityPrivilege. These can be assigned by managing Local Domain Controller Security policy and adding the service account into the following User Rights: Manage auditing and security log , Backup files and directories and Restore Files and Directories.
If changing the administrative rights on the target domain is not possible, security descriptor migration rule needs to be set to "Skip" -
Additional Information
It is also possible to partially skip the security descriptor, synchronizing only the DACL and leaving out the SACL. Keeping the security descriptor migration rule on "Merge" or "Replace", do the following:
To skip the processing of SACLs during security descriptor processing:
1. Stop all directory synchronization agents (DSA).
2. In Regedit open this registry key on all DSA agent computers and perform the modifications listed on each agent computer:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeDSACtrl_SERVER_NAME\Config
And or change values for these settings:
SDFlagsModify=0x7
SDFlagsSearch=0x7
3. IMPORTANT: Start DSAs with the full-resync option.