During the synchronization or migration of AD object from source to target, is it possible to skip the processing of security descriptor SACLs (System Access Control List), yet allow DACLS (Discretionary Access Control List) be added or merged?
To skip the processing of SACLs during security descriptor processing please follow the below instructions:
1. Stop all directory synchronization agents (DSA).
2. In Regedit open this registry key on all DSA agent computers and perform the modifications listed on each agent computer:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeDSACtrl_SERVER_NAME\Config
And / change values for these settings:
SDFlagsModify=0x7
SDFlagsSearch=0x7
** IMPORTANT: Start DSAs with the full-resync option.**
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center