Return
-
Title
Can the processing of security descriptor SACLs be skipped during AD Sync or Migration? -
Description
During the synchronization or migration of AD object from source to target, is it possible to skip the processing of security descriptor SACLs (System Access Control List), yet allow DACLS (Discretionary Access Control List) be added or merged?
-
Resolution
To skip the processing of SACLs during security descriptor processing please follow the below instructions:
1. Stop all directory synchronization agents (DSA).
2. In Regedit open this registry key on all DSA agent computers and perform the modifications listed on each agent computer:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeDSACtrl_SERVER_NAME\Config
And / change values for these settings:
SDFlagsModify=0x7
SDFlagsSearch=0x7
** IMPORTANT: Start DSAs with the full-resync option.**