The AD Security Descriptors (SDs) migration rule is set to Merge or Replace.
The service accounts do not have administrator rights and are configured according to the least-privilege rules in the user guide.
1. If SDFlagsModify and SDFlagsSearch are set in the registry, the SD is retrieved without its system access control list (SACL), so QMM does not synchronize the SACL.
2. If the source service account holds the SE_SECURITY_NAME (Manage auditing and security log) privilege, the SD is read in full from the source.
3. If the source service account does not have SE_SECURITY_NAME, the target SD (in Merge mode) is not returned by the target DC, and the error "Insufficient Rights trying to apply target ntSecurityDescriptor" is reported.
4. If the target service account has SE_SECURITY_NAME (in Merge mode), the SD is returned properly, but the following error is reported: "Constraint violation trying to apply ntSecurityDescriptor".
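The following PowerShell is an added example, not part of the Quest article, for checking what the account you are troubleshooting can actually read. It requests an object's nTSecurityDescriptor twice through the .NET DirectorySearcher.SecurityMasks property, once with the SACL bit and once without, and reports which parts came back. SecurityMasks sends the standard Owner (0x1), Group (0x2), DACL (0x4) and SACL (0x8) bits to the DC; it is an assumption, suggested by the value names and the 0x7 setting, that the SDFlagsSearch and SDFlagsModify registry values carry the same bits. Run it in the context of the QMM service account (for example via runas) against an object in the source and in the target domain; the distinguished name is a placeholder.

```powershell
# Added example, not Quest's code. Reads nTSecurityDescriptor with and without
# the SACL bit so you can see what the current account is allowed to retrieve.
Add-Type -AssemblyName System.DirectoryServices

function Get-ObjectSecurityDescriptor {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.SecurityMasks]$Masks
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=*)')
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    [void]$searcher.PropertiesToLoad.Add('nTSecurityDescriptor')
    # SecurityMasks is sent to the DC as the LDAP SD-flags control:
    # Owner = 0x1, Group = 0x2, Dacl = 0x4, Sacl = 0x8
    $searcher.SecurityMasks = $Masks
    $result = $searcher.FindOne()
    if ($null -eq $result -or $result.Properties['ntsecuritydescriptor'].Count -eq 0) {
        return $null   # the DC returned no SD at all for this request
    }
    $raw = [byte[]]$result.Properties['ntsecuritydescriptor'][0]
    return New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
}

function Get-SdSummary {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd)
    if ($null -eq $Sd) { return 'not returned' }
    $daclAces = if ($Sd.DiscretionaryAcl) { $Sd.DiscretionaryAcl.Count } else { 0 }
    # SystemAcl is $null when the DC omitted the SACL from the returned SD
    $saclAces = if ($Sd.SystemAcl) { $Sd.SystemAcl.Count } else { 'none' }
    return "owner=$($Sd.Owner) daclAces=$daclAces saclAces=$saclAces"
}

# Placeholder DN: replace with an object in the source or target domain
$dn = 'CN=Test User,OU=Migrated,DC=example,DC=com'

# 0x7 = Owner|Group|Dacl (the value the article sets); 0xF also requests the SACL
$withoutSacl = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl'
$withSacl    = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl,Sacl'

$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as $who"
Write-Host ("mask 0x7 : " + (Get-SdSummary (Get-ObjectSecurityDescriptor $dn $withoutSacl)))
Write-Host ("mask 0xF : " + (Get-SdSummary (Get-ObjectSecurityDescriptor $dn $withSacl)))
```

If the 0xF request comes back with no SACL (or no SD at all) while the 0x7 request succeeds, the account lacks the Manage auditing and security log privilege on that side, which matches causes 1 and 3 above.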
By default, Migration Manager migrates objects' security descriptors, including object ownership, the discretionary access control list (DACL) and the system access control list (SACL). Because modifying SACLs requires administrative rights in the target domain, SACLs must not be migrated or synchronized.
There are two options to prevent SACL migration:
· Do not migrate security descriptors
· Skip SACLs
To skip SACLs:
1. Start regedit.exe on the computer where the Directory Synchronization Agent is installed.
2. Navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeDSACtrl_<Computer_Name>\Config
3. Set the value SDFlagsModify to 0x7
4. Set the value SDFlagsSearch to 0x7
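The same change scripted in PowerShell, added here as an example and not Quest's own tooling. It exports the key to a .reg file before writing, sets both values to 0x7, and reads them back to confirm the SACL bit (0x8) is clear. The key path and value names come from the steps above; the computer name defaults to the local host name, which assumes the agent service name embeds the host it is installed on exactly as the article's `AeDSACtrl_<Computer_Name>` suggests. Run it elevated on the agent computer.

```powershell
# Added example, not Quest's code: apply the "skip SACLs" registry setting
# with a backup and a read-back check.
#Requires -RunAsAdministrator

# Standard SECURITY_INFORMATION bits; 0x7 selects everything except the SACL
$OWNER_SECURITY_INFORMATION = 0x1
$GROUP_SECURITY_INFORMATION = 0x2
$DACL_SECURITY_INFORMATION  = 0x4
$SACL_SECURITY_INFORMATION  = 0x8
$SkipSaclFlags = $OWNER_SECURITY_INFORMATION -bor $GROUP_SECURITY_INFORMATION -bor $DACL_SECURITY_INFORMATION

function Get-DsaConfigKeyPath {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Key path from the article; assumes the service name carries the agent host name
    return "HKLM:\SYSTEM\CurrentControlSet\Services\AeDSACtrl_$ComputerName\Config"
}

function Set-DsaSkipSacl {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$BackupPath = "$env:TEMP\AeDSACtrl_Config_backup.reg"
    )
    $key = Get-DsaConfigKeyPath -ComputerName $ComputerName
    if (-not (Test-Path $key)) {
        throw "DSA config key not found: $key (is the Directory Synchronization Agent installed here?)"
    }

    # Back up the key first; reg.exe wants the HKEY_LOCAL_MACHINE spelling
    $regKey = $key -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    & reg.exe export $regKey $BackupPath /y | Out-Null

    foreach ($name in 'SDFlagsModify', 'SDFlagsSearch') {
        # Creates the DWORD value if it does not exist yet, overwrites it otherwise
        Set-ItemProperty -Path $key -Name $name -Value $SkipSaclFlags -Type DWord
    }

    # Read back: owner, group and DACL bits set, SACL bit clear
    $cfg = Get-ItemProperty -Path $key
    foreach ($name in 'SDFlagsModify', 'SDFlagsSearch') {
        $v = [int]$cfg.$name
        if (($v -band $SACL_SECURITY_INFORMATION) -ne 0 -or ($v -band $SkipSaclFlags) -ne $SkipSaclFlags) {
            throw ("{0} is 0x{1:X}, expected 0x7" -f $name, $v)
        }
        Write-Host ("{0} = 0x{1:X} (SACL bit clear)" -f $name, $v)
    }
    Write-Host "Previous key contents saved to $BackupPath"
}

Set-DsaSkipSacl
```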
**Registry Disclaimer: Quest software does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 Description of the Microsoft Windows registry: http://support.microsoft.com/default.aspx?kbid=256986.**
Alternatively, make the QMM service account a member of the BUILTIN\Administrators group in the target domain, which grants the rights needed to set the SACL.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.