Error: 'Security Descriptor on the directory server could not be modified'. (NETIQKB8971)

  • 7708971
  • 02-Feb-2007
  • 19-Jun-2007


Directory and Resource Administrator 6.x

Error: 'Security Descriptor on the directory server could not be modified'.


User's home directory is not being created.

The following event is generated on the Administration Server when performing a UserCopy or UserClone with the Automatically Create Home Directory policy enabled.

Event Type: Warning
Event Source: MCSAdminSvc
Event Category: (901)
Event ID: 18412
Date: 6/4/2002
Time: 9:28:16 AM
User: N/A
Computer: DRA server
A home directory, \\machine\L$\HOME\username, was created for the user, but the process could not be completed because the security descriptor on the directory could not be modified. The user was created.

This issue occurs when the parent directory has a large number of ACEs set on it: the same ACE for the Administrators group is repeated over and over.


To verify the cause of this issue, a utility such as DumpACL can be used to list the ACEs on the parent directory.  To correct this issue, the duplicate ACEs must be removed.  To remove the duplicate ACEs, perform the following:

  1. Go to the parent share directory in Windows Explorer.
  2. Right-click and select Properties.
  3. Select the Security tab.
  4. Click Add and add a bogus (placeholder) account to the directory's permissions.
  5. Click Apply and OK.
  6. Right-click the directory again and select Properties.
  7. Click the Security tab.
  8. Remove the bogus account that you just added.
  9. Click Apply and OK.
  10. Run the DumpACL utility on the directory again and confirm that the number of ACEs has been significantly reduced.

The native tools automatically remove the ACEs they detect as duplicates when the ACL is rewritten, which is why adding and then removing an account reduces the ACE count.
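The following PowerShell script is an added example (not part of the NetIQ article) that does the same count-and-collapse as the Explorer and DumpACL steps above: it reports the explicit ACEs on the parent directory, lists those that are exact duplicates, and with -Fix rewrites the DACL with one copy of each. The directory path is an assumption; the cmdlets are the standard Get-Acl and Set-Acl, and the script must run as an account that can write the directory's security descriptor.

```powershell
# Added example, not from the NetIQ article. Reports (and optionally collapses)
# duplicate explicit ACEs on the home-directory parent share.
param(
    [string]$Path = 'D:\HOME',   # assumed local path of the parent share; adjust it
    [switch]$Fix                 # without -Fix the script only reports
)

$acl = Get-Acl -Path $Path
# $true = include explicit ACEs, $false = skip inherited ones. Only explicit ACEs
# can be duplicated on this directory and only they can be removed here.
$rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

# Two ACEs are duplicates when every field that affects access is identical.
$groups = $rules | Group-Object -Property {
    '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.FileSystemRights,
        $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags
}
$dupes = $groups | Where-Object { $_.Count -gt 1 }

'Explicit ACEs on {0}: {1}' -f $Path, $rules.Count
foreach ($g in $dupes) {
    '  {0} copies of: {1}' -f $g.Count, $g.Name
}

if ($Fix -and $dupes) {
    # Drop every explicit ACE for each identity, then add back one copy of each
    # distinct ACE. Set-Acl then writes a canonical DACL in a single operation,
    # the same effect as the add/remove steps in Explorer.
    $identities = $rules | ForEach-Object { $_.IdentityReference } | Sort-Object -Unique
    foreach ($id in $identities) { $acl.PurgeAccessRules($id) }
    foreach ($g in $groups)      { $acl.AddAccessRule($g.Group[0]) }
    Set-Acl -Path $Path -AclObject $acl

    $after = (Get-Acl -Path $Path).GetAccessRules($true, $false,
        [System.Security.Principal.NTAccount]).Count
    'Rewrote DACL; explicit ACE count is now {0}' -f $after
}
```

Run it once without -Fix to confirm the duplicates are only the repeated Administrators entries before rewriting the DACL.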


Additional Information

Formerly known as NETIQKB8971