Error: 'Security Descriptor on the directory server could not be modified'. (NETIQKB8971)

fact
Directory and Resource Administrator 6.x

symptom
Error: 'Security Descriptor on the directory server could not be modified'.

symptom

User's home directory is not being created.

symptom
The following event is generated on the Administration Server when performing a UserCopy or UserClone with the Automatically create Home Directory Policy Enabled.

Event Type: Warning
Event Source: MCSAdminSvc
Event Category: (901)
Event ID: 18412
Date: 6/4/2002
Time: 9:28:16 AM
User: N/A
Computer: DRA server
Description:
A home directory, \\machine\L$\HOME\username, was created for the user, but the process could not be completed because the security descriptor on the directory could not be modified. The user was created.

cause
This issue is due to the parent directory having a large number of ACE's set.  The ACEs are duplicates of the Administrators group over and over again.

fix

To verify the cause of this issue, a utility such as DumpACL's can be utilized.  To correct this issue, the duplicate ACE entries must be removed.   To remove the duplicate ACE's, perform the following:

1. Go to the parent share directory in Windows Explorer.
   
2. Right-click and select Properties.
   
3. Select the Security tab.
   
4. Select ADD and add a bogus account to the security.
   
5. Click Apply and OK.
   
6. Right-click the directory again and select Properties.
   
7. Click the Security tab.
   
8. Remove the bogus account that you just added.
   
9. Click Apply and OK.
   
10. Run the dumpacl utility on the directory again and make sure that the number of ACEs has been significantly reduced.
    
11. Native tools should automatically remove the ACEs that it detects as duplicates so the number of ACEs should be reduced down.

 

Formerly known as NETIQKB8971