Resolution
Domain Migration Administrator 6.x
fact
Domain Migration Administrator 7.x
symptom
Error: 'Skipping translation of registry key HKEY_LOCAL_MACHINE\SOFTWARE...The registry key's security descriptor contains 39 ACEs, which exceeds the limit of 15 in Add mode'.
Error: 'E20117: Failed to resolve security for HKEY_CLASSES_ROOT registry key. Skipping to the other keys.'
symptom
Either error appears in the DCTlog.txt file on a computer with a failed local user profile translation.
cause
DMA enumerates the RAW DACL of each registry key. If there are currently 15 or more ACEs (Trustees), DMA does not attempt to translate security in Add mode because this doubles the number of ACEs on the registry hive ACL. A registry hive ACL with more than 30 ACEs can cause the Administrator to be locked out. DMA uses a safety measure that disables translation for registry ACLs with more than 15 ACEs.
Not all ACEs are viewable from the native Permissions interface or the Advanced permissions tab of the Permissions interface. Native tools typically collapse duplicate Trustee listings in the interface even though the RAW DACL actually holds them as separate entries. DMA does not collapse the duplicate Trustee entries before it determines the current number of ACEs.
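The following PowerShell sketch is an added example, not part of the original article or of DMA. It counts the ACEs stored in a DACL and compares that with the number of distinct trustees, which is the gap between the raw DACL and the collapsed view described above. The function name, the sample SDDL string and the placeholder key path are assumptions, and the page does not show DMA's own counting logic, so treat the result as an approximation.

```powershell
# Added example. Get-DaclAceSummary is a hypothetical helper name.
function Get-DaclAceSummary {
    param(
        [Parameter(Mandatory = $true)] [string] $Sddl,  # security descriptor in SDDL form
        [int] $Limit = 15                               # limit quoted in the DCTlog.txt error
    )

    # RawSecurityDescriptor keeps every ACE as a separate entry.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl

    $aces = @()
    if ($null -ne $sd.DiscretionaryAcl) {
        $aces = @($sd.DiscretionaryAcl)                 # one element per stored ACE
    }

    # Group by trustee SID: roughly what a collapsed permissions list shows.
    $byTrustee = @($aces | Group-Object -Property { $_.SecurityIdentifier.Value })

    [pscustomobject]@{
        AceCount         = $aces.Count
        DistinctTrustees = $byTrustee.Count
        RepeatedTrustees = @($byTrustee | Where-Object { $_.Count -gt 1 } |
                             ForEach-Object { $_.Name })
        # The error text says the count "exceeds the limit of 15".
        ExceedsLimit     = ($aces.Count -gt $Limit)
    }
}

# Constructed sample: 5 ACEs held for only 3 trustees
# (Administrators and Users each appear twice with different inheritance flags).
$sample = 'D:(A;;KA;;;BA)(A;CIIO;KA;;;BA)(A;;KR;;;BU)(A;CIIO;KR;;;BU)(A;;KA;;;SY)'
Get-DaclAceSummary -Sddl $sample

# Against a live key (replace the placeholder with the key named in DCTlog.txt):
# Get-DaclAceSummary -Sddl (Get-Acl -Path 'HKLM:\SOFTWARE\<key-from-log>').Sddl
```

A key whose AceCount is well above its DistinctTrustees is a candidate for the first workaround, since consolidating the repeated trustee entries lowers the count without removing anyone's access.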
fix
Consider the following workarounds to resolve this issue:
- Reduce the number of ACEs to 15 or fewer.
- Translate security in the Replace mode.
Translating security in Replace mode is recommended only if you plan for users to log on with only the new target user account. When translating security in Replace mode, source user accounts will no longer have access.
note
If you migrate user accounts using the Migrate Account SID (SID History) option, you can ignore this error because the target user account will still have access to the registry keys based on the account SID History.
Additional Information
For more information, see "How DMA Updates Access Control Entries" in Appendix C of the Domain Migration Administrator and Server Consolidator User Guide.