Resolution
fact
Domain Migration Administrator 7.x
symptom
Error: 'Can not process ou=container,o=organization because the ACL contains more than 55 ACEs. In add mode this may violate the limit of 110 ACEs enforced by exchange'.
symptom
An internal processing error has occurred: constraint violation. The value specified for an attribute is either too big, too small, or not valid.
Microsoft Exchange Directory.
symptom
A processing error occurs when translating security for Exchange mailboxes in 'Add' mode.
cause
Microsoft Exchange 5.5 has a limit of 110 access control entries (ACE's) per mailbox. If Domain Migration Administrator (DMA) tries to 'Add' access control entries beyond this limit, the operation will fail due to this limit. DMA provides this warning message instead of letting the process fail. If the above warning is received, then the effected ACL is left intact, except that the mailbox owner is changed to the target account.
fix
note
Only the objects that have an ACL with 56 or more ACE's will not be translated, but security will be translated for mailboxes that have less than 56 ACE's during the same pass. For example, if the Configuration object has 60 access control entries, but mailboxes have less than 56 ACE's, when you run the Translate Security for Exchange Mailboxes wizard, the mailboxes will be reACL'd with no error, but security will not be changed on the container, and the migration.log will record the container name in the error message that you reported.
note
note
Domain Migration Administrator 7.x
symptom
Error: 'Can not process ou=container,o=organization because the ACL contains more than 55 ACEs. In add mode this may violate the limit of 110 ACEs enforced by exchange'.
symptom
An internal processing error has occurred: constraint violation. The value specified for an attribute is either too big, too small, or not valid.
Microsoft Exchange Directory.
symptom
A processing error occurs when translating security for Exchange mailboxes in 'Add' mode.
cause
Microsoft Exchange 5.5 has a limit of 110 access control entries (ACE's) per mailbox. If Domain Migration Administrator (DMA) tries to 'Add' access control entries beyond this limit, the operation will fail due to this limit. DMA provides this warning message instead of letting the process fail. If the above warning is received, then the effected ACL is left intact, except that the mailbox owner is changed to the target account.
fix
There are a couple of possible workarounds:
- Reduce the number of access control entries to 55 or less.
- Perform the security translation for Exchange in 'Replace' mode. This option is only recommended if users will be logging on with the target accounts only. The source accounts will no longer have access if translation is performed in Replace mode.
note
Only the objects that have an ACL with 56 or more ACE's will not be translated, but security will be translated for mailboxes that have less than 56 ACE's during the same pass. For example, if the Configuration object has 60 access control entries, but mailboxes have less than 56 ACE's, when you run the Translate Security for Exchange Mailboxes wizard, the mailboxes will be reACL'd with no error, but security will not be changed on the container, and the migration.log will record the container name in the error message that you reported.
note
This limit is addressed in Microsoft article 235652
XADM: DS_E_CONSTRAINT_VIOLATION Error When Adding Many Accounts into the Permissions Tab
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b235652
note
DMA translates security on the following objects when you run the Translate Security for Exchange Mailboxes wizard:
- Exchange mailboxes
- Distribution lists
- Custom recipients
- Organizations
- Sites
- Public folders and containers, as well as the primary Windows NT account for each mailbox.
Additional Information
Formerly known as NETIQKB26427