Directory and Resource Administrator 7.5
Error: "Security Descriptor on the directory server could not be modified."
Error: "Could not modify security descriptor" when attempting to create or clone a user account.
When creating or cloning a user account, the home directory is created, however, the permissions on the directory have inherited permissions, and the newly-created user ACE does not get set.
An issue with the DACL and out-of-order ACEs causes Windows to create an excessive number of duplicate ACEs and exceed the size limitation for DRA.
To resolve this problem:
- Locate the directory in Windows Explorer.
- Right click the directory and select Properties.
- On the Security tab, add a new dummy trustee and click Apply.
- Remove the dummy trustee and click Apply.
During the process of applying the new security, native tools should automatically remove any ACEs detected as duplicates.
You can use a tool DumpSec to diagnose this problem. Download DumpSec from the following url: http://www.systemtools.com/somarsoft/