Error: Security Descriptor on the directory server could not be modified. (NETIQKB54020)

  • 7754020
  • 02-Feb-2007
  • 19-Jun-2007


Directory and Resource Administrator 7.5

Error: "Security Descriptor on the directory server could not be modified."

Error: "Could not modify security descriptor" when attempting to create or clone a user account.

When creating or cloning a user account, the home directory is created, but the permissions on the directory consist only of the ACEs inherited from the parent folder: the ACE for the newly created user is never added.


The DACL on the home directory (or its parent) contains out-of-order, non-canonical ACEs. When Windows rewrites such a DACL it generates an excessive number of duplicate ACEs, and the resulting security descriptor exceeds the size limit DRA can handle, so the write of the new user's ACE fails.


To resolve this problem:

  1. Locate the directory in Windows Explorer.
  2. Right click the directory and select Properties.
  3. On the Security tab, add a new dummy trustee and click Apply.
  4. Remove the dummy trustee and click Apply.

When the new security settings are applied, the native tools automatically remove any ACEs they detect as duplicates and write the DACL back in canonical order, which brings the security descriptor back under the size limit.
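The following PowerShell script is an added example and is not part of the NetIQ article. It reports duplicate and non-canonical ACEs on a home directory before and after the fix, and performs steps 3 and 4 above with icacls.exe instead of Explorer. The path C:\Home\jdoe and the use of BUILTIN\Guests as the dummy trustee are assumptions for the example; substitute your own directory and an account or group that does not otherwise need access.

```powershell
# Added example (not from the NetIQ article): diagnose a home directory's DACL for
# duplicate or out-of-order (non-canonical) ACEs, then repeat the article's
# dummy-trustee apply/remove steps with icacls.exe so Windows rewrites the DACL.
# $Path and the BUILTIN\Guests dummy trustee are assumptions for this example.
param(
    [string]$Path  = 'C:\Home\jdoe',    # hypothetical home directory
    [string]$Dummy = 'BUILTIN\Guests'   # any trustee that does not otherwise need access
)

function Test-DirectoryDacl {
    param([string]$Directory)
    $acl  = Get-Acl -LiteralPath $Directory
    $seen = @{}
    $dups = @()
    foreach ($ace in $acl.Access) {
        # Two ACEs are duplicates when every field Windows compares is identical.
        $key = '{0}|{1}|{2}|{3}|{4}|{5}' -f $ace.IdentityReference, $ace.FileSystemRights,
               $ace.AccessControlType, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.IsInherited
        if ($seen.ContainsKey($key)) { $dups += $ace } else { $seen[$key] = $true }
    }
    [pscustomobject]@{
        Path          = $Directory
        AceCount      = $acl.Access.Count
        DuplicateAces = $dups
        # Canonical order is: explicit Deny, explicit Allow, then the inherited ACEs.
        IsCanonical   = $acl.AreAccessRulesCanonical
        # An ACL's size field is 16 bits wide, so the whole DACL must stay under 64 KB.
        SdBytes       = $acl.GetSecurityDescriptorBinaryForm().Length
    }
}

function Repair-DirectoryDacl {
    param([string]$Directory, [string]$Trustee)
    # Steps 3 and 4 of the article, done with a native tool instead of Explorer.
    # .NET's AddAccessRule/Set-Acl refuses to modify a non-canonical DACL
    # ("This access control list is not in canonical order"), so icacls is used.
    & icacls.exe $Directory /grant "${Trustee}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }
    & icacls.exe $Directory /remove $Trustee | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /remove failed with exit code $LASTEXITCODE" }
}

$before = Test-DirectoryDacl -Directory $Path
$before | Format-List
if ($before.DuplicateAces.Count -gt 0 -or -not $before.IsCanonical) {
    Repair-DirectoryDacl -Directory $Path -Trustee $Dummy
    # Re-check: duplicates should be gone and IsCanonical should now be True.
    Test-DirectoryDacl -Directory $Path | Format-List
}
```

Run the script as an account with WRITE_DAC on the directory (or as a member of Administrators). If DuplicateAces is empty and IsCanonical is already True before the repair, the failure has a different cause and this procedure will not help.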

You can use the DumpSec tool to inspect the directory's DACL and confirm the duplicate ACEs. Download DumpSec from the following URL:

Additional Information

Formerly known as NETIQKB54020