Error While Propagating Permissions: "Unable to save permission changes on <object>. A constraint violation occurred."

Article ID: 2001769

Symptoms

When you propagate the permissions on an object such as an organizational unit (OU), group, user, or computer in Active Directory, you may receive the following error:

Unable to save permission changes on ObjectName. A constraint violation occurred.

Every 30 minutes the following event may appear in the Directory Services log on the domain controller:

Event Type:  Error
Event Source:  NTDS SDPROP
Event Category:  Internal Processing
Event ID:  1450
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer:  <computer name>
Description:
The security descriptor propagation task could not calculate a new security descriptor for the following object.
 
Object:
<distinguished name (DN) of object>
 
This operation will be tried again later.
 
User Action
If this condition continues, attempt to view the status of this object and manually change the security descriptor.
 
Additional Data
Error value:
1340 The inherited access control list (ACL) or access control entry (ACE) could not be built.

You may also see the following event:

Event Type:  Error
Event Source:  NTDS SDPROP
Event Category:  Internal Processing
Event ID:  1450
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer:  <computer name>
Description:
The security descriptor propagation task could not calculate a new security descriptor for the following object.
 
Object:
<distinguished name (DN) of object>
 
This operation will be tried again later.
 
User Action
If this condition continues, attempt to view the status of this object and manually change the security descriptor.
 
Additional Data
Error value:
53c %3

Cause

This happens when the size of the Access Control List (ACL) on the object exceeds 64 KB, which corresponds to approximately 1,820 Access Control Entries (ACEs), depending on the size of the individual ACEs.

Resolution

To resolve this issue, remove entries from the ACL to reduce its size. To determine whether the errors are caused by the ACL size, run the following command to dump the ACEs on the object:

dsacls <DN of the problematic object>

For more information on the Dsacls tool, click the following article number to view the article in the Microsoft Knowledge Base:

281146 How to Use Dsacls.exe in Windows Server 2003 and Windows 2000

You can also use the LDP tool to view the security descriptor and its size. LDP is available in the Windows 2000 Server and Windows Server 2003 Support Tools. It is also available in the Remote Server Administration Tools (RSAT) for Windows Server 2008 and Windows Server 2008 R2 when the AD DS and AD LDS tools for the Role Administration Tools are installed.

941314 Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1

To view the security descriptor size using the LDP tool:

  1. Launch LDP.exe.
  2. Choose Connect from the Connection menu and type the name of a domain controller on which the <distinguished name (DN) of object> exists.
  3. Choose Bind from the Connect menu to log on using administrative credentials. If the currently logged-on user has administrative rights, the credentials may be left blank.
  4. Choose Security from the Browse menu and then choose Security.
  5. Type the <distinguished name (DN) of object>, choose text dump, and click OK. The security descriptor is now displayed in the right pane.

If the security descriptor is long, the output may scroll out of view. The Ace[# of ACE] entries reveal the number of entries in the ACL: add one to the index of the last visible entry to obtain the total number of ACEs. Alternatively, you can view the whole security descriptor after configuring LDP with a sufficient number of lines.

To increase the number of lines in the right pane of LDP:

  1. Choose General from the Options menu.
  2. In the buffer size section, type the number of lines required, such as 2048.
  3. Repeat steps 4 and 5 above to view the security descriptor.

You will then see output like the following.

Security Descriptor:
SD Revision: 1
SD Control:  0x8c04
  SE_DACL_PRESENT
  SE_DACL_AUTO_INHERITED
  SE_SACL_AUTO_INHERITED
  SE_SELF_RELATIVE
Owner: Contoso\AdminGuy [S-1-5-21-2127521184-1604012920-1887927527-25455]
Group: Contoso\Domain Users [S-1-5-21-2127521184-1604012920-1887927527-513]
DACL:
 Revision      4
 Size:         12236 bytes
 # Aces:       210
 Ace[0]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes

The Size entry shown above, under DACL, gives the size of the ACL in bytes; this is the value to compare against the 64 KB limit described in the Cause section.
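As an added example, not part of this article or of any Microsoft tool, the following parser walks a self-relative security descriptor (the binary form of the nTSecurityDescriptor attribute that LDP decodes above) using the documented SECURITY_DESCRIPTOR, ACL and ACE layouts, and reports the DACL size, the ACE count, the per-ACE types and sizes, and how many more ACEs of the same average size still fit under the 16-bit AclSize ceiling that produces the 64 KB limit. The descriptor it builds is constructed test data that mirrors the dump above (control 0x8c04, DACL revision 4, 56-byte object ACEs); the SIDs and access mask are made up.

```python
import struct

# Security descriptor control bits (winnt.h) that the LDP dump above decodes.
SD_CONTROL_FLAGS = {0x0004: "SE_DACL_PRESENT", 0x0400: "SE_DACL_AUTO_INHERITED",
                    0x0800: "SE_SACL_AUTO_INHERITED", 0x8000: "SE_SELF_RELATIVE"}
ACE_TYPES = {0x0: "ACCESS_ALLOWED_ACE_TYPE", 0x1: "ACCESS_DENIED_ACE_TYPE",
             0x5: "ACCESS_ALLOWED_OBJECT_ACE_TYPE", 0x6: "ACCESS_DENIED_OBJECT_ACE_TYPE"}
# AclSize is a 16-bit field, so 65,535 bytes is the hard ceiling: the "64 KB" of the Cause section.
ACL_MAX_BYTES = 0xFFFF

def parse_dacl(sd):
    """Walk a self-relative security descriptor and report the DACL's size and ACE inventory."""
    _rev, _sbz, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    flags = [name for bit, name in SD_CONTROL_FLAGS.items() if control & bit]
    if not (control & 0x0004) or off_dacl == 0:
        return {"control": flags, "dacl": None}          # no DACL present
    acl_rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    aces, pos = [], off_dacl + 8                         # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        aces.append((ACE_TYPES.get(ace_type, hex(ace_type)), ace_size))
        pos += ace_size                                  # AceSize covers header, mask, GUIDs and SID
    headroom = ACL_MAX_BYTES - acl_size
    avg = acl_size // ace_count if ace_count else 0
    return {"control": flags, "dacl": {"revision": acl_rev, "size": acl_size, "ace_count": ace_count,
                                       "aces": aces, "headroom": headroom,
                                       "aces_left": headroom // avg if avg else None}}

# --- constructed sample data; the SIDs and access mask are invented, not from a real directory ---
def nt_sid(*subs):
    """Binary SID under the NT authority (S-1-5-...): revision, count, 6-byte authority, subauthorities."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in subs)

def object_ace(mask, sid):
    """ACCESS_ALLOWED_OBJECT_ACE carrying one object-type GUID: 4 + 4 + 4 + 16 + len(sid) bytes."""
    body = struct.pack("<II", mask, 0x1) + b"\x00" * 16 + sid   # flags 0x1 = ACE_OBJECT_TYPE_PRESENT
    return struct.pack("<BBH", 0x5, 0x0, 4 + len(body)) + body

def sample_sd(n_aces):
    """Self-relative SD (control 0x8c04, DACL revision 4) holding n_aces identical 56-byte object ACEs."""
    owner = nt_sid(21, 2127521184, 1604012920, 1887927527, 25455)
    group = nt_sid(21, 2127521184, 1604012920, 1887927527, 513)
    acl_body = object_ace(0x10, owner) * n_aces
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(acl_body), n_aces, 0) + acl_body  # fails past 0xFFFF
    off_owner, off_group = 20, 20 + len(owner)
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8C04, off_owner, off_group, 0, off_group + len(group))
    return hdr + owner + group + dacl
```

Feeding the parser a real descriptor (for example the raw nTSecurityDescriptor bytes returned by an LDAP query) gives the same Size and # Aces figures LDP prints, plus the remaining headroom before SDPROP can no longer rebuild the inherited ACL.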

More Information

For more information about security descriptors, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc781716(WS.10).aspx

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2001769 - Last Review: September 25, 2009 - Revision: 6.0
APPLIES TO
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition KN
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Standard Edition KN
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
Keywords: KB2001769
