"Unable to save permission changes" when you propagate permissions


Symptoms


When you propagate the permissions on an object such as an organizational unit (OU), group, user, or computer in Active Directory, you may receive the following error message:

Every 30 minutes, the following event may appear in the Directory Services log on the domain controller:


You may also see the following event in the log:

Cause


This issue occurs because the size of the Access Control List (ACL) on the object exceeds 64 KB, which corresponds to approximately 1,820 Access Control Entries (ACEs), depending on the size of the individual ACEs.

Resolution


To resolve this issue, remove entries from the ACL to reduce its size. You can run the following command to dump the ACEs of the object to determine if the errors are a result of an ACL size issue:

dsacls DistinguishedNameOfTheProblematicObject

For more information about the Dsacls tool, see the following Microsoft Knowledge Base article:

281146 How to Use Dsacls.exe in Windows Server 2003 and Windows 2000

You can also use the LDP tool to view the security descriptor and its size. LDP is available in the Windows 2000 Server and Windows Server 2003 Support Tools. It is also available in the Remote Server Administration Tools (RSAT) for Windows Server 2008 and Windows Server 2008 R2 when the AD DS and AD LDS tools for the Role Administration Tools are installed. For more information, see the following article:

941314 Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1

To view the security descriptor size by using the LDP tool:

  1. Launch LDP.exe.
  2. Choose Connect from the Connection menu, and then type the name of a domain controller that holds the object whose distinguished name (DN) you want to examine.
  3. Choose Bind from the Connect menu to log on by using administrative credentials. If the currently logged-on user has administrative rights, you can leave the credentials blank.
  4. Choose Security from the Browse menu, and then select Security.
  5. Type the distinguished name (DN) of the object, choose text dump, and then click OK. The security descriptor will now appear in the right pane.

If the security descriptor is long, the output may scroll out of view. The Ace[# of ACE] entries reveal the number of entries in the ACL: add 1 to the number of the last visible entry to determine the total number of ACEs. Alternatively, you can view the whole security descriptor after you configure LDP to display a sufficient number of lines.

To increase the number of lines in the right pane of LDP:

  1. Choose General from the Options menu.
  2. In the Buffer size section, type a number of lines, such as 2048, or whatever value the length of the output requires.
  3. Repeat steps 4-5 in the previous procedure to view the security descriptor.

You will then see output like this:

The size entry shown here reveals the size of the security descriptor.
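The 64 KB ceiling in the Cause section and the size and Ace[#] entries that LDP's text dump reports both follow from the binary layout of a self-relative security descriptor. The following Python example is added here and is not part of the article: it builds a constructed descriptor whose DACL holds ACCESS_ALLOWED ACEs for a made-up domain SID, reads back the size and ACE count the way LDP shows them, and flags descriptors that exceed the limit; the SID, access mask and ACE counts are assumptions for illustration only.

```python
import struct

SD_LIMIT = 64 * 1024          # 64 KB security descriptor ceiling discussed in the Cause section
SE_DACL_PRESENT = 0x0004      # Control flags from the SECURITY_DESCRIPTOR header
SE_SELF_RELATIVE = 0x8000

def sid_bytes(revision, authority, subauths):
    """Pack a SID as stored inside an ACE: revision, count, 6-byte authority, sub-authorities."""
    return (struct.pack("<BB", revision, len(subauths)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))

def access_allowed_ace(mask, sid):
    """ACCESS_ALLOWED_ACE: type 0, flags 0, AceSize, access mask, trustee SID."""
    return struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid

def self_relative_sd(aces):
    """Self-relative SECURITY_DESCRIPTOR carrying only a DACL (owner, group and SACL offsets are 0)."""
    acl_body = b"".join(aces)
    if 8 + len(acl_body) > 0xFFFF:
        # AclSize is a 16-bit field, so the ACL itself can never exceed 64 KB
        raise ValueError("DACL does not fit the 16-bit AclSize field")
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl

def inspect_sd(sd):
    """Return (size, ace_count, over_limit), the figures LDP's text dump lets you read off."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_offset = struct.unpack_from("<I", sd, 16)[0]
    ace_count = 0
    if control & SE_DACL_PRESENT and dacl_offset:
        ace_count = struct.unpack_from("<H", sd, dacl_offset + 4)[0]   # AceCount sits 4 bytes into the ACL
    return len(sd), ace_count, len(sd) > SD_LIMIT

def approx_max_aces(ace_len):
    """Rough ceiling quoted in the article: 64 KB divided by one typical ACE size."""
    return SD_LIMIT // ace_len

if __name__ == "__main__":
    # Constructed domain SID S-1-5-21-1000-2000-3000-1105 (5 sub-authorities, 28 bytes)
    sid = sid_bytes(1, 5, [21, 1000, 2000, 3000, 1105])
    ace = access_allowed_ace(0x000F01FF, sid)        # 36-byte ACE with a full-control mask
    print("typical ACE size:", len(ace), "-> approx max ACEs:", approx_max_aces(len(ace)))
    for count in (10, 1820):
        size, aces, over = inspect_sd(self_relative_sd([ace] * count))
        print(f"{aces} ACEs -> descriptor size {size} bytes, over 64 KB: {over}")
```

With a 36-byte ACE, 64 KB divided by the ACE size gives the article's figure of about 1,820 ACEs, and a DACL of 1,820 such ACEs already pushes the descriptor past the limit once the headers are counted.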

More Information


For more information about security descriptors, visit the following Microsoft website:

How Security Descriptors and Access Control Lists Work