Article ID: 2001769 - View products that this article applies to.
When you propagate the permissions on an object such as an organizational unit (OU), group, user, or computer in Active Directory, you may receive the following error:
Unable to save permission changes on ObjectName. A constraint violation occurred.
Every 30 minutes the following event may appear in the Directory Services log on the domain controller:
Event Type: Error
You may also see the following event:
Event Type: Error
This will happen when the Access Control List (ACL) size on the object exceeds 64 KB, or approximately 1,820 Access Control Entries (ACEs) depending on the size of the ACEs.
To resolve this issue, remove entries from the ACL to reduce its size. You can run the following command to dump the ACEs of the object to determine if the errors are a result of an ACL size issue:
dsacls <DN of the problematic object>
For more information on the Dsacls tool, click the following article number to view the article in the Microsoft Knowledge Base:
281146 How to Use Dsacls.exe in Windows Server 2003 and Windows 2000
You can also use the LDP tool to view the security descriptor and its size. LDP is available in the Windows 2000 Server and Windows Server 2003 Support Tools. It is also available in the Remote Server Administration Tools (RSAT) for Windows Server 2008 and Windows Server 2008 R2 when the AD DS and AD LDS tools for the Role Administration Tools are installed.
941314 Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1
To view the security descriptor size using the LDP tool:
If the security descriptor is indeed long, this may scroll. The Ace[# of ACE] type entries reveal the number of entries in the ACL. Add one to the last visible entry to determine the total number of ACE entries. Otherwise you can choose to view the security descriptor in full after configuring LDP with sufficient lines.
To increase the number of lines on right pane of LDP:
You will then see output as below.
The size entry shown above reveals the size of the security descriptor.
For more information about security descriptors, visit the following Microsoft Web site:
(http://go.microsoft.com/fwlink/?LinkId=151500)for other considerations.
Article ID: 2001769 - Last Review: September 25, 2009 - Revision: 6.0