Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Error While Propagating Permissions: "Unable to save permission changes on <object>. A constraint violation occurred."



Symptoms

When you propagate the permissions on an object such as an organizational unit (OU), group, user, or computer in Active Directory, you may receive the following error:

Unable to save permission changes on ObjectName. A constraint violation occurred.

Every 30 minutes the following event may appear in the Directory Services log on the domain controller:

Event Type:  Error
Event Source:  NTDS SDPROP
Event Category:  Internal Processing
Event ID:  1450
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer:  <computer name>
Description:
The security descriptor propagation task could not calculate a new security descriptor for the following object.
 
Object:
<distinguished name (DN) of object>
 
This operation will be tried again later.
 
User Action
If this condition continues, attempt to view the status of this object and manually change the security descriptor.
 
Additional Data
Error value:
1340 The inherited access control list (ACL) or access control entry (ACE) could not be built.

You may also see the same event with the error value shown in hexadecimal and its message text left unresolved (0x53C is decimal 1340, ERROR_BAD_INHERITANCE_ACL; "%3" is an insertion string that the event log could not expand):

Event Type:  Error
Event Source:  NTDS SDPROP
Event Category:  Internal Processing
Event ID:  1450
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer:  <computer name>
Description:
The security descriptor propagation task could not calculate a new security descriptor for the following object.
 
Object:
<distinguished name (DN) of object>
 
This operation will be tried again later.
 
User Action
If this condition continues, attempt to view the status of this object and manually change the security descriptor.
 
Additional Data
Error value:
53c %3



Cause

This happens when the size of the discretionary Access Control List (ACL) on the object exceeds 64 KB. The ACL header stores its length in a 16-bit field, so 65,535 bytes is a hard limit. How many Access Control Entries (ACEs) fit depends on their size: a plain ACCESS_ALLOWED_ACE for a domain account (a 28-byte SID) is 36 bytes, which gives roughly 1,820 ACEs; object-specific ACEs that carry one or two GUIDs (56 bytes in the sample below) are larger, so the limit is reached with correspondingly fewer entries.



Resolution

To resolve this issue, remove entries from the ACL to reduce its size. Entries flagged as inherited are rebuilt from the inheritable ACEs on the parent containers each time the security descriptor propagator runs, so those must be removed (or made non-inheritable) on the parent, not on the affected object. You can run the following command to list the ACEs on the object and determine whether the errors are the result of an oversized ACL:

dsacls <DN of the problematic object>

For more information on the Dsacls tool, click the following article number to view the article in the Microsoft Knowledge Base:

281146 How to Use Dsacls.exe in Windows Server 2003 and Windows 2000

You can also use the LDP tool to view the security descriptor and its size. LDP is available in the Windows 2000 Server and Windows Server 2003 Support Tools. It is also available in the Remote Server Administration Tools (RSAT) for Windows Server 2008 and Windows Server 2008 R2 when the AD DS and AD LDS tools for the Role Administration Tools are installed.

941314 Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1

To view the security descriptor size using the LDP tool:

  1. Launch LDP.exe.
  2. Choose Connect from the Connection menu and type the name of a domain controller that holds the <distinguished name (DN) of object>.
  3. Choose Bind from the Connection menu to log on with administrative credentials. If the currently logged-on user already has administrative rights, the credential fields may be left blank.
  4. Choose Security from the Browse menu and then choose Security Descriptor.
  5. Type the <distinguished name (DN) of object>, select Text dump, and click OK. The security descriptor is displayed in the right pane.

If the security descriptor is long, the output scrolls out of the pane. The "# Aces" line under DACL states the number of entries directly; if it has already scrolled away, the Ace[n] headers are zero-based, so add one to the last visible index to get the total. Alternatively, enlarge the LDP buffer so that the whole descriptor fits and view it in full.

To increase the number of lines on right pane of LDP:

  1. Choose General from Options menu.
  2. Type number of lines such as 2048 or as required in number of lines in buffer size section.
  3. Repeat steps 4 and 5 above to view the security descriptor.

You will then see output as below.

Security Descriptor:
SD Revision: 1
SD Control:  0x8c04
  SE_DACL_PRESENT
  SE_DACL_AUTO_INHERITED
  SE_SACL_AUTO_INHERITED
  SE_SELF_RELATIVE
Owner: Contoso\AdminGuy [S-1-5-21-2127521184-1604012920-1887927527-25455]
Group: Contoso\Domain Users [S-1-5-21-2127521184-1604012920-1887927527-513]
DACL:
 Revision      4
 Size:         12236 bytes
 # Aces:       210
 Ace[0]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes

The Size line under DACL is the size of the DACL itself, which is the value that is limited to 65,535 bytes. In the sample above the DACL is 12,236 bytes for 210 ACEs (about 58 bytes each), well under the limit; an object that triggers the error has a DACL approaching 64 KB.
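The following PowerShell function is an added example and is not part of this KB article or a Microsoft tool. It reads an object's security descriptor through ADSI (DirectoryEntry.ObjectSecurity, so no RSAT is required), parses the self-relative descriptor and ACL headers directly, and reports the DACL size and ACE count against the 65,535-byte ceiling, including how many ACEs are inherited, which tells you how much can be trimmed on the object itself versus on its parents. The function name Measure-AdDacl, the property names it returns, and the SDDL string used for the offline run are assumptions made here for illustration.

```powershell
# Added example, not from KB 2001769: measure an AD object's DACL against the 64 KB ACL ceiling.
# Layout references: MS-DTYP 2.4.6 (SECURITY_DESCRIPTOR), 2.4.5 (ACL), 2.4.4.1 (ACE_HEADER).
function Measure-AdDacl {
    [CmdletBinding(DefaultParameterSetName = 'Dn')]
    param(
        # Distinguished name of the object to inspect (live lookup through ADSI)
        [Parameter(ParameterSetName = 'Dn', Mandatory = $true)]
        [string]$DistinguishedName,
        # Raw self-relative security descriptor bytes (for offline analysis)
        [Parameter(ParameterSetName = 'Bytes', Mandatory = $true)]
        [byte[]]$SecurityDescriptor
    )

    if ($PSCmdlet.ParameterSetName -eq 'Dn') {
        $entry = [ADSI]"LDAP://$DistinguishedName"
        $SecurityDescriptor = $entry.ObjectSecurity.GetSecurityDescriptorBinaryForm()
    }
    $sd = $SecurityDescriptor

    # SECURITY_DESCRIPTOR header (little-endian):
    # Revision(1) Sbz1(1) Control(2) OffsetOwner(4) OffsetGroup(4) OffsetSacl(4) OffsetDacl(4)
    $control    = [BitConverter]::ToUInt16($sd, 2)
    $offsetDacl = [int][BitConverter]::ToUInt32($sd, 16)
    if (($control -band 0x0004) -eq 0 -or $offsetDacl -eq 0) {   # SE_DACL_PRESENT not set
        throw ("No DACL present (SD control = 0x{0:x4})" -f $control)
    }

    # ACL header: AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2)
    # AclSize is a USHORT, which is why an ACL can never exceed 65,535 bytes.
    $aclSize  = [BitConverter]::ToUInt16($sd, $offsetDacl + 2)
    $aceCount = [BitConverter]::ToUInt16($sd, $offsetDacl + 4)

    # Walk the ACE list; every ACE starts with AceType(1) AceFlags(1) AceSize(2)
    $pos       = $offsetDacl + 8
    $inherited = 0
    $largest   = 0
    for ($i = 0; $i -lt $aceCount; $i++) {
        $aceFlags = $sd[$pos + 1]
        $aceSize  = [BitConverter]::ToUInt16($sd, $pos + 2)
        if ($aceFlags -band 0x10) { $inherited++ }      # INHERITED_ACE: owned by a parent's inheritable ACE
        if ($aceSize -gt $largest) { $largest = $aceSize }
        $pos += $aceSize
    }

    $limit    = 65535
    $avg      = if ($aceCount -gt 0) { ($aclSize - 8) / $aceCount } else { 0 }
    $headroom = if ($avg -gt 0) { [math]::Floor(($limit - $aclSize) / $avg) } else { $null }

    [pscustomobject]@{
        DaclSizeBytes   = $aclSize
        AceCount        = $aceCount
        InheritedAces   = $inherited            # must be fixed on the parent containers
        ExplicitAces    = $aceCount - $inherited # removable on the object itself
        LargestAceBytes = $largest
        AverageAceBytes = [math]::Round($avg, 1)
        PercentOfLimit  = [math]::Round(100 * $aclSize / $limit, 1)
        AcesUntilLimit  = $headroom             # more ACEs of the current average size before 64 KB
    }
}

# Offline run on a constructed descriptor (two explicit ACEs, built from an SDDL string made up here)
# so the parser can be exercised without a domain controller.
$raw   = New-Object System.Security.AccessControl.RawSecurityDescriptor 'O:BAG:SYD:(A;;GA;;;SY)(A;;GR;;;BA)'
$bytes = New-Object byte[] $raw.BinaryLength
$raw.GetBinaryForm($bytes, 0)
Measure-AdDacl -SecurityDescriptor $bytes
```

On a domain controller or domain-joined administrative workstation, run `Measure-AdDacl -DistinguishedName '<DN of the problematic object>'` instead of the offline sample. PercentOfLimit and AcesUntilLimit show how close the object is to the ceiling; if InheritedAces dominates, the inheritable entries on the ancestors are what has to be cleaned up, because the propagator will otherwise rebuild them on the object.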



More information

For more information about security descriptors, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc781716(WS.10).aspx



Keywords: KB2001769


Article Info
Article ID : 2001769
Revision : 6
Created on : 9/25/2009
Published on : 9/25/2009
Exists online : False