Event ID: 1450 Source: NTDSSDPROP

Description
While processing security descriptor propagation, the directory service failed to calculate a new security descriptor for object CN=All Employees,CN=Users,DC=company,DC=com (error <error code>).
Comments
 
See the link to "EventID 1450 from source Active Directory" for information about this event.
Error: 0x7a (Decimal 122) = "The data area passed to a system call is too small." - From a newsgroup post: "The usual cause for this is that the resultant security descriptor would have a DACL larger than 64kb, which is the architectural limit on ACL size (since internal offsets are shorts). Use your favorite tool to bring up the security UI on both the object (Iviewcopy) and its parent (FinancialAccounts), and be sure to go into the Advanced view. You will likely see either an enormous number of inheritable ACEs on the parent, or an enormous number of explicit ACEs on the object, or both. You need to remove some of those ACEs. Most cases I've seen of this it's been from badly behaved applications that keep shoving redundant ACEs into the ACL, making it pretty easy to determine which ones can be removed."

Error: 0x3f0 (Decimal 1008) = "An attempt was made to reference a token that does not exist." - This problem occurs because the object that the event message refers to has a security descriptor with an empty owner value. The security descriptor propagator cannot correct the problem and remove the object from its queue. See ME328422.

Error: 0x53a (Decimal 1338) = "The security descriptor structure is invalid." - From a newsgroup post: "The object noted in the event was not properly permissioned when imported into your Windows 2000 AD. This created an object in the AD whose permissions list does not permit the SDPROP service to check or correct its security descriptor. The object was subsequently deleted, and since you cannot modify deleted objects the only solution is to wait for the deleted object to expire per the tombstone lifetime (60 days) on the AD before it is purged from the directory. In another case...
1. On the groups causing the event the system account had been removed from the ACL
2. On the OUs we have to recreate a new ACL by unchecking "allow inheritable permissions", choosing to copy the perms. We did this on the parent OU and all child OUs"

Error: 0x53c (Decimal 1340) = "The inherited access control list (ACL) or access control entry (ACE) could not be built" - From a newsgroup post, this may be an indication of a bad ACE in the ACL. Edit the security on that object via the UI, and it will likely fix it. In one case, there were 1800 ACEs in the ACL. Since the maximum security descriptor size is 64k, that large number of ACEs would cause the failure.
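
As an added example (not from the original page or the quoted posts), this Python sketch walks a self-relative security descriptor, such as the raw bytes of an object's nTSecurityDescriptor attribute, and reports what the comments above point to: DACL size against the 64 KB ceiling, duplicate ACEs, and a missing owner. The helper names, SIDs and access masks are constructed for illustration; treating an owner offset of 0 as the "empty owner" and byte-identical ACEs as "redundant" are assumptions of this example.

```python
import struct
from collections import Counter

MAX_ACL_BYTES = 0xFFFF  # AclSize is a 16-bit field, hence the 64 KB ceiling

def audit_sd(sd: bytes) -> dict:
    """Report DACL size, duplicate ACEs and owner presence for a self-relative SD."""
    # SECURITY_DESCRIPTOR header: Revision, Sbz1, Control, then four 32-bit offsets
    _, _, _, off_owner, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    report = {"owner_present": off_owner != 0, "dacl_bytes": 0, "ace_count": 0,
              "redundant_aces": 0, "headroom": MAX_ACL_BYTES}
    if off_dacl == 0:                       # no DACL stored in this descriptor
        return report
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, seen = off_dacl + 8, Counter()
    for _ in range(ace_count):
        _, _, ace_size = struct.unpack_from("<BBH", sd, pos)   # AceType, AceFlags, AceSize
        if ace_size < 4 or pos + ace_size > off_dacl + acl_size:
            raise ValueError("malformed ACE: size runs outside the ACL")
        seen[sd[pos:pos + ace_size]] += 1   # assumption: redundant = byte-identical ACE
        pos += ace_size
    report.update(dacl_bytes=acl_size, ace_count=ace_count,
                  redundant_aces=sum(n - 1 for n in seen.values()),
                  headroom=MAX_ACL_BYTES - acl_size)
    return report

# --- constructed sample data (hypothetical helpers, not a real directory object) ---
def make_sid(*subauths, authority=5):
    return (struct.pack("<BB", 1, len(subauths)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))

def allow_ace(sid, mask, flags=0):
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", 0, flags, 4 + len(body)) + body   # type 0 = ACCESS_ALLOWED

def build_sample_sd(aces, owner=b""):
    body = b"".join(aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 20 if owner else 0, 0, 0, 20 + len(owner))
    return header + owner + dacl

ADMINS, USERS = make_sid(32, 544), make_sid(32, 545)     # S-1-5-32-544 / S-1-5-32-545
# One legitimate ACE plus 40 copies of the same grant, as a misbehaving application might write
SAMPLE_SD = build_sample_sd([allow_ace(ADMINS, 0xF01FF)] + [allow_ace(USERS, 0x20094)] * 40,
                            owner=ADMINS)

if __name__ == "__main__":
    print(audit_sd(SAMPLE_SD))
```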
