|Source: NTDS SDPROP|
While processing security descriptor propagation, the directory service failed to calculate a new security descriptor for object CN=All Employees,CN=Users,DC=company,DC=com (error <error code>).
|Concepts to understand:|
What is NTDS and what are the roles of its components?
What is a security descriptor?
What is a directory service?
See the link to "EventID 1450 from source Active Directory" for information about this event.
Error: 0x7a (Decimal 122) = "The data area passed to a system call is too small." - From a newsgroup post: "The usual cause for this is that the resultant security descriptor would have a DACL larger than 64kb, which is the architectural limit on ACL size (since internal offsets are shorts). Use your favorite tool to bring up the security UI on both the object (Iviewcopy) and its parent (FinancialAccounts), and be sure to go into the Advanced view. You will likely see either an enormous number of inheritable ACEs on the parent, or an enormous number of explicit ACEs on the object, or both. You need to remove some of those ACEs. Most cases I've seen of this it's been from badly behaved applications that keep shoving redundant ACEs into the ACL, making it pretty easy to determine which ones can be removed."
Error: 0x3f0 (Decimal 1008) = "An attempt was made to reference a token that does not exist." - This problem occurs because the object that the event message refers to has a security descriptor with an empty owner value. The security descriptor propagator cannot correct the problem and remove the object from its queue. See ME328422.
Error: 0x53a (Decimal 1338) = "The security descriptor structure is invalid." - From a newsgroup post: "The object noted in the event was not properly permissioned when imported into your Windows 2000 AD. This created an object in the AD whose permissions list does not permit the SDPROP service to check or correct its security descriptor. The object was subsequently deleted, and since you cannot modify deleted objects the only solution is to wait for the deleted object to expire per the tombstone lifetime (60 days) on the AD before it is purged from the directory. In another case...
1. On the groups causing the event the system account had been removed from
2. On the OUs we have to recreate a new ACL by unchecking "allow inheritable permissions", choosing to copy the perms. We did this on the parent OU and all child OUs"
Error: 0x53c (Decimal 1340) = "The inherited access control list (ACL) or access control entry (ACE) could not be built" - From a newsgroup post: this may be an indication of a bad ACE in the ACL. Edit the security on that object via the UI, and it will likely fix it. In one case, there were 1800 ACEs in the ACL. Since the maximum security descriptor size is 64k, that large number of ACEs would cause the failure.
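The checks these entries describe, as an added example that is not from the original page or the quoted newsgroup posts: a Python parser for a self-relative security descriptor (the raw nTSecurityDescriptor bytes) that reports an empty owner, the DACL size against the 64 KB limit, and byte-identical redundant ACEs. The function names, the 80% warning threshold and the sample descriptors are assumptions constructed for illustration.

```python
import struct
from collections import Counter

ACL_LIMIT = 0xFFFF  # AclSize is a 16-bit field, hence the 64 KB ceiling

def audit_sd(sd: bytes, warn_ratio: float = 0.8) -> dict:
    """Audit a self-relative security descriptor (raw nTSecurityDescriptor bytes)."""
    if len(sd) < 20:
        raise ValueError("shorter than the 20-byte descriptor header")
    # Header: Revision, Sbz1, Control, then offsets to Owner, Group, SACL, DACL
    _, _, _, off_owner, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    report = {"owner_missing": off_owner == 0, "dacl_size": 0,
              "ace_count": 0, "redundant_aces": 0, "near_limit": False}
    if off_dacl == 0:
        return report  # no DACL present
    if off_dacl + 8 > len(sd):
        raise ValueError("DACL header lies outside the buffer")
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, end = off_dacl + 8, off_dacl + acl_size
    if end > len(sd):
        raise ValueError("AclSize runs past the end of the buffer")
    seen = Counter()
    for _ in range(ace_count):
        if pos + 4 > end:
            raise ValueError("ACE header runs past the end of the DACL")
        ace_size = struct.unpack_from("<H", sd, pos + 2)[0]  # after AceType, AceFlags
        if ace_size < 4 or pos + ace_size > end:
            raise ValueError("invalid AceSize")
        seen[sd[pos:pos + ace_size]] += 1  # byte-identical ACEs are redundant
        pos += ace_size
    report.update(dacl_size=acl_size, ace_count=ace_count,
                  redundant_aces=sum(n - 1 for n in seen.values()),
                  near_limit=acl_size >= warn_ratio * ACL_LIMIT)
    return report

def _sid(*subs: int) -> bytes:
    """Encode S-1-5-<subs> (identifier authority 5 = NT Authority)."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def build_sample_sd(rids, with_owner=True) -> bytes:
    """Constructed sample: one allow ACE per RID under the made-up domain S-1-5-21-1-2-3."""
    aces = b""
    for rid in rids:
        sid = _sid(21, 1, 2, 3, rid)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x000F01FF) + sid
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(rids), 0) + aces
    owner = _sid(18) if with_owner else b""  # S-1-5-18 = SYSTEM
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 20 if with_owner else 0,
                       0, 0, 20 + len(owner)) + owner + dacl
```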
|Links: Error code 1338, ME328422, EventID 1450 from source Active Directory|