When accessing the Native Security advanced details pane in the Active Roles Console, the expected security permissions are not visible. The screen is just blank.
Additionally, after enabling the option to "Propagate Permissions to Active Directory" within an Access Template linkage, the configured permissions are not propagating as expected.
With verbose logging enabled for the Active Roles Administration Service, the log shows an error message similar to the following:
Length of the access control list exceeds the allowed maximum.
A very large Access Template is being synchronized, and it exceeds native Active Directory limits.
<quote>
The maximum size of an ACL is 64 kilobytes (KB), or approximately 1,820 ACEs.
</quote>
This number is additive.
Exporting the Access Template to a file will show a number of entries in the edsaATEList attribute. This value, added to the existing ACEs already present in Active Directory, has exceeded this Active Directory limitation.
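To see how much of the 64 KB limit an object's existing ACEs already consume, the DACL can be measured directly in Active Directory. The following PowerShell is an added example, not One Identity code; it assumes the ActiveDirectory module (RSAT) and PowerShell 5 or later, and the function name, the -PlannedAceCount parameter and the sample DN are hypothetical.

```powershell
# Added example: measure how close an AD object's DACL is to the ACL size limit.
# Requires the ActiveDirectory module (RSAT) and read access to the object's security descriptor.
Import-Module ActiveDirectory

function Get-DaclHeadroom {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Hypothetical input: your own estimate of the ACEs the Access Template will add.
        [int] $PlannedAceCount = 0,
        # 64 KB, the limit quoted in this article.
        [int] $MaxAclBytes = 64KB
    )

    $obj = Get-ADObject -Identity $DistinguishedName -Properties nTSecurityDescriptor

    # Re-parse the descriptor in raw form so the DACL's binary size is available.
    $bytes = $obj.nTSecurityDescriptor.GetSecurityDescriptorBinaryForm()
    $raw   = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    $dacl  = $raw.DiscretionaryAcl
    if ($null -eq $dacl) { throw "Object has no DACL: $DistinguishedName" }

    # The ACL header is 8 bytes; the rest is ACE data. Inherited ACEs count too.
    $avgAce = if ($dacl.Count) {
        [math]::Ceiling(($dacl.BinaryLength - 8) / $dacl.Count)
    } else { 0 }
    $free = $MaxAclBytes - $dacl.BinaryLength

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        AceCount          = $dacl.Count
        InheritedAces     = @($dacl | Where-Object IsInherited).Count
        DaclBytes         = $dacl.BinaryLength
        BytesFree         = $free
        AvgAceBytes       = $avgAce
        # Estimates only: real ACE sizes vary with SID length and object/property GUIDs.
        EstAcesThatFit    = if ($avgAce) { [math]::Floor($free / $avgAce) } else { $null }
        PlannedAcesFit    = if ($avgAce) { ($PlannedAceCount * $avgAce) -le $free } else { $null }
    }
}

# Placeholder DN and count; replace with the object the Access Template is linked to.
Get-DaclHeadroom -DistinguishedName 'OU=Example,DC=example,DC=com' -PlannedAceCount 400
```

The number of edsaATEList entries in an exported Access Template is not necessarily the number of ACEs written to the directory, so treat PlannedAcesFit as a rough check rather than a guarantee.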
WORKAROUND
Change the Access Template to include less complicated permissions - for example, a Full Control permission with explicit denies, rather than a large list of individual allows.