An account with delegated permissions is configured as the Admin User in the Defender Security Server (DSS), but users are unable to authenticate.
When this occurs, the DSS Audit logs in C:\Program Files\One Identity\Defender\Security Server\Logs show the error "Failed to write statistics Session ID xxxxxxxx".
The cause is either missing 'write' permissions in one of the permissions delegated on the user objects, or the user being a member of one of the predefined protected groups.
For Domain Users that are NOT protected users:
Please review the permissions delegated to the account as advised in Knowledge Article 43578, How to delegate Administrative rights in Defender.
For Protected users such as Domain Admins:
This issue can also arise if the user is a member of a protected group:
When permissions are delegated using the Defender Delegated Administration Wizard, they rely on the user object inheriting the permissions from the parent container. Members of protected groups do not inherit permissions from the parent container. Therefore, permissions set using the Defender Delegated Administration Wizard are not applied to members of protected groups, e.g. Domain Admins.
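To find which accounts fall into the protected-user case, the following PowerShell lists users flagged as protected whose ACL does not inherit from the parent container, then shows which ACEs the service account holds on AdminSDHolder. This is an added example, not One Identity code; it assumes the RSAT ActiveDirectory module, and `svc-defender` is a hypothetical name for the Defender service account.

```powershell
# Added example, not One Identity code. Requires the RSAT ActiveDirectory module.
# 'svc-defender' is a hypothetical name for the Defender service account.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-defender'
$domain = Get-ADDomain
$svcSid = (Get-ADUser -Identity $ServiceAccount).SID.Value
$sidType = [System.Security.Principal.SecurityIdentifier]

# 1. Protected users carry adminCount = 1 and have inheritance disabled, so ACEs
#    delegated on the parent OU never reach them. adminCount can stay at 1 after
#    a user leaves a protected group, so the inheritance flag is what matters.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        # Explicit ACEs granted directly to the service account on this user.
        # ACEs granted through a group the account belongs to are not counted.
        $direct = @($sd.GetAccessRules($true, $false, $sidType) |
            Where-Object { $_.IdentityReference.Value -eq $svcSid })
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            InheritanceDisabled = $sd.AreAccessRulesProtected
            ServiceAccountAces  = $direct.Count
            DistinguishedName   = $_.DistinguishedName
        }
    } |
    Where-Object InheritanceDisabled |
    Format-Table -AutoSize

# 2. ACEs the service account holds on AdminSDHolder. The ACL of this object
#    is what gets applied to members of protected groups.
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$holderSd = (Get-ADObject -Identity $holderDn -Properties nTSecurityDescriptor).nTSecurityDescriptor
"AdminSDHolder inheritance disabled: $($holderSd.AreAccessRulesProtected)"
$holderSd.GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $svcSid } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, IsInherited |
    Format-Table -AutoSize
```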
WORKAROUND:
Workaround 1:
Enable inheritance on the AdminSDHolder object so that the protected users can inherit permissions from the container OU level. The Defender Delegation wizard can then be used to delegate the required permissions on, for example, the Users OU, and the protected users inherit those permissions as descendant user objects.
Workaround 2:
To allow the Defender Service account to manage the attributes of protected user objects, grant the Defender Service account "Read" and "Write" permissions on the AdminSDHolder object.
Workaround 3:
Add the Defender service account as a member of Domain Admins.
STATUS:
Change Request # 385081 was submitted to allow delegating the required permission for Defender attributes to the Defender Service account on the AdminSDHolder object using "this object only", a scope which currently does not list the Defender permissions.