QAS fails to perform incremental updates of its local cache of user and group information, which leads to an inconsistent state and/or performance degradation. System log files show the following message:
"Insufficient permissions to read uSNChanged attribute for <user name>. Cached updates for this user may not occur."
AD Permission issue: insufficient permissions to read the uSNChanged attribute.
In order for QAS to perform incremental updates, the Active Directory security policy must allow host principals to read the uSNChanged attribute on user, group and NIS map objects.
The following is one example of how you could enable read access on the uSNChanged attribute for host principals. There are many ways to perform this operation that may be more appropriate to your Active Directory deployment.
1. Open the ADSI Edit MMC snap-in. ADSI Edit is installed as part of the Windows Support Tools package.
2. Right-click the ADSI Edit root node in the left panel and select Connect to.
3. In the Connection Settings dialog, select the Domain well-known naming context from the drop-down in the Connection Point group box. Click OK.
4. Navigate to the OU where your Unix-enabled users and groups are stored. Right-click the OU and select Properties. Select the Security tab.
5. Click the Advanced button. The Advanced Security Settings dialog is displayed.
6. Create a new permissions entry by clicking the Add button and specifying Authenticated Users as the object name to select. Then click OK. The permission entry dialog is displayed.
7. From the Apply onto drop-down box, select This object and all child objects.
8. Click on the Properties tab.
9. Click the Allow check box for the Read uSNChanged permission.
10. Repeat this procedure for any other OUs where Unix users, Unix groups or NIS map objects are stored.
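The same grant can be scripted with `dsacls.exe` instead of clicking through ADSI Edit for each OU. The following is an added example, not part of the original article or the vendor's tooling. The OU distinguished names are placeholders, and `$Trustee` defaults to the Authenticated Users principal used in the steps above; because only host principals need the right, it can be narrowed to a group that contains just the QAS host computer accounts.

```powershell
# Added example: scripted equivalent of ADSI Edit steps 1-10.
# Assumptions: run on a machine with the AD DS tools (dsacls.exe) installed,
# under an account allowed to modify the ACL of each OU listed below.

# Trustee from step 6. To grant less, replace it with a group that holds only
# the QAS host computer accounts (such a group is hypothetical here).
$Trustee = 'NT AUTHORITY\Authenticated Users'

# Placeholder DNs: list every OU that stores Unix users, Unix groups
# or NIS map objects (step 10).
$OUs = @(
    'OU=UnixUsers,DC=example,DC=com',
    'OU=UnixGroups,DC=example,DC=com'
)

foreach ($ou in $OUs) {
    Write-Host "Granting read of uSNChanged on $ou to $Trustee"

    # /I:T           -> "This object and all child objects" (step 7)
    # /G trustee:RP  -> allow Read Property, restricted to uSNChanged (steps 8-9)
    # ${Trustee} keeps PowerShell from parsing "$Trustee:RP" as a scoped variable.
    & dsacls.exe $ou /I:T /G "${Trustee}:RP;uSNChanged" | Out-Null

    # Re-read the ACL and show every entry that mentions uSNChanged, so the
    # new entry (and any conflicting Deny entry) can be reviewed by eye.
    $entries = & dsacls.exe $ou | Select-String -Pattern 'uSNChanged' -Context 0,1

    if ($entries) {
        $entries | ForEach-Object { Write-Host "  $($_.ToString().Trim())" }
    }
    else {
        Write-Warning "No uSNChanged entry found on $ou; check permissions and the DN."
    }
}
```

After the change has replicated, the "Insufficient permissions to read uSNChanged attribute" message should stop appearing in the system log on the QAS hosts.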