ERROR_DS_COMPARE_TRUE (0X00002026) Fix: Active Directory Compare True

Windows Errors | Intermediate | May 27, 2026

Active Directory returns a 'compare was true' result on a compare operation, but the real issue is a bogus or stale security descriptor. Here's how to clear it fast.

Why This Error Happens

You're doing an LDAP compare operation (checking whether a user is in a group, verifying that an attribute holds a given value) and the server hands back 0x00002026 (ERROR_DS_COMPARE_TRUE). It's the directory telling you "the compare was true." But you know it shouldn't be: maybe the user wasn't supposed to be in that group, or the attribute value is blatantly wrong. This result often shows up in scripts, PowerShell queries, or when you're syncing identity data across systems.

The most common real-world trigger I've seen: a stale security descriptor left behind after a failed object move or cross-domain trust repair. The LDAP compare operation hits that cached descriptor, sees a match, and returns true—even though the current state doesn't support it. It's infuriating, I know. But here's the fix.

Fix #1: The 30-Second Check – Replicate and Recompare

Before you dive deeper, rule out a replication lag. This is the simplest thing and it's caught me off guard more than once.

  1. On a domain controller, open Active Directory Sites and Services (or use repadmin /syncall). Force replication with all partners.
  2. Wait 30 seconds for the sync to complete.
  3. Run your compare operation again. If it now returns false (or the expected result), you're done. The original true was just a delayed response from a DC that hadn't picked up the latest change.

If the error persists, move to the next step. Don't waste time here—replication isn't always the culprit.
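As an added example (not code from the original post), here is the compare operation described in the opening section together with the replicate-then-recompare check from Fix #1, in one PowerShell script. It uses System.DirectoryServices.Protocols so you see the raw LDAP result code rather than a wrapped Win32 error. The server name, group DN, user DN and attribute are placeholders for your own environment.

```powershell
# Added example, not from the original post. Server name, DNs, attribute and
# value below are placeholders for your own environment.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Invoke-LdapCompare {
    # Sends an LDAP compare and returns the raw result code plus a boolean.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][string]$Value
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Signing = $true   # sign and seal the session; an unsigned
    $conn.SessionOptions.Sealing = $true   # bind on 389 exposes the DN and value
    try {
        $conn.Bind()                       # bind as the current user
        $req  = New-Object System.DirectoryServices.Protocols.CompareRequest($DistinguishedName, $Attribute, $Value)
        $code = $conn.SendRequest($req).ResultCode   # CompareTrue/CompareFalse do not throw
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        $code = $_.Exception.Response.ResultCode      # NoSuchObject, InsufficientAccessRights, ...
    } finally {
        $conn.Dispose()
    }
    # LDAP result code 6 (compareTrue) is what Win32 reports as
    # ERROR_DS_COMPARE_TRUE (0x2026 = 8230); 5 is compareFalse.
    [pscustomobject]@{
        DN        = $DistinguishedName
        Attribute = $Attribute
        Value     = $Value
        Result    = [string]$code
        IsMatch   = ($code -eq [System.DirectoryServices.Protocols.ResultCode]::CompareTrue)
    }
}

# Fix #1 as a script: compare, force replication, wait, compare again.
$server = 'dc01.domain.com'                              # placeholder DC
$group  = 'CN=YourGroup,OU=Groups,DC=domain,DC=com'      # placeholder group DN
$user   = 'CN=Some User,OU=Users,DC=domain,DC=com'       # placeholder member DN

$before = Invoke-LdapCompare -Server $server -DistinguishedName $group -Attribute 'member' -Value $user
Write-Host "Before replication: $($before.Result)"

# Push replication of all partitions to every partner across the enterprise.
repadmin /syncall $server /AdeP | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin /syncall returned $LASTEXITCODE; check repadmin /showrepl" }
Start-Sleep -Seconds 30

$after = Invoke-LdapCompare -Server $server -DistinguishedName $group -Attribute 'member' -Value $user
Write-Host "After replication:  $($after.Result)"
if ($before.IsMatch -and -not $after.IsMatch) {
    Write-Host 'Replication lag explained the earlier compareTrue; nothing else to fix.'
}
```

Run it as an account that can read the group's member attribute. The Result field is the LDAP result code name, so a compareTrue that survives the forced sync is the signal to move on to Fix #2, while anything other than CompareTrue or CompareFalse (NoSuchObject, InsufficientAccessRights) means the compare never actually evaluated and the "error" is a different problem.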

Fix #2: The 5-Minute Moderate Fix – Clear the Stale Security Descriptor

When replication isn't the problem, the most common cause is a corrupted or stale security descriptor on the object you're comparing against. This happens when a group or user was migrated, renamed, or its ACL was manually edited by a legacy tool (looking at you, old ADSI Edit scripts).

Here's how to clear it safely:

  1. Open ADSI Edit (install via Server Manager if not present). Connect to the Default Naming Context.
  2. Navigate to the object that's triggering the compare error. Usually it's a group or a user object.
  3. Right-click the object, go to Properties. Find the nTSecurityDescriptor attribute.
  4. Delete the value—yes, delete it entirely. AD will regenerate it from the default inherited values.
  5. Click Apply and OK.
  6. Wait 60 seconds for replication to propagate, then run your compare operation again.

Why this works: A malformed security descriptor can cause the LDAP compare function to short-circuit and return true on any comparison. Clearing it forces AD to rebuild the descriptor from parent permissions, which is almost always correct.

If you're in PowerShell (and you should be), you can do this with:

$dn  = "CN=YourGroup,OU=Groups,DC=domain,DC=com"
$obj = Get-ADObject -Identity $dn -Properties nTSecurityDescriptor
# Save the current descriptor as SDDL so it can be restored if the rebuilt one is wrong
$obj.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('All') | Out-File "$env:TEMP\YourGroup-sd-backup.sddl"
# Clear the attribute; AD regenerates it from the inherited defaults
Set-ADObject -Identity $dn -Clear nTSecurityDescriptor

This avoids the GUI entirely. Run it on a DC with the PDC Emulator role for best effect.

Fix #3: The 15+ Minute Advanced Fix – Rebuild the Object or Force Metadata Cleanup

If the security descriptor fix didn't work, the problem is deeper. You've got a metadata inconsistency or a cross-domain object reference that even ADSI Edit can't touch. This is rare but brutal.

  1. Identify the offending object. Use LDP.exe (installed with AD tools) to run a verbose compare. Connect to the DC, bind as admin, and go to Browse > Compare. Enter the DN of the object and the attribute you're comparing (e.g., memberOf). LDP will show you the raw compare result and any error codes.
  2. Check for lingering objects. Run repadmin /removelingeringobjects <DestDC> <SourceDCGUID> <NamingContext> against the DC showing the error (add /advisory_mode first to list what would be removed without touching it). Lingering objects from a decommissioned DC can cause phantom comparisons.
  3. If the object is a group with cross-domain members, delete the membership of that domain and re-add it. This is tedious but necessary. Use Remove-ADGroupMember and Add-ADGroupMember for each foreign security principal.
  4. Last resort: delete and recreate the object. If it's a group, export the membership list first. Delete the object, wait for replication, and recreate it with the same name and attributes. Then re-add members. This nukes any corrupted ACL, metadata, or phantom references.
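The membership export, delete, recreate and re-add sequence in steps 3 and 4 is easy to get wrong by hand, especially when the member list contains foreign security principals that Get-ADGroupMember cannot resolve. As an added example (not code from the original post), here is a snapshot-and-restore pair that reads the member attribute directly, records scope, category and description, and re-adds members one at a time so a single broken reference is reported instead of aborting the restore. The RSAT ActiveDirectory module is assumed; the group DN and file path are placeholders.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module; the group DN and JSON path are placeholders.
Import-Module ActiveDirectory

function Export-GroupSnapshot {
    # Capture everything needed to recreate the group, then write it to JSON.
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$Path)
    $g = Get-ADGroup -Identity $Identity -Properties member, description
    # Read 'member' directly: Get-ADGroupMember fails on an unresolvable
    # foreign security principal, which is exactly the case being repaired.
    $members = @($g.member | ForEach-Object {
        [pscustomobject]@{
            DistinguishedName = $_
            IsForeign         = ($_ -match '^CN=S-1-[0-9-]+,CN=ForeignSecurityPrincipals,')
        }
    })
    $snap = [pscustomobject]@{
        Name           = $g.Name
        SamAccountName = $g.SamAccountName
        # Parent container = DN minus the leading RDN (handles escaped characters)
        Path           = ($g.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', '')
        GroupScope     = [string]$g.GroupScope
        GroupCategory  = [string]$g.GroupCategory
        Description    = $g.Description
        Members        = $members
    }
    $snap | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
    $snap
}

function Restore-GroupFromSnapshot {
    # Recreate the group from the JSON snapshot and re-add its members.
    param([Parameter(Mandatory)][string]$Path)
    $snap   = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $params = @{
        Name = $snap.Name; SamAccountName = $snap.SamAccountName; Path = $snap.Path
        GroupScope = $snap.GroupScope; GroupCategory = $snap.GroupCategory
    }
    if ($snap.Description) { $params.Description = $snap.Description }
    $group  = New-ADGroup @params -PassThru
    $failed = @()
    foreach ($m in $snap.Members) {
        # One member per call so an unresolvable DN is skipped, not fatal.
        try   { Add-ADGroupMember -Identity $group -Members $m.DistinguishedName }
        catch { $failed += $m.DistinguishedName; Write-Warning "Could not re-add $($m.DistinguishedName): $_" }
    }
    [pscustomobject]@{
        Group    = $group.DistinguishedName
        Restored = $snap.Members.Count - $failed.Count
        Failed   = $failed
    }
}

# Usage (placeholders):
#   $snap = Export-GroupSnapshot -Identity 'CN=YourGroup,OU=Groups,DC=domain,DC=com' -Path "$env:TEMP\YourGroup.json"
#   Remove-ADGroup -Identity 'CN=YourGroup,OU=Groups,DC=domain,DC=com' -Confirm:$false
#   ... wait for replication to converge, then:
#   Restore-GroupFromSnapshot -Path "$env:TEMP\YourGroup.json"
```

Review the Failed list in the returned object before closing the ticket: the DNs that could not be re-added are the foreign security principals or phantom references the article describes, and they are the ones to rebuild from the trusted domain rather than silently drop. Recreating a group gives it a new SID, so anything granted to the old SID (file ACLs, group policy filtering) has to be re-granted as well.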

Real-world case: I once saw this error on a global security group that had been migrated across two forests via a third-party tool. The tool left a broken foreignSecurityPrincipal reference in the group's member attribute. The compare operation returned true because that reference technically existed, but AD couldn't resolve it. Deleting and recreating the group fixed it in 20 minutes.

When to Throw in the Towel and Call Microsoft

If you've done all three fixes and the error still shows up on multiple objects, you may have a broader database issue. Run dcdiag /test:checksecurityerror and ntdsutil's files integrity check (which needs AD DS stopped or the DC booted into DSRM) on all DCs. If those report failures, it's time to open a case with Microsoft Support. But honestly, 9 out of 10 times, Fix #2 does the job.

Hope this saves you the hours I lost the first time I hit this error. You've got this.
