0X000020A1

Fix ERROR_DS_SEC_DESC_TOO_SHORT (0x000020A1) Fast

Cybersecurity & Malware | Intermediate | May 30, 2026

This error (8353 in decimal) means the domain controller rejected or could not parse a security descriptor: the binary value in an object's nTSecurityDescriptor attribute is shorter than its own header and offsets say it should be. The fix is to delete and recreate the object, or to write a well-formed descriptor back to that attribute.

You're staring at ERROR_DS_SEC_DESC_TOO_SHORT (0x000020A1) and it's a pain. Let me walk you through the fix. This usually hits when you're creating or modifying a user, group or computer in Active Directory, when a script writes to nTSecurityDescriptor, or when a domain controller replicates a damaged object. The security descriptor, the part of the object that says who can do what, is a self-relative binary structure: a 20-byte header followed by the owner SID, the group SID, the SACL and the DACL, each located by an offset stored in the header. When the value is shorter than the header, or shorter than the bytes those offsets point at, the DC refuses it with this error. That's a malformed-data issue, not a permissions issue.

The Real Fix: Delete the Corrupt Object

Nine times out of ten, the fastest fix is to delete the object throwing the error and recreate it. This works for objects you can rebuild without losing anything you can't restore, such as a freshly created user, group or computer account. Here's how:

  1. Open Active Directory Users and Computers (dsa.msc) on a domain controller, or on a workstation with RSAT installed.
  2. Find the object that fails. It's usually a user, group, or computer account you just created or modified. Note its attributes (group memberships, description, and so on) before you delete it, because the recreated object gets a new SID and objectGUID.
  3. Right-click it, choose Delete. You'll get a warning about not being able to undo it. Click Yes. If "Protect object from accidental deletion" is set, clear it first on the Object tab, which is visible only with Advanced Features enabled.
  4. In the View menu, check Advanced Features. This reveals the LostAndFound container.
  5. Expand the domain and open LostAndFound. Objects land there when their parent container was deleted on another DC while they were being created or moved; if an orphaned copy of your object is sitting there, delete it too so it doesn't conflict with the recreated one.
  6. Now recreate the object fresh. Right-click the target OU, choose New > User (or Group, or Computer). Fill in the details.

Once the wizard finishes, the object should appear without the error. Verify by right-clicking it, selecting Properties, and checking that the Security tab (shown only with Advanced Features enabled) loads its ACL. If it does, you're done.

If You Can't Delete It: Use Repadmin

Sometimes the object can't simply be deleted, or one DC holds a bad copy while the others are fine. Replication is tracked per object, so you can compare the copies and pull a good one:

  1. Open Command Prompt as Administrator on any domain controller (or on a machine with RSAT); the PDC emulator is not required.
  2. Check that replication is healthy and push any pending changes:
    repadmin /syncall /AdeP
  3. Compare the attribute metadata for the object on every DC. The nTSecurityDescriptor row shows the version number and the originating DC, which tells you where the bad value came from:
    repadmin /showobjmeta * <object-DN>
  4. If one DC is out of step, replicate just that object to it from a DC whose copy reads correctly:
    repadmin /replsingleobj <destination-DC> <source-DC> <object-DN>

Step 4 pulls a single object from the named source DC instead of waiting for a full replication cycle. If every DC holds the same bad value there is nothing clean to pull; you then either delete and recreate the object, or use ntdsutil's authoritative restore to bring the object back from a system state backup taken before the damage. The restore path is more involved (it runs from Directory Services Restore Mode), so try delete-and-recreate first.

Why This Happens

The security descriptor is stored as a binary blob in the nTSecurityDescriptor attribute, in self-relative form: a 20-byte header (revision, control flags, and four 32-bit offsets to the owner SID, group SID, SACL and DACL) followed by those structures. The header carries no overall length field; instead the DC validates that the blob is at least as long as the header and that every offset, SID length and AclSize falls inside the buffer. When a failed write, a buggy script that assembles the bytes by hand, or disk corruption leaves the blob shorter than those fields claim, the DC reports 0x000020A1. It's not a permissions problem, it's a data integrity problem. Deleting the object removes the bad blob, and recreating it writes a fresh, valid one built by the DC itself.
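To make those layout rules concrete, here is an added example (written for this page, not code from Microsoft or from the article) that builds a small self-relative descriptor from constructed sample SIDs and then checks a blob the way the description above says the DC does: header length, the SE_SELF_RELATIVE flag, each SID's length, and each ACL's AclSize and AceSize against the buffer. The checks follow the documented SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE and SID structures but are my approximation of the rules, not the DC's own validation code. The domain SID S-1-5-21-1111-2222-3333 is made up. To run it against a real object, export the blob from PowerShell with `(Get-ADObject -Identity $dn -Properties nTSecurityDescriptor).nTSecurityDescriptor.GetSecurityDescriptorBinaryForm()`, save the bytes to a file, and pass them to `check_sd`.

```python
"""Build and validate a self-relative Windows security descriptor, the binary
form stored in AD's nTSecurityDescriptor attribute.

Added example for this page; not Microsoft's or the article's code.  Sample
SIDs and the domain SID S-1-5-21-1111-2222-3333 are constructed for the demo.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000
SD_HEADER_LEN = 20          # Revision, Sbz1, Control, Owner, Group, Sacl, Dacl
ACL_HEADER_LEN = 8          # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER_LEN = 4          # AceType, AceFlags, AceSize
ACCESS_ALLOWED_ACE_TYPE = 0x00


def sid_bytes(sid):
    """Encode an SDDL-style SID string ("S-1-5-32-544") as a binary SID."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID string: {sid}")
    authority = int(parts[2])                 # 6-byte big-endian IdentifierAuthority
    subs = [int(p) for p in parts[3:]]        # 32-bit little-endian SubAuthorities
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def access_allowed_ace(mask, sid):
    """ACCESS_ALLOWED_ACE: 4-byte ACE header, 32-bit access mask, trustee SID."""
    body = struct.pack("<I", mask) + sid_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, ACE_HEADER_LEN + len(body)) + body


def build_acl(aces):
    """ACL revision 2 header followed by the ACE list; AclSize covers both."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, ACL_HEADER_LEN + len(body), len(aces), 0) + body


def build_sd(owner, group, dacl_aces):
    """Assemble a self-relative descriptor: header, owner SID, group SID, DACL (no SACL)."""
    o, g, d = sid_bytes(owner), sid_bytes(group), build_acl(dacl_aces)
    owner_off = SD_HEADER_LEN
    group_off = owner_off + len(o)
    dacl_off = group_off + len(g)
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT
    header = struct.pack("<BBHIIII", 1, 0, control, owner_off, group_off, 0, dacl_off)
    return header + o + g + d


def _check_sid(blob, off, what, problems):
    """A SID must fit its 8-byte header plus 4 bytes per sub-authority."""
    if off + 8 > len(blob):
        problems.append(f"{what} SID header runs past end of blob")
        return
    need = 8 + 4 * blob[off + 1]
    if off + need > len(blob):
        problems.append(f"{what} SID needs {need} bytes at {off}, only {len(blob) - off} left")


def _check_acl(blob, off, what, problems):
    """AclSize must fit in the blob and every ACE must fit inside AclSize."""
    if off + ACL_HEADER_LEN > len(blob):
        problems.append(f"{what} ACL header runs past end of blob")
        return
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, off)
    if off + acl_size > len(blob):
        problems.append(f"{what} AclSize {acl_size} at {off} exceeds blob length {len(blob)}")
        return
    pos, end = off + ACL_HEADER_LEN, off + acl_size
    for i in range(ace_count):
        if pos + ACE_HEADER_LEN > end:
            problems.append(f"{what} ACE {i} header lies outside AclSize")
            return
        ace_size = struct.unpack_from("<H", blob, pos + 2)[0]
        if ace_size < ACE_HEADER_LEN or pos + ace_size > end:
            problems.append(f"{what} ACE {i} AceSize {ace_size} overruns the ACL")
            return
        pos += ace_size


def check_sd(blob):
    """Return a list of layout problems; an empty list means the blob is well formed."""
    problems = []
    if len(blob) < SD_HEADER_LEN:
        problems.append(f"blob is {len(blob)} bytes, shorter than the {SD_HEADER_LEN}-byte header")
        return problems
    rev, _, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1:
        problems.append(f"unsupported revision {rev}")
    if not control & SE_SELF_RELATIVE:
        problems.append("SE_SELF_RELATIVE not set; offsets cannot be trusted")
    if owner:
        _check_sid(blob, owner, "owner", problems)
    if group:
        _check_sid(blob, group, "group", problems)
    if control & SE_DACL_PRESENT and dacl:
        _check_acl(blob, dacl, "DACL", problems)
    if control & SE_SACL_PRESENT and sacl:
        _check_acl(blob, sacl, "SACL", problems)
    return problems


# Constructed sample: a made-up domain's Domain Admins (RID 512) as owner and
# group, with one DACL entry granting GENERIC_READ to Authenticated Users.
SAMPLE_SD = build_sd("S-1-5-21-1111-2222-3333-512", "S-1-5-21-1111-2222-3333-512",
                     [access_allowed_ace(0x80000000, "S-1-5-11")])

if __name__ == "__main__":
    print("full blob   :", check_sd(SAMPLE_SD) or "ok")
    print("12-byte blob:", check_sd(SAMPLE_SD[:12]))
    print("DACL cut off:", check_sd(SAMPLE_SD[:-6]))
```

A well-formed blob returns an empty list; the two truncated copies in the demo each return a single finding naming the field that overruns the buffer, which is exactly the kind of mismatch the DC turns into 0x000020A1. The same check is worth running on any descriptor a script assembles itself before it writes to nTSecurityDescriptor.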

Less Common Variations

Sometimes the error shows up during a dsacls command or when you're trying to modify permissions via PowerShell. In those cases the descriptor being written is often the malformed one (dsacls and Set-Acl hand the DC a complete new blob), so check what you're sending before blaming the stored object. Here's what to do:

  • In PowerShell: If Get-ADUser -Identity "username" -Properties nTSecurityDescriptor fails, try reading the object by its distinguished name:
    Get-ADObject -Identity "CN=username,OU=Users,DC=domain,DC=com" -Properties nTSecurityDescriptor | fl
    If it still fails, the stored value is toast. Delete and recreate.
  • During Group Policy editing: If GPMC shows 0x000020A1 on a GPO, the security descriptor on the GPO's groupPolicyContainer object in AD is bad. Back the GPO up first (Backup-GPO -Name "<GPO name>" -Path C:\GPOBackup), delete it, recreate it, and bring the settings back with Import-GPO from that backup.
  • On a read-only DC (RODC): An RODC only ever receives objects from a writable DC, so check the writable DCs first with repadmin /showobjmeta. If only the RODC is stale, replicate the object to it from a writable DC with repadmin /replsingleobj <RODC> <writable-DC> <object-DN>; if the object no longer exists on the writable DCs, treat it as a lingering object and clean it up with repadmin /removelingeringobjects.

Prevention Going Forward

This error comes back if you don't fix the root cause. Here's how to stop it:

  • Run dcdiag /test:replications /test:services weekly, and repadmin /replsummary for a quick view of replication failures. This catches replication issues early.
  • Don't write raw bytes to nTSecurityDescriptor from scripts. Build descriptors with the OS APIs (Set-Acl on an AD: path, the ActiveDirectorySecurity class, or dsacls), which emit a well-formed blob; a hand-assembled descriptor with a bad offset or AclSize is the surest way to hit this error.
  • Keep your domain controllers patched. The security descriptor binary format is the same across Windows Server versions, so mixing Server 2012 R2 with Server 2022 doesn't by itself cause this error, but unpatched DCs carry replication bugs you don't want either.
  • If you see a lot of these errors, check the health of the disk holding ntds.dit. Run chkdsk /f on that volume during off-hours (it needs a reboot if it's the system volume), and check the database itself from Directory Services Restore Mode with ntdsutil (activate instance ntds, then files, then integrity, followed by semantic database analysis).

That's it. Delete the object, recreate it, and you're back in business. If it keeps happening, check replication health first. You'll save yourself hours of head-scratching.
