Getting Constraint Error When Trying to Update AD Object Permissions

Some users are getting errors when running the portion of my script below. This does not happen for all objects, only some. The users having issues have full control over the OU in which the user account that this script updates resides. The script adds a computer object from another domain and gives it full control over the user object. Randomly, users receive the error:

Exception calling "CommitChanges" with "0" argument(s): "A constraint violation occurred."

It is not a permissions issue, because they have full control over the user objects that they are trying to update. Any ideas?

$SysManObj = [ADSI]("LDAP://$GoldlnkDC/CN=$UPN,$OUPath")   # bind to the user object on the Goldlnk DC
$comp = Get-ADComputer $Computer -Server $AqualnkDC        # get the computer object from the other domain
$sid = [System.Security.Principal.SecurityIdentifier]$comp.SID
$identity = [System.Security.Principal.IdentityReference]$sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$RightsType = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $RightsType, $inheritanceType

$SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)   # add the ACE to the user object's DACL
$SysManObj.psbase.CommitChanges()                       # write the security descriptor back to AD

Update - it appears it MIGHT be permissions. However, I have no idea what I need to update to give them permissions. They have full control over the user object that we are updating. What other permissions are needed? Keep in mind this only happens on some PCs. I have verified that I am receiving the same error when I use my other admin account that is not a domain admin, but no error when I use my domain admin account.

It almost seems like if they create the user object themselves, they can update the permissions, but if someone else does (a domain admin), they receive the error, even though they have full control over the user. Any ideas?

This portion of the script checks ACLs. The owner of the user objects we are having issues with is "Domain Admins." The ones that we are not having issues with are not owned by domain admins. I'm assuming we cannot change the owner of an object unless a domain admin does it, so that is out of the question. Is there an easier way to grant a computer object full control over a user object? These users can go into AD and change the permissions in the security tab, but cannot via this script.

Any suggestions? I don’t understand how these admins are able to add a computer object with full control to a user object, but they can’t do it via the command I put above. Seems like it requires the admin to be the owner of the user object. If anyone has any suggestions or other ways to accomplish this, I’m all ears. Thanks!
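As an added example (not the poster's script), here is the same operation written so that DirectoryEntry sends only the DACL part of the security descriptor back to the DC and skips the write when the ACE is already there. By default DirectoryEntry writes owner, group, DACL and SACL together, so a caller who is not the object's owner and not a member of the owner group (Domain Admins here) ends up writing back an owner it is not allowed to assert, which the DC rejects as a constraint violation; limiting the write to the DACL needs only "Modify permissions" on the user object. Variable names follow the post, and the param() block and the pre-check are assumptions of this example.

```powershell
# Added example, not the original script. Grants a computer account from another
# domain GenericAll on one user object while writing ONLY the DACL of the user's
# security descriptor, so the owner field (Domain Admins) is never touched.
# Assumed inputs: $GoldlnkDC, $AqualnkDC, $UPN, $OUPath, $Computer as in the post.
param(
    [Parameter(Mandatory)][string]$GoldlnkDC,
    [Parameter(Mandatory)][string]$AqualnkDC,
    [Parameter(Mandatory)][string]$UPN,
    [Parameter(Mandatory)][string]$OUPath,
    [Parameter(Mandatory)][string]$Computer
)

$userEntry = [ADSI]("LDAP://$GoldlnkDC/CN=$UPN,$OUPath")

# Restrict both the read and the write of nTSecurityDescriptor to the DACL.
# Without this, CommitChanges sends owner/group/SACL too, and a non-owner who is
# not in the owner group cannot write the owner back.
$userEntry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

$comp     = Get-ADComputer -Identity $Computer -Server $AqualnkDC
$identity = [System.Security.Principal.SecurityIdentifier]$comp.SID
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$acl = $userEntry.psbase.ObjectSecurity

# Pre-check: do not add a duplicate if an Allow/GenericAll ACE for this SID exists.
$existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $identity.Value -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        $_.ActiveDirectoryRights.HasFlag($rights)
    }
if ($existing) {
    Write-Verbose "GenericAll ACE for $($comp.Name) already present on $UPN; nothing to do."
    return
}

$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $identity,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$acl.AddAccessRule($ace)
$userEntry.psbase.CommitChanges()   # writes only the DACL because of SecurityMasks above
Write-Verbose "Granted GenericAll on $UPN to $($comp.Name) ($($identity.Value))."
```

Run it with -Verbose to see whether the ACE was added or already existed; if the constraint violation persists with the mask set, the cause is something other than the owner write.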