The cause of this error is due to one of the following:
* The caller does not have the "Secret Synchronization" control access right on the read-only DC above.
* The user above is a security sensitive user that cannot have secrets replicated to any read-only DC.
* The user above is not a member of the RevealOnDemand group associated with the read-only DC above.
* The user above is a member of the NeverReveal group associated with the read-only DC above.
This error means the Domain Admin account being used does not have the necessary privileges. Please review the attached document, "Domain Admin Equivalent Account Configuration", to confirm the account has the correct access.
Otherwise, there is a quick way to list every denied permission (Deny ACE) on a specific user account object using the PowerShellAccessControl module in PowerShell:

```powershell
Import-Module .\PowerShellAccessControl.psd1
Get-ADUser UserAccount | Get-AccessControlEntry -ObjectAceType initials -AceType AccessDenied
```
Grant the Domain Admin account any permission that the output shows as denied.
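As an added example (not from the original article or the PowerShellAccessControl module), the same Deny ACE check can be done with only the built-in ActiveDirectory module, with the ObjectType GUIDs resolved to readable right names, followed by a look at the RODC password replication policy lists referred to in the error text. The account name `svc-helpdesk` and the RODC name `RODC01` are assumed placeholders.

```powershell
# Added example: list explicit Deny ACEs on an AD account object and show whether the
# account appears in the RODC's allowed/denied password replication lists.
Import-Module ActiveDirectory

$AccountName = 'svc-helpdesk'   # placeholder: account that fails secret replication
$RodcName    = 'RODC01'         # placeholder: read-only DC named in the error

$user = Get-ADUser -Identity $AccountName
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

# Map schema attribute/class GUIDs and extended-right GUIDs to names so that the
# ObjectType column of each ACE is readable instead of a bare GUID.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

# Deny ACEs take precedence over Allow ACEs, so these are the entries that block access.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ n = 'ObjectTypeName'; e = {
            $key = $_.ObjectType.ToString()
            if ($_.ObjectType -eq [guid]::Empty) { '(all)' }
            elseif ($guidMap.ContainsKey($key)) { $guidMap[$key] }
            else { $key } } } |
    Format-Table -AutoSize

# Direct entries of the RODC's Allowed/Denied password replication lists.
# Note: group membership is not expanded here; a user can be covered through a group.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied
[pscustomobject]@{
    Account       = $user.SamAccountName
    InAllowedList = [bool]($allowed | Where-Object DistinguishedName -eq $user.DistinguishedName)
    InDeniedList  = [bool]($denied  | Where-Object DistinguishedName -eq $user.DistinguishedName)
}
```

Run it on a domain-joined host with RSAT installed; a Deny row or an `InDeniedList` of True points at the cause listed in the error text.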