Hey everyone. Recently some of our support people have been getting the
following error in iManager when creating a user:

Error: NDS Error -672

(Error -672) The client does not have sufficient rights to complete the
requested operation. For servers, this error in DSTRACE means that the
replica list for the target server does not match the replica list for
the source server.

This was working perfectly up until a few weeks ago, when it was first
reported. After digging into it further, it seems that everyone who is
members of this particular group that the rights are assigned dont have
rights, even through the trustee assignments and effective rights show
they are correct. I can create users, but I have S to the whole tree.
I had them try creating users in Console and NWAdmin, and they all get
errors in both of them.

I checked the eDir sync status and all is well. Time is in sync. I did
a DSRepair on the server(s) with master replicas and worked out some
errors, but it still wont work.

I also tried deleting the member association rights to the OUs in
iManager and reapplying them. It still wont work.

We added in a new server at another building around the beginning of
March, but I dont see how that can really affect what is going on over
here. Thats the only thing that changed in the tree over the last month.

Any help would be greatly appreciated.