diff --git a/Build/Release/x64/repacls.exe b/Build/Release/x64/repacls.exe
index d9c7952..729e2ae 100644
Binary files a/Build/Release/x64/repacls.exe and b/Build/Release/x64/repacls.exe differ
diff --git a/Build/Release/x86/repacls.exe b/Build/Release/x86/repacls.exe
index f94056d..b22c33e 100644
Binary files a/Build/Release/x86/repacls.exe and b/Build/Release/x86/repacls.exe differ
diff --git a/Build/Repacls.zip b/Build/Repacls.zip
index 129d107..1ffd2c8 100644
Binary files a/Build/Repacls.zip and b/Build/Repacls.zip differ
diff --git a/OperationCopyDomain.cpp b/OperationCopyDomain.cpp
index e632d0b..5bc8929 100644
--- a/OperationCopyDomain.cpp
+++ b/OperationCopyDomain.cpp
@@ -161,21 +161,33 @@ bool OperationCopyDomain::ProcessAclAction(WCHAR * const sSdPart, ObjectEntry &
 
 			// special case since SetEntriesInAcl does not handle setting both success
 			// and failure types together
-			PACL tNewDacl;
+			PACL tNewDacl = NULL;
+			DWORD iError = 0;
 			if (CheckBitSet(tEa.grfAccessMode, SET_AUDIT_SUCCESS) &&
 				CheckBitSet(tEa.grfAccessMode, SET_AUDIT_FAILURE))
 			{
-				PACL tNewDaclTmp;
+				PACL tNewDaclTmp = NULL;
 				tEa.grfAccessMode = SET_AUDIT_SUCCESS;
-				SetEntriesInAcl(1, &tEa, tCurrentAcl, &tNewDaclTmp);
+				iError = SetEntriesInAcl(1, &tEa, tCurrentAcl, &tNewDaclTmp);
 				tEa.grfAccessMode = SET_AUDIT_FAILURE;
-				SetEntriesInAcl(1, &tEa, tNewDaclTmp, &tNewDacl);
-				LocalFree(tNewDaclTmp);
+				if (iError == ERROR_SUCCESS) {
+					SetEntriesInAcl(1, &tEa, tNewDaclTmp, &tNewDacl);
+					LocalFree(tNewDaclTmp);
+				}
 			}
 			else
 			{
 				// merge the new trustee into the dacl
-				SetEntriesInAcl(1, &tEa, tCurrentAcl, &tNewDacl);
+				iError = SetEntriesInAcl(1, &tEa, tCurrentAcl, &tNewDacl);
+			}
+
+			// verify the new acl could be generated
+			if (iError != ERROR_SUCCESS || tNewDacl == NULL)
+			{
+				std::wstring sTargetAccountName = GetNameFromSid(tTargetAccountSid);
+				InputOutput::AddError(L"Could not add '" + sTargetAccountName + L"' for domain '" 
+					+ sTargetDomain + L"' to access control list (" + std::to_wstring(iError) + L").", sSdPart);
+				continue;
 			}
 
 			// see if the old and new acl match
diff --git a/Version.h b/Version.h
index 7c4c5c7..2185ed7 100644
--- a/Version.h
+++ b/Version.h
@@ -1,4 +1,4 @@
 #pragma once
 
-#define VERSION_STRING "1.10.0.2"
-#define VERSION_COMMA 1,10,0,2
+#define VERSION_STRING "1.10.0.3"
+#define VERSION_COMMA 1,10,0,3