
ldifde not permitted for security reasons


zram

Apr 19, 2004, 4:00:03 PM
Hi.
I've exported this test OU but cannot import it. I'm
using the following to import

ldifde -i -f export11ou.ldf

I get the following error:
Unwilling to perform
The modification was not permitted for security reasons

Can anyone say what is wrong? Below is the file i'm
trying to import. Thanks.


dn: OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: zachou
distinguishedName: OU=zachou,DC=corp,DC=wintel,DC=mgt
instanceType: 4
whenCreated: 20040414183058.0Z
whenChanged: 20040414183058.0Z
uSNCreated: 206418
uSNChanged: 206418
name: zachou
objectGUID:: Lpy/xHl6REiSjcUY1BSyPg==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=wintel,DC=mgt

dn: CN=zachgroup,OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: top
objectClass: group
cn: zachgroup
distinguishedName: CN=zachgroup,OU=zachou,DC=corp,DC=wintel,DC=mgt
instanceType: 4
whenCreated: 20040414183058.0Z
whenChanged: 20040414183058.0Z
uSNCreated: 206420
uSNChanged: 206420
name: zachgroup
objectGUID:: PcGbGmV3C0yRrKacrWD+2g==
objectSid:: AQUAAAAAAAUVAAAA2VqCQ4cjaIssFOW5pgQAAA==
sAMAccountName: zachgroup
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=wintel,DC=mgt

dn: CN=zach2,OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: top
objectClass: group
cn: zach2
distinguishedName: CN=zach2,OU=zachou,DC=corp,DC=wintel,DC=mgt
instanceType: 4
whenCreated: 20040414183058.0Z
whenChanged: 20040414183058.0Z
uSNCreated: 206424
uSNChanged: 206424
name: zach2
objectGUID:: Uj0Eom7ZeUaH3NV6XCRVgg==
objectSid:: AQUAAAAAAAUVAAAA2VqCQ4cjaIssFOW5pwQAAA==
sAMAccountName: zach2
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=wintel,DC=mgt

dn: CN=a s,OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: a s
sn: s
givenName: a
distinguishedName: CN=a s,OU=zachou,DC=corp,DC=wintel,DC=mgt
instanceType: 4
whenCreated: 20040414201427.0Z
whenChanged: 20040414201427.0Z
displayName: a s
uSNCreated: 206887
uSNChanged: 206892
name: a s
objectGUID:: yPxyJ5IJW02E0O/0medhvQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 127264472673169336
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA2VqCQ4cjaIssFOW5qwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: usera
sAMAccountType: 805306368
userPrincipalName: us...@corp.wintel.mgt
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=wintel,DC=mgt

Bernard Chouinard

Apr 19, 2004, 4:45:42 PM
changetype: modify


Dmitri Gavrilov [MSFT]

Apr 19, 2004, 8:12:38 PM
You need to remove a bunch of attributes that cannot be written because
they are owned by the system. A straight export with all attributes will never
work for import.

You have to get rid of:
objectGUID, whenCreated, whenChanged, usnCreated, usnChanged, objectSid,
pwd-related attributes.

You may get rid of:
objectClass: top (only the most specific objectClass is needed),
distinguishedName, cn, ou, name (these will be auto-computed from the DN)
instanceType (defaults to 4)
objectCategory (will default to OU from the schema)

So, you only need this:

dn: OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: organizationalUnit

dn: CN=zachgroup,OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: group
sAMAccountName: zachgroup
sAMAccountType: 268435456
groupType: -2147483646

dn: CN=zach2,OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: group
sAMAccountName: zach2
sAMAccountType: 268435456
groupType: -2147483646

dn: CN=a s,OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: user
cn: a s
sn: s
givenName: a
displayName: a s
userAccountControl: 512
codePage: 0
countryCode: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: usera
sAMAccountType: 805306368
userPrincipalName: us...@corp.wintel.mgt

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


zram

Apr 20, 2004, 11:44:27 AM
After exporting the OU I deleted it, so I am using
cn=add. I hope that is correct. I am now getting the
error "access to the attribute because the attribute is
owned by the SAM"

The OU is created fine, but has no objects in it. Here is
a copy of the file as I now have it. Thanks for your help.

dn: OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: organizationalUnit
ou: zachou
name: zachou

dn: CN=zachgroup,OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: group
sAMAccountName: zachgroup
sAMAccountType: 268435456
groupType: -2147483646

dn: CN=zach2,OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: group
sAMAccountName: zach2
sAMAccountType: 268435456
groupType: -2147483646

dn: CN=a s,OU=zachou,DC=corp,DC=wintel,DC=mgt
changetype: add
objectClass: user
cn: a s
sn: s
displayName: a s
userAccountControl: 512
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: usera
sAMAccountType: 805306368
userPrincipalName: us...@corp.wintel.mgt


Dmitri Gavrilov [MSFT]

Apr 20, 2004, 1:49:10 PM
Ok, more things to throw out. SamAccountType is owned by SAM, it is
automatically written.
Also, get rid of zero values in the user (like logonCount, lastLogon etc).
You can use "SAM logic switch" (-m? don't remember) when exporting data with
ldifde, and it will automatically strip system-owned attributes.

--
Dmitri Gavrilov
SDE, Active Directory Core



Richard Mueller [MVP]

Apr 20, 2004, 1:56:35 PM
Hi,

The error message means that you are trying to assign values to attributes
that only the system can update. My guess would be the following attributes
should not have values assigned:

sAMAccountType
badPasswordTime
lastLogoff
lastLogon
logonCount

In addition, the default primary group for users is "Domain Users". This
group corresponds to a primaryGroupID of 513. Since this is the default, I
assume assigning this value is unnecessary. If any users are assigned a
different value, the assignment will fail unless they have first been made a
member of the corresponding group.

Finally, the value shown for accountExpires corresponds to "never". Again, I
would not assign this value. Only assign a value if it is smaller than
128000000000000000 (1.28E+17).

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--


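The three replies above (Dmitri's attribute list, his pointer to the SAM-logic export switch, and Richard's list of system-updated and default-valued attributes) amount to a filter that can be applied mechanically to an ldifde export. The PowerShell below is an added example, not code from this thread or from Microsoft: it unfolds LDIF continuation lines (ldifde wraps long base64 values onto following lines that begin with one space), drops the attributes the replies say the system or SAM owns, and drops primaryGroupID / accountExpires only when they carry the default values Richard describes. The file names and the sample record are placeholders constructed for the demo; the ldifde -m (SAM logic) and -o (omit attribute list) switches are real ldifde options.

```powershell
# Added example (not from the thread): make an ldifde export replayable with
# "ldifde -i" by removing attributes the DSA or SAM writes itself.

# Attributes that cannot be supplied on an add (per the replies above): the
# first line is the "must remove" set, the rest are written by SAM or are
# logon counters that only the system updates.
$SystemOwned = @(
    'objectGUID', 'objectSid', 'whenCreated', 'whenChanged', 'uSNCreated', 'uSNChanged',
    'distinguishedName', 'instanceType',
    'sAMAccountType', 'pwdLastSet', 'badPwdCount', 'badPasswordTime',
    'lastLogoff', 'lastLogon', 'logonCount'
)

function ConvertTo-ImportableLdif {
    param(
        [Parameter(Mandatory)] [string[]] $Lines
    )

    # 1. Unfold: in LDIF a line starting with a single space continues the
    #    previous attribute value. ldifde folds long base64 values this way.
    $unfolded = New-Object 'System.Collections.Generic.List[string]'
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            $unfolded.Add($line)
        }
    }

    # 2. Filter attribute lines. "name: value" is a plain value, "name:: value"
    #    is base64; both forms are matched by the optional second colon.
    $out = New-Object 'System.Collections.Generic.List[string]'
    foreach ($line in $unfolded) {
        if ($line -match '^(?<name>[A-Za-z][A-Za-z0-9-]*)(?<sep>::?)\s*(?<value>.*)$') {
            $name  = $Matches['name']
            $value = $Matches['value']

            # -contains compares strings case-insensitively, matching LDAP's
            # case-insensitive attribute names (objectGUID vs objectguid).
            if ($SystemOwned -contains $name) { continue }

            # Default primary group (Domain Users) is assigned automatically;
            # a different value only works once the user is already a member.
            if ($name -ieq 'primaryGroupID' -and $value -eq '513') { continue }

            # 9223372036854775807 (and 0) both mean "never expires"; only a
            # real expiry date is worth carrying across.
            if ($name -ieq 'accountExpires' -and
                ($value -eq '0' -or $value -eq '9223372036854775807')) { continue }
        }
        $out.Add($line)
    }
    return $out
}

# Constructed sample in the shape of an ldifde export, including a folded
# base64 objectSid, to show the unfold-then-filter behaviour offline.
$sample = @(
    'dn: CN=zach2,OU=zachou,DC=corp,DC=wintel,DC=mgt',
    'changetype: add',
    'objectClass: group',
    'objectGUID:: Uj0Eom7ZeUaH3NV6XCRVgg==',
    'objectSid:: AQUAAAAAAAUVAAAA2VqCQ4cjaIssFOW5',
    ' pwQAAA==',
    'sAMAccountName: zach2',
    'sAMAccountType: 268435456',
    'groupType: -2147483646'
)
ConvertTo-ImportableLdif -Lines $sample

# Real use (file names are placeholders). The -m switch makes ldifde apply SAM
# logic on export, and -o omits a comma-separated attribute list, so much of
# the stripping can also be done at export time:
#   ldifde -f export11ou.ldf -d "OU=zachou,DC=corp,DC=wintel,DC=mgt" -p subtree -m
#   ConvertTo-ImportableLdif -Lines (Get-Content .\export11ou.ldf) | Set-Content .\import11ou.ldf
#   ldifde -i -f import11ou.ldf
```

One caveat from the engineer adding this example: a user record with userAccountControl: 512 (normal, enabled) carries no password, so if the domain password policy requires a non-empty password the add is refused. Importing the user with 514 (disabled) and then setting the password and enabling the account with dsmod user (-pwd and -disabled no) avoids that, which is the route Kurt's reply below points at.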

zram

Apr 20, 2004, 2:49:20 PM
Thank you for your help. I had to make the changes
suggested to the user for it to work. Thanks.


Kurt Hudson

Apr 20, 2004, 7:11:45 PM
I've had this problem before. LDIFDE is not able to update the password for
a user object and you have a password policy assigned. You should use the
DSADD or other DS commands such as DSMOD. They have the ability to create
and update passwords.
