Groups keyboard shortcuts have been updated
Dismiss
See shortcuts

Can't extend one AD user object

24 views
Skip to first unread message

Max DiOrio

unread,
Mar 12, 2024, 6:47:37 AM3/12/24
to RCDevs Security
So far, every user I have extended with the WebADM Account to activate them has worked.

I have one account that is giving an error.  That account is in the same OU as the others that are working.

[Admin:HYKYUJNI] Could not modify LDAP object 'CN=Last\, First,OU=HQ,OU=Users,OU=Accounts,DC=internal,DC=domain,DC=com' (0000207D: UpdErr: DSID-03151BA4, problem 6002 (OBJ_CLASS_VIOLATION), data 592153)

There were a few minor differences between the two accounts regarding data in attributes, but I cleared the ones I thought would be an issue.  The same mandatory attributes exist for a successful extension and the issue account.

Is there a way to debug this further to see which field it is having an issue with? 

Yoann Traut (RCDevs)

unread,
Mar 12, 2024, 7:29:03 AM3/12/24
to RCDevs Security
Hello, 

What if you try to add the objectClass from AD Users and Computers console on that object? 

Regards

Max DiOrio

unread,
Mar 13, 2024, 11:47:34 AM3/13/24
to RCDevs Security
Hi Yoann,

Given this question took several weeks to be posted, I ended up figuring it out.

I had to compare the attributes between a working account and the non-working account and discovered the only difference was the following attribute set on the non-working one:  msDS-keycredentiallink

It's odd because I've never set up key pairs that I remember that would utilize this attribute.  After clearing the attribute, I was able to extend the account without issue.

Thanks.

Yoann Traut (RCDevs)

unread,
Mar 13, 2024, 11:56:53 AM3/13/24
to RCDevs Security
Hello, 

Thank you for your feedback.
To be honest I don't know why that attribut cause an objectClass violation when you try to activate the account... According to information I'm reading from MS documentation, it should not be a problem... 
"The msDS-KeyCredentialLink (aka. “kcl”) attribute can be used to link an RSA key pair with a computer or user object in order to authenticate with said key pair against the KDC to receive a Kerberos TGT. So the kcl is in fact a set of alternate credentials that works alongside username/password"

I have another customer with a similar issue on a specific account, I will check with him if that attribut is available on the account he is facing the problem.

Regards
Reply all
Reply to author
Forward
0 new messages