Article ID: 276382 - Last Review: April 13, 2009 - Revision: 3.0

Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q276382

On This Page

Expand all | Collapse all

SYMPTOMS

When you try to perform an import function by using the LDAP Data Interchange Format Data Exchange (LDIFDE) tool, you may receive the following error message:
Unwilling To Perform
This problem is most likely to occur when you try to import user account data.

Information that is similar to the following may be displayed while the import is in progress:
Connecting to "server1.domain.com"
Logging in as current user using SSPI
Importing directory from file "import.ldf"
Loading entries.
Add error on line 1: Unwilling To Perform
The server side error is "Access to the attribute is not permitted
because the attribute is owned by the Security Accounts Manager (SAM)."
0 entries modified successfully.
An error has occurred in the program
Back to the top

CAUSE

This problem may occur when you try to import user data that cannot be written to Active Directory.

Data that cannot be written to Active Directory may exist when you try to import data that was originally exported by using the LDIFDE tool without a filter. An unfiltered LDIFDE export exports all data without identifying the fields that are protected and cannot be imported again.
Back to the top

RESOLUTION

To resolve this problem, run the export function with a filter. If no filter was specified, or the export function cannot be re-run, then manually edit user account data to include only those fields that may be imported.

This is an example filter that will export only required User Account data:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree 
-r "(&(objectCategory=person)(objectClass=User)(givenname=*))" 
-l "cn,givenName,objectclass,samAccountName"

This is another example filter that will export all User Account data except for the attributes that cannot be imported:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r 
"(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,
memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
Back to the top

MORE INFORMATION

The following are User Account field attributes and examples.
Back to the top

Required Fields

The following fields must be entered for each user account that is imported.
dn: objectClass: sAMAccountName:

Example user account entry with all required fields

dn: CN=user1,CN=Users,DC=domain,DC=com	
objectClass: user
sAMAccountName: user1
Back to the top

Optional fields

The following fields are optional and may be entered for each user account that is imported.
  • changetype:
  • accountExpires:
  • codePage:
  • cn:
  • countryCode:
  • displayName:
  • instanceType:
  • logonHours:
  • distinguishedName:
  • objectCategory:
  • name:
  • userAccountControl:
  • uSNChanged:
  • uSNCreated:
  • whenChanged:
  • whenCreated:
Note By default, an account is created as disabled. The setting "userAccountControl: 512" enables the newly created account. For more information userAccountControl values, click the following article number to view the article in the Microsoft Knowledge Base:
305144  (http://support.microsoft.com/kb/305144/ ) How to use the UserAccountControl flags to manipulate user account properties

Example user account entry with all required and optional fields

dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add	
accountExpires: 0
codePage: 0 
cn: zach 
countryCode: 0 	
displayName: Test User
instanceType: 4 
logonHours:: ////////////////////////////  
distinguishedName: CN=user1,CN=Users,DC=domain,DC=com 
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com 	
objectClass: user
name: User1  
sAMAccountName: user1    
userAccountControl: 66048 
uSNChanged: 1556
uSNCreated: 1556
whenChanged: 20001012214849.0Z 
whenCreated: 20001012214849.0Z
Back to the top

User fields that cannot be imported

The following fields are protected system fields and cannot be modified through an LDIFDE import.:
  • badPasswordTime:
  • badPwdCount:
  • lastLogoff:
  • lastLogon:
  • logonCount:
  • memberOf
  • objectGUID:
  • objectSid:
  • primaryGroupID:
  • pwdLastSet:
  • sAMAccountType:
For additional information about the LDIFDE tool, click the following article number to view the article in the Microsoft Knowledge Base:
237677  (http://support.microsoft.com/kb/237677/ ) Using LDIFDE to import and export directory objects to Active Directory
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
Back to the top
Keywords: 
kberrmsg kbprb KB276382
Back to the top