Solved

Move a user to a child domain with ADSI MoveHere: the server is unwilling to process the request.

Posted on 2007-03-30
3
802 Views
Last Modified: 2012-08-13
When trying to move a user to a child domain with ADSI using the following script (saved in a .vbs file):
set objOU = GetObject("LDAP://ou=users,ou=zurich,dc=ch,dc=group,dc=local")   ' bind to the destination OU in the child domain
objOU.MoveHere "LDAP://cn=ZeZS,ou=users,ou=Zurich,ou=Stonehage,dc=group,dc=local", "cn=ZeZS"   ' source user lives in the parent domain
I get the following error message: (line2, char1)
Error: the server is unwilling to process the request.
Code: 80072035
We are on 2003 native, the user does not belong to any Global Group; I made it a member of a dummy "TRANSFERT" group, set as primary group. Tried both with TRANSFERT being a Universal or a Domain Local group.
If I change the cn=ZeZS, it tells me it does not find the user, hence proving that the typing is correct: the user is found, but ADSI refuses to move it.
I launch the vbs from a DC in the top domain, with an admin account which is a member of Enterprise Admins.
Can someone help quickly, as my time to fix it is very, very short, and if not successful, I'll have to delete users and create them manually in the child domain. Marc
Question by:stonehage
3 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 18822409

You can't use MoveHere I'm afraid, that only works within a domain as far as I know.

You can use the command-line tool MoveTree that comes with the Support Tools. You will have to strip all group memberships from the account (except Domain Users).

Chris
0
 

Author Comment

by:stonehage
ID: 18823072
http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_aznz.mspx?mfr=true says:

Preparing a User Account for a Cross-Domain Move
Moving user accounts to other domains within the same forest is possible when the following conditions are met:

• The destination domain is running in native mode.
 
• Both the destination and the source domain use Kerberos authentication.
 
• The move operation must be completed from the source domain to the destination, or target, domain. If you attempt to move a user while logged on to the destination domain, the following message will appear:

(null): Inappropriate authentication

To move a user from one domain to another, you must have permission to remove a user from the source domain and add a user to the target domain. For example, a user with administrator credentials in a root domain can move a user to a child domain because the user is a member of the Enterprise Admins group. However, a user with administrator credentials in a child domain cannot move a user to a parent domain because the user does not have permission, by default, to add user accounts to the parent domain.
....
If you need to move an OU or another container (and all of the objects within the container) to a different domain in the forest, use the Movetree.exe command-line tool

IN MY CASE, it is a user, not an OU, that I want to move.

NOW, I'm ready to create a dummy OU and test MoveTree, despite it being in one single tree. What is the syntax?
movetree /? gives a lot of information, but I am in production and cannot risk doing it wrong.
Should I do a /check first, and how can I be sure it will do what I want when doing the /start?
Marc
0
 

Author Comment

by:stonehage
ID: 19014069
The MoveTree with the /verbose is very talkative. That permitted us to point out that our source DS was not having sufficient rights, and changing to another and using the MoveTree on a folder was successful. Being able to do a /check /verbose first and look at the details is very helpful. When ready, we replaced the /check with a /start. Marc
0
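An added example, not code from this thread or from the Support Tools: a VBScript pre-flight check that verifies, before MoveTree is run, the conditions Chris names (no group memberships other than Domain Users, Domain Users as primary group) and then prints the /check invocation to run first, as in the last comment. The DNs come from the question; the DC host names and the /s, /d, /sdn, /ddn switches are taken from MoveTree's documented syntax, with the host names as placeholders.

```vbscript
' Pre-flight check before a cross-domain user move with MoveTree.
' Assumptions: run from the source domain (the Microsoft text above says the
' move must start there) with an account allowed to delete in the source and
' create in the target; DC names below are placeholders to replace.
Option Explicit

Const DOMAIN_USERS_RID = 513          ' well-known RID of "Domain Users"

Dim srcUserDN, dstOuDN, srcDsa, dstDsa, objUser, memberOf, groups, g, ok
srcUserDN = "cn=ZeZS,ou=users,ou=Zurich,ou=Stonehage,dc=group,dc=local"
dstOuDN   = "ou=users,ou=zurich,dc=ch,dc=group,dc=local"
srcDsa    = "SOURCE-DC.group.local"      ' placeholder: a DC in the source domain
dstDsa    = "TARGET-DC.ch.group.local"   ' placeholder: a DC in the child domain

Set objUser = GetObject("LDAP://" & srcUserDN)
ok = True

' primaryGroupID holds the RID of the primary group; it must be Domain Users,
' not a helper group such as TRANSFERT.
If objUser.Get("primaryGroupID") <> DOMAIN_USERS_RID Then
    WScript.Echo "Primary group is not Domain Users (RID " & objUser.Get("primaryGroupID") & ")"
    ok = False
End If

' memberOf is absent (Get raises an error) when the user is in no group;
' otherwise it is a single string or an array of group DNs.
On Error Resume Next
memberOf = objUser.Get("memberOf")
If Err.Number <> 0 Then
    Err.Clear
    memberOf = Empty
End If
On Error GoTo 0
If Not IsEmpty(memberOf) Then
    If IsArray(memberOf) Then groups = memberOf Else groups = Array(memberOf)
    For Each g In groups
        WScript.Echo "Still a member of: " & g
    Next
    ok = False
End If

If ok Then
    WScript.Echo "Pre-flight passed. Run the /check first, review the verbose output, then replace /check with /start:"
    WScript.Echo "movetree /check /s " & srcDsa & " /d " & dstDsa & " /sdn """ & srcUserDN & _
                 """ /ddn ""cn=ZeZS," & dstOuDN & """ /verbose"
Else
    WScript.Echo "Fix the items above before running MoveTree."
End If
```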
