Move a user to a child domain with ADSI MoveHere: the server is unwilling to process the request.

When trying to move a user to a child domain with ADSI using the following script (saved in a .vbs file):
' Bind to the destination OU in the child domain, then try to move the user into it
Set objOU = GetObject("LDAP://ou=users,ou=zurich,dc=ch,dc=group,dc=local")
objOU.MoveHere "LDAP://cn=ZeZS,ou=users,ou=Zurich,ou=Stonehage,dc=group,dc=local", "cn=ZeZS"
I get the following error message (line 2, char 1):
Error: the server is unwilling to process the request.
Code: 80072035
We are on 2003 native; the user does not belong to any Global Group. I made it a member of a dummy "TRANSFERT" group and set that as the primary group. I tried this with TRANSFERT as both a Universal and a Domain Local group.
If I change cn=ZeZS, it tells me it cannot find the user, which proves the typing is correct: the user is found, but ADSI refuses to move it.
I launch the .vbs from a DC in the top domain, with an admin account that is a member of Enterprise Admins.
Can someone help quickly? My time to fix this is very, very short, and if I am not successful I will have to delete the users and create them manually in the child domain. Marc
stonehage asked:

Chris Dent (PowerShell Developer) commented:

You can't use MoveHere I'm afraid, that only works within a domain as far as I know.

You can use the command-line tool MoveTree that comes with the Support Tools. You will have to strip all group memberships from the account (except Domain Users).

Chris
stonehage (Author) commented:
http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_aznz.mspx?mfr=true says:

Preparing a User Account for a Cross-Domain Move
Moving user accounts to other domains within the same forest is possible when the following conditions are met:

• The destination domain is running in native mode.
 
• Both the destination and the source domain use Kerberos authentication.
 
• The move operation must be completed from the source domain to the destination, or target, domain. If you attempt to move a user while logged on to the destination domain, the following message will appear:

(null): Inappropriate authentication

To move a user from one domain to another, you must have permission to remove a user from the source domain and add a user to the target domain. For example, a user with administrator credentials in a root domain can move a user to a child domain because the user is a member of the Enterprise Admins group. However, a user with administrator credentials in a child domain cannot move a user to a parent domain because the user does not have permission, by default, to add user accounts to the parent domain.
....
If you need to move an OU or another container (and all of the objects within the container) to a different domain in the forest, use the Movetree.exe command-line tool

IN MY CASE, it is a user, not an OU, that I want to move.

NOW, I'm ready to create a dummy OU and test MoveTree, despite everything being in one single tree. What is the syntax?
movetree /? gives a lot of information, but I am in production and cannot risk doing it wrong.
Should I do a /check first, and how can I be sure it will do what I want when I run the /start?
Marc

stonehage (Author) commented:
MoveTree with /verbose is very talkative. That made it possible to point out that our source DS did not have sufficient rights; changing to another one and using MoveTree on a folder was successful. Being able to do a /check /verbose first and look at the details is very helpful. When ready, we replaced the /check with a /start. Marc
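As an added example (not code from the original thread), here is a PowerShell script that does the two things the thread settles on: it strips the account's explicit group memberships, leaving Domain Users as the primary group, then runs movetree /check /verbose and only runs /start after the operator has read the check log. It assumes the Support Tools movetree.exe is on PATH, that it is run on a DC in the source domain under an Enterprise Admins account (the Microsoft text quoted above says a move attempted from the destination domain fails with "Inappropriate authentication"), and that Domain Users (RID 513) is the primary group MoveTree expects, as Chris's answer implies. The server names and the two DNs are placeholders; the /s /d /sdn /ddn switch names come from the Support Tools usage text and should be confirmed against movetree /? on your own system.

```powershell
# Added example, not code from the original thread. Assumes: movetree.exe from the
# Windows Support Tools is on PATH; this runs on a DC in the SOURCE domain
# (group.local) under an Enterprise Admins account; the required primary group
# is Domain Users (RID 513). Server names and DNs are placeholders.

$SourceDsa = 'dc1.group.local'       # assumed source domain controller
$TargetDsa = 'dc1.ch.group.local'    # assumed destination domain controller
$SourceDn  = 'CN=ZeZS,OU=users,OU=Zurich,OU=Stonehage,DC=group,DC=local'
$TargetDn  = 'CN=ZeZS,OU=users,OU=zurich,DC=ch,DC=group,DC=local'

function Remove-UserGroupMembership {
    # MoveTree rejects a user that still holds memberships other than its primary
    # group. Reset the primary group to Domain Users, remove every other explicit
    # membership, and return the removed group DNs so they can be re-added in the
    # destination domain after the move.
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $removed = @()

    if ([int]$user.primaryGroupID.Value -ne 513) {
        # Changing primaryGroupID is only legal if the user is already a direct
        # member of the new primary group; Domain Users qualifies when the primary
        # group was moved away from it earlier (e.g. to a dummy TRANSFERT group).
        $user.Put('primaryGroupID', 513)
        $user.SetInfo()
        $user.GetInfo()   # refresh memberOf: the primary group is never listed there
    }

    foreach ($groupDn in @($user.memberOf)) {
        $group = [ADSI]"LDAP://$groupDn"
        $group.Remove("LDAP://$UserDn")   # IADsGroup::Remove, committed immediately
        $removed += $groupDn
    }
    return $removed
}

function Invoke-MoveTree {
    # One movetree run; $Mode is 'check' or 'start'. Switch names follow the
    # Support Tools usage text (/s /d /sdn /ddn /verbose); confirm them against
    # 'movetree /?' before touching production. Output is kept in a per-mode log.
    param([string]$Mode, [string]$SrcDsa, [string]$DstDsa,
          [string]$SrcDn, [string]$DstDn)
    $mtArgs = @("/$Mode", '/s', $SrcDsa, '/d', $DstDsa,
                '/sdn', $SrcDn, '/ddn', $DstDn, '/verbose')
    $output = & movetree.exe $mtArgs 2>&1
    $output | Out-File -FilePath ".\movetree-$Mode.log" -Encoding ASCII
    return $output
}

# 1. Strip memberships and keep the list for re-adding on the other side.
$stripped = Remove-UserGroupMembership -UserDn $SourceDn
"Removed from: " + ($stripped -join ', ')

# 2. Dry run first. movetree's exit code semantics are not documented here, so the
#    operator reads the verbose output in movetree-check.log; the script does not decide.
Invoke-MoveTree -Mode check -SrcDsa $SourceDsa -DstDsa $TargetDsa -SrcDn $SourceDn -DstDn $TargetDn

# 3. Same command with /start, only after the check log has been reviewed.
$answer = Read-Host 'Check output reviewed and clean? Type START to move the user'
if ($answer -eq 'START') {
    Invoke-MoveTree -Mode start -SrcDsa $SourceDsa -DstDsa $TargetDsa -SrcDn $SourceDn -DstDn $TargetDn
}
```

The membership list returned by Remove-UserGroupMembership is worth saving to a file before the move: the groups in the source domain are not carried across, and the account will need equivalent memberships granted in the child domain once MoveTree has finished.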
Windows Server 2003
