dsMoveObj error 1068
Question:
Script is supposed to move a domain account to another domain, but fails with:
1608: The server is unwilling to perform operation.
moveval = dsMoveObj(fullpporgname, newmmcfou, StrCat("cn=", netName))
I put the netName in there because I saw another fellow having trouble unless he had the CN= in the third parameter.
Didn't help me, though.
I'm throwing up a message box prior to the move to show the syntax, and it looks fine to me.
I'm domain admin on both domains.
I can run the ADMT utility and move the user, so rights shouldn't play into it.
Answer:
The following restrictions apply to cross-domain moves (from MSFT documentation):
- The destination domain must be in native mode.
- Objects to be moved must be a leaf object or an empty container.
- NT LAN Manager (NTLM) cannot perform authentication; use Kerberos authentication or delegation. Be aware that if Kerberos authentication is not used, the password transmits in plaintext over the network. To avoid this, use delegation with secure authentication.
- You cannot move security principals (for example, user, group, computer, and so on) belonging to a global group.
You will also likely need to bitwise 'or' the value 256 (ADS_USE_DELEGATION) into the third parameter of the dsSetCredentX function when setting credentials for the move attempt. Again from MSFT documentation: "you must use the ADS_USE_DELEGATION flag of the ADS_AUTHENTICATION_ENUM ... in order to create cross-domain moves"
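An added illustration of the credential flags the answer describes, not code from the original thread. It assumes the WinBatch ADSI extender is loaded from wwads44i.dll, that dsSetCredentX takes (user, password, flags), that AskPassword is available, and uses constructed placeholder DNs and account names; ADS_SECURE_AUTHENTICATION = 1 is the documented enum value.

```winbatch
; Added example (not from the original post). Assumptions: extender DLL name,
; dsSetCredentX(user, password, flags) signature, AskPassword(); all DNs and
; account names below are constructed placeholders.
AddExtender("wwads44i.dll")            ; assumption: WinBatch ADSI extender file name

ADS_SECURE_AUTHENTICATION = 1          ; ADS_AUTHENTICATION_ENUM: Kerberos/NTLM instead of plaintext
ADS_USE_DELEGATION        = 256        ; ADS_AUTHENTICATION_ENUM: required for cross-domain moves

; Insufficient for a cross-domain move: secure authentication alone, no delegation.
; flags = ADS_SECURE_AUTHENTICATION

; Corrected: bitwise-or delegation in while KEEPING secure authentication, so the
; password is not transmitted in plaintext (flags = 257).
flags = ADS_SECURE_AUTHENTICATION | ADS_USE_DELEGATION

; Prompt for the password rather than hard-coding it in the script.
migPassword = AskPassword("Cross-domain move", "Password for DOMAINA\svc_migrate:")
dsSetCredentX("DOMAINA\svc_migrate", migPassword, flags)

; Source must be a leaf object (a user here); destination is an OU in the target domain.
srcUser = "LDAP://dc-a.domaina.example/CN=jdoe,OU=Staff,DC=domaina,DC=example"
dstOU   = "LDAP://dc-b.domainb.example/OU=Staff,DC=domainb,DC=example"
moveval = dsMoveObj(srcUser, dstOU, StrCat("cn=", "jdoe"))
```

Check the target domain is in native mode and that the user is not a member of any global group before running the move, since the extender reports those cases with the same generic error.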
Article ID: W16799
File Created: 2007:07:03:14:26:18
Last Updated: 2007:07:03:14:26:18