Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM) (276382)

SYMPTOMS

When you try to perform an import function by using the LDAP Data Interchange Format Data Exchange (LDIFDE) tool, you may receive the following error message:

Unwilling To Perform

This problem is most likely to occur when you try to import user account data.

Information that is similar to the following may be displayed while the import is in progress:

Connecting to "server1.domain.com"
Logging in as current user using SSPI
Importing directory from file "import.ldf"
Loading entries.
Add error on line 1: Unwilling To Perform
The server side error is "Access to the attribute is not permitted
because the attribute is owned by the Security Accounts Manager (SAM)."
0 entries modified successfully.
An error has occurred in the program

RESOLUTION

To resolve this problem, run the export function with a filter. If no filter was specified, or the export function cannot be re-run, then manually edit user account data to include only those fields that may be imported.

This is an example filter that will export only required User Account data:

ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree 
-r "(&(objectCategory=person)(objectClass=User)(givenname=*))" 
-l "cn,givenName,objectclass,samAccountName"

This is another example filter that will export all User Account data except for the attributes that cannot be imported:

ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r 
"(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,
memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"

MORE INFORMATION

The following are User Account field attributes and examples.

Required Fields

The following fields must be entered for each user account that is imported.
dn: objectClass: sAMAccountName:

Example user account entry with all required fields

dn: CN=user1,CN=Users,DC=domain,DC=com	
objectClass: user
sAMAccountName: user1

Optional fields

The following fields are optional and may be entered for each user account that is imported.

changetype:
accountExpires:
codePage:
cn:
countryCode:
displayName:
instanceType:
logonHours:
distinguishedName:
objectCategory:
name:
userAccountControl:
uSNChanged:
uSNCreated:
whenChanged:
whenCreated:

Note Using the setting "userAccountControl: 66048" enables the newly created account. By default, an account is created disabled.

Example user account entry with all required and optional fields

dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add	
accountExpires: 0
codePage: 0 
cn: zach 
countryCode: 0 	
displayName: Test User
instanceType: 4 
logonHours:: ////////////////////////////  
distinguishedName: CN=user1,CN=Users,DC=domain,DC=com 
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com 	
objectClass: user
name: User1  
sAMAccountName: user1    
userAccountControl: 66048 
uSNChanged: 1556
uSNCreated: 1556
whenChanged: 20001012214849.0Z 
whenCreated: 20001012214849.0Z

User fields that cannot be imported

The following fields are protected system fields and cannot be modified through an LDIFDE import.:

badPasswordTime:
badPwdCount:
lastLogoff:
lastLogon:
logonCount:
memberOf
objectGUID:
objectSid:
primaryGroupID:
pwdLastSet:
sAMAccountType:

For additional information about the LDIFDE tool, click the following article number to view the article in the Microsoft Knowledge Base:

237677 Using LDIFDE to import and export directory objects to Active Directory

For additional information, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/sgw_install_ldifde.asp