Tuesday, June 12, 2012

LDAP - Error - Unwilling To Perform

Problem:
The system throws Error-01 below when trying to execute Command-01.

Error-01:

Unwilling To Perform
The server side error is "The modification was not permitted for security reasons."
0 entries modified successfully.
An error has occurred in the program

Command-01:
ldifde /i /f schema.ldf /v /k /c "DC=development,DC=nyc" "dc=sso,dc=test,dc=com"

Cause:
1. This problem may occur when trying to import data that cannot be written to Active Directory

Solution:
1. Import data from Active Directory using a filter, and specify only those fields which are needed
Command-02: include fields using '/l field1,field2'
ldifde /f schema.ldf /v /l field1,field2

Command-03: exclude fields using '/o field1,field2'
ldifde /i /f schema.ldf /v /o field1,field2

2. Import data from Active Directory using the parameter "/n", which will exclude all the binary fields
Command-04: 
ldifde /i /f schema.ldf /v /n

Notes:
  1. To get more detailed information about the error, the command below can be used
    Command-05:
    ldifde /i /f schema.ldf /v /k /c "DC=development,DC=nyc" "dc=sso,dc=test,dc=com" /j c:\ldiflog\
    The 'c:\ldiflog' folder has to exist

  2. A few fields are required in Active Directory
    1. distinguishedName or dn
    2. objectclass
    3. sAMAccountName
  3. A few fields are optional
    changetype, accountExpires, codePage, cn, countryCode, displayName, instanceType, logonHours, distinguishedName, objectCategory, name, userAccountControl, uSNChanged, uSNCreated, whenChanged, whenCreated
  4. A few fields cannot be imported
    badPasswordTime, badPwdCount, lastLogoff, lastLogon, logonCount, memberOf, objectGUID, objectSid, primaryGroupID, pwdLastSet, sAMAccountType
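
An added example (not part of the original post): a Python filter that removes the attributes listed in note 4 from an exported LDIF file before it is passed to ldifde /i, and reports which attribute was dropped from which entry. It goes beyond the page by handling folded continuation lines and base64 ("::") values; the function name and the sample record are assumptions made for illustration.

```python
import re

# Attributes the page lists under "cannot be imported" (Notes, item 4).
NOT_IMPORTABLE = {
    "badPasswordTime", "badPwdCount", "lastLogoff", "lastLogon", "logonCount",
    "memberOf", "objectGUID", "objectSid", "primaryGroupID", "pwdLastSet",
    "sAMAccountType",
}
_BLOCKED = {name.lower() for name in NOT_IMPORTABLE}  # LDAP names are case-insensitive
# Matches "attr: v", "attr:: base64" and "attr;option: v"; group 1 is the bare name.
_ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(?:;[^:]*)?:")

# Constructed sample record (not from the page); the objectGUID value is folded.
SAMPLE = """\
dn: CN=Test User,OU=Staff,DC=development,DC=nyc
changetype: add
objectClass: user
sAMAccountName: tuser
objectGUID:: AAAAAAAAAAAAAAAA
 AAAAAA==
memberOf: CN=Staff,OU=Groups,DC=development,DC=nyc
PwdLastSet: 0
"""


def strip_not_importable(ldif_text):
    """Return (cleaned_ldif, removed); removed lists (dn, attribute) pairs."""
    kept, removed = [], []
    dn, dropping = None, False
    for line in ldif_text.splitlines():
        if line.startswith(" "):
            # Folded continuation line: shares the fate of the line it continues.
            if not dropping:
                kept.append(line)
            continue
        dropping = False
        match = _ATTR.match(line)
        if not line.strip():
            dn = None  # a blank line ends the record
        elif match and match.group(1).lower() == "dn":
            dn = line.split(":", 1)[1].lstrip(": ").strip()  # first physical line only
        elif match and match.group(1).lower() in _BLOCKED:
            removed.append((dn, match.group(1)))
            dropping = True
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed
```

Keeping the returned list of removed (dn, attribute) pairs alongside the ldifde log from Command-05 gives a record of what was stripped before the import.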

Resources:
1. http://support.microsoft.com/kb/276382
2. http://support.microsoft.com/kb/237677