Error When Executing the MoveHere Method of an IADsContainer Object (326978)



The information in this article applies to:

  • Microsoft Active Directory Services Interface, System Component
  • Microsoft Active Directory Services Interface, Microsoft Active Directory Client

This article was previously published under Q326978

SYMPTOMS

When you run the MoveHere method of the IADsContainer object, you may receive the following error message:
The server is unwilling to process the request. 0x80072035

CAUSE

You receive this error when you try to move a user object that is a member of a global group from a parent domain to a child domain. A global group can contain members only from the domain in which the group was created.

RESOLUTION

Remove the user from all global groups except the user's primary group. You can then move the user from the child domain to the parent domain.

The user's old security identifier (SID) is added to the new user object's SidHistory attribute, and the user is given a new SID. Additionally, by default, the user's primary group is set to the parent domain's Domain Users group, and the password of the object is preserved.

STATUS

This behavior is by design.

MORE INFORMATION

You may also receive this error message if you try to add a global security group to another global security group while your domain is in pre-Windows 2000 mode. In a native-mode domain, you can add the global group successfully.

This is by design.

A domain must be in native mode to use the following Windows 2000 group features:
  • Universal security groups. Universal groups are a new type of group that you can create and use in any domain in the forest.
  • Nesting security groups.
  • Conversion of groups.

Mixed mode supports all types of distribution groups (including Universal) and nesting of distribution groups. It is best that you use mixed mode only to support Windows NT 4.0 domain controllers during the migration process. A domain tree or forest can contain both mixed-mode and native-mode domains.

Before you create or convert groups that require native mode, have your application check the operation mode of the domain.

Nesting: In Windows 2000, groups can contain other groups. This is called nesting. Nesting is supported only for distribution groups in domains running in mixed mode. A domain must be in native mode to nest security groups (as well as distribution groups).
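The following pre-move check is an added example, not code from the original article. It reports the target domain's operation mode and lists the global group memberships that the Resolution section says to remove. It reuses the sample paths from this article; the `REMOVE_MEMBERSHIPS` switch and the variable names are assumptions made for illustration.

```vbscript
Option Explicit

Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2   ' bit set in groupType for global groups
Const REMOVE_MEMBERSHIPS = False          ' assumption: report only unless set to True

' Sample names taken from this article; replace with your own.
Const DC_PREFIX = "LDAP://dcmachine.childdom.parentdom.domain.com/"
Const USER_DN = "CN=My User,CN=users,DC=childdom,DC=parentdom,DC=domain,DC=com"
Const TARGET_DOMAIN_PATH = "LDAP://DC=parentdom,DC=domain,DC=com"

Dim objUser, objDomain, objGroup, groups, dn, blocking

' nTMixedDomain on the domain object: 0 = native mode, 1 = mixed mode.
Set objDomain = GetObject(TARGET_DOMAIN_PATH)
If objDomain.Get("nTMixedDomain") = 0 Then
    WScript.Echo "Target domain is in native mode."
Else
    WScript.Echo "Target domain is in mixed mode."
End If

Set objUser = GetObject(DC_PREFIX & USER_DN)

' memberOf does not list the primary group, so the primary group is never touched.
' GetEx raises an error when the attribute is not set (no memberships).
On Error Resume Next
groups = objUser.GetEx("memberOf")
If Err.Number <> 0 Then groups = Array()
On Error GoTo 0

blocking = 0
For Each dn In groups
    ' Assumption: the DN contains no "/" that would need escaping in an ADsPath.
    Set objGroup = GetObject(DC_PREFIX & dn)
    If (objGroup.Get("groupType") And ADS_GROUP_TYPE_GLOBAL_GROUP) <> 0 Then
        blocking = blocking + 1
        WScript.Echo "Global group membership: " & dn
        ' IADsGroup.Remove commits immediately; no SetInfo call is needed.
        If REMOVE_MEMBERSHIPS Then objGroup.Remove objUser.ADsPath
    End If
Next

WScript.Echo blocking & " global group membership(s) found."
```

Run it with cscript.exe so that each WScript.Echo line goes to the console instead of a message box.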

Steps to Reproduce the Behavior

This example assumes that you are moving a user object from a child domain to the parent domain, and is reproduced in the following steps:
  1. Create a user object, and make the user a member of a global group.
  2. Run the following VBScript code:
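    ' Bind to the destination container in the parent domain.
    ' &H1 = ADS_SECURE_AUTHENTICATION, &H100 = ADS_USE_DELEGATION
    Set objconn = GetObject("LDAP:")
    Set objcont = objconn.OpenDSObject("LDAP://CN=Users,DC=parentdom,DC=domain,DC=com", "domain\user", "password", &H1 Or &H100)
    ' Move the user from the child domain into the bound container.
    objcont.MoveHere "LDAP://dcmachine.childdom.parentdom.domain.com/CN=My User,CN=users,DC=childdom,DC=parentdom,DC=domain,DC=com", "CN=My User"
    MsgBox "Done"
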
You can expect to receive the error message that is mentioned in "Symptoms".

Modification Type: Major
Last Reviewed: 2/12/2004
Keywords: kbDSWADSI2003Swept kbprb KB326978 kbAudDeveloper