Powershell – instanceType attribute in Active Directory

active-directoryattributespowershelluser-management

I need to change the instanceType attribute of a service account. If I try to change it from Active Directory Users and Computers console it's greyed out and if I try to change it via powershell with Set-Aduser i get "The attribute cannot be modified because it is owned by the system".

Anyone has any ideea on how can I change the instanceType attribute from 4 to 0 ?

Best Answer

As you've found, the instanceType attribute is marked "system-only", since you could potentially mess with the replication state of the directory replica in which you modify this attribute.

You probably shouldn't be doing this!

To circumvent this protection, add the following registry value on a Domain Controller:

Key:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Name:  "Allow System Only Change"
Type:  DWORD
Value: 0x1

You could use PowerShell for this:

Set-ItemProperty HKLM:\System\CurrentControlSet\Services\NTDS\Parameters -Name "Allow System Only Change" -Value 1

Now you can modify the value of instanceType attributes on that DC. Either connect to that specific DC with LDP.exe/dsa.msc, or use the -Server parameter with the Active Directory module cmdlets.

Remember to remove the registry key after making your changes.

Related Solutions

Active directory password change cannot find the file specified

This error can sometimes be solved by clearing the active directory userParameters property. To edit this you will need adsiedit, which is available in the support tools package, which if its not installed is located at \support\tools\supptools.msi of SBS disk 2

Click on Start > Run and type adsiedit.msc
Expand the Domain node
Expand DC=
Find and Right Click on the User object and click on Properties
Check the box to "Show mandatory attributes"
Click the box to "Show optional attributes"
In the Attributes field, click on the userParameters attribute
Click on the Edit button
Click the Clear button and then click OK

Be careful when using adsiedit as you are editing Active Directory

If this does not solve the issue, another thing you can try is to check that all FSMO roles are held by this server. They should be as its an SBS server, but its worth checking. If you are unsure you can always seize the roles.

What do the “Read personal information” and “Write personal information” Active Directory permissions entail

According to this article, those permissions affect these attributes:

streetAddress

homePostalAddress

assistant

info

country/region name

facsimileTelephoneNumber (fax number)

International-ISDN-Number

Locality-Name

MSMQ-Digests

mSMQSignCertificates

Personal-Title

Phone-Fax-Other

Phone-Home-Other

Phone-Home-Primary

otherIpPhone

ipPhonenumber

primaryInternationalISDNNumber Phone-ISDN-Primary

Phone-Mobile-Other (otherMobile)

Phone-Mobile-Primary

Phone-Office-Other (otherTelephone)

Phone-Pager-Other

Phone-Pager-Primary

physicalDeliveryOfficeName

thumbnailPhoto (Picture)

postalCode

preferredDeliveryMethod

registeredAddress

State-Or-Province-Name

Street-Address

telephoneNumber

teletexTerminalIdentifier

telexNumber

primaryTelexNumber

userCert

User-Shared-Folder

User-Shared-Folder-Other

userSMIMECertificate

x121Address

X509-Cert

The user's name is not included in this list, so those aren't the proper permissions to grant. "General Information" is the category you'll find the name under.

Best Answer

You probably shouldn't be doing this!

Related Solutions

Active directory password change cannot find the file specified

What do the “Read personal information” and “Write personal information” Active Directory permissions entail

Related Topic