Microsoft KB Archive/326978

= Error When Executing the MoveHere Method of an IADsContainer Object =

Article ID: 326978

Article Last Modified on 2/12/2004


APPLIES TO


 * Microsoft Active Directory Service Interfaces 2.5



This article was previously published under Q326978



SYMPTOMS
When you run the MoveHere method of the IADsContainer object, you may receive the following error message:

The server is unwilling to process the request. 0x80072035



CAUSE
You receive this error when you try to move a user object that is a member of a global group from a parent domain to a child domain. Global groups can only contain members from the domain where the global group was made.



RESOLUTION
Remove the user from all global groups except the user's primary group. In this way, you can move the user from the child domain to the parent domain.

The user's old security identifier (SID) is added to the new user object's SidHistory attribute, and the user is given a new SID. Additionally, by default, the user's primary group is set to the parent domain's Domain Users group, and the password of the object is preserved.



STATUS
This behavior is by design.



MORE INFORMATION
You may also receive this error message if you try to add a global group of the security group type to another global group of the same kind while your domain is in Pre-Windows 2000 mode. In a native-mode domain, you can add a global group to such a group successfully.

This is by design.

A domain must be in native mode to use the following Windows 2000 group features:
 * Universal security groups. Universal groups are a new type of group that you can create and use in any domain in the forest.
 * Nesting security groups.
 * Conversion of groups.

Mixed mode supports all types of distribution groups (including Universal) and nesting of distribution groups. It is best that you use mixed mode only to support Windows NT 4.0 domain controllers during the migration process. A domain tree or forest can contain both mixed-mode and native-mode domains.

Before you create or convert groups that require native mode, have your application check the operation mode of the domain.
 * Nesting. In Windows 2000, groups can contain other groups. This is called nesting. Nesting is supported only for distribution groups in domains running in mixed mode. A domain must be in native mode to nest security groups (as well as distribution groups).

Steps to Reproduce the Behavior
This example assumes that you are moving a user object from a child domain to the parent domain. To reproduce the behavior, follow these steps:
 1. Create a user object, and make the user a member of a global group.
 2. Run the following VBScript code:

    ' Bind to the destination container in the parent domain with explicit credentials.
    ' &H1 = ADS_SECURE_AUTHENTICATION, &H100 = ADS_USE_DELEGATION
    Set objconn = GetObject("LDAP:")
    Set objcont = objconn.OpenDSObject("LDAP://CN=Users,DC=parentdom,DC=domain,DC=com", "domain\user", "password", &H1 Or &H100)
    ' Move the user from the child domain into the bound container, keeping the same RDN.
    objcont.MoveHere "LDAP://dcmachine.childdom.parentdom.domain.com/CN=My User,CN=users,DC=childdom,DC=parentdom,DC=domain,DC=com", "CN=My User"
    MsgBox "Done"

You can expect to receive the error message that is mentioned in "Symptoms".
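The resolution applied to the reproduction script, as an added example that is not part of the original article: it removes the user from every global group listed in memberOf (the primary group is not listed there), logs each removal, and then repeats the MoveHere call. It assumes the article's placeholder paths and credentials, and that the script runs under an account allowed to modify groups in the child domain.

```vbscript
' Added example, not part of the original article.
' Paths and credentials are the article's placeholders.
Option Explicit
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_DELEGATION = &H100
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2
Const CHILD_DC = "dcmachine.childdom.parentdom.domain.com"
Const USER_DN = "CN=My User,CN=users,DC=childdom,DC=parentdom,DC=domain,DC=com"
Const TARGET = "LDAP://CN=Users,DC=parentdom,DC=domain,DC=com"

Dim objUser, objGroup, objConn, objCont, groups, dn, removed
Set objUser = GetObject("LDAP://" & CHILD_DC & "/" & USER_DN)

' memberOf never lists the primary group, so that membership is left in place.
' GetEx raises an error when the attribute is empty, so trap that case.
On Error Resume Next
groups = objUser.GetEx("memberOf")
If Err.Number <> 0 Then groups = Array()
Err.Clear
On Error GoTo 0

removed = 0
For Each dn In groups
    ' DNs that contain "/" would need escaping in an ADsPath; not handled here.
    Set objGroup = GetObject("LDAP://" & CHILD_DC & "/" & dn)
    If (objGroup.Get("groupType") And ADS_GROUP_TYPE_GLOBAL_GROUP) <> 0 Then
        objGroup.Remove objUser.ADsPath
        ' Keep a record so the memberships can be reviewed after the move.
        WScript.Echo "Removed from global group: " & dn
        removed = removed + 1
    End If
Next
WScript.Echo removed & " global group membership(s) removed."

' Same bind and move as the article's reproduction script.
Set objConn = GetObject("LDAP:")
Set objCont = objConn.OpenDSObject(TARGET, "domain\user", "password", _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_DELEGATION)
objCont.MoveHere "LDAP://" & CHILD_DC & "/" & USER_DN, "CN=My User"
WScript.Echo "Move completed."
```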

