Resolution
Directory and Resource Administrator 6.x
symptom
Error: 'Unable to perform this operation because of company policy.' when creating a user account in Directory and Resource Administrator.
symptom
When creating a new user account in a domain managed by Directory and Resource Administrator (DRA), the following error message is returned even though there are no other user accounts with the same logon name in the managed domain:
Unable to perform this operation because of company policy.
<Userid> is not a unique sAMAccountName in the set of known domains.
cause
If the logon account being created already exists in a trusted domain, the error message will be returned. This is due to the $NameUniquenessPolicy, which is enabled within DRA by default.
fix
Search for an account with that logon account name in any trusted domains. If an account with the same logon name already exists in a trusted domain, choose a different name for the new account to be created in the managed domain.
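One way to run that search from PowerShell, as an added example that is not part of the original article or of DRA. It assumes the ActiveDirectory (RSAT) module, read access to each trusted domain, and that the trusts of the current domain match the domains DRA knows about. The function name and the sample logon name are hypothetical, and it matches any object type carrying the sAMAccountName, not only user accounts.

```powershell
# Added example: look for a sAMAccountName in every domain trusted by the
# current domain, to find the collision the policy is reporting.
# Assumption: the ActiveDirectory (RSAT) module is installed.
Import-Module ActiveDirectory

function Find-SamAccountNameInTrustedDomains {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    # Escape LDAP filter metacharacters (RFC 4515) so the name is matched
    # literally; the backslash must be escaped first.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'
    $filter = "(sAMAccountName=$escaped)"

    # Trust objects of the current domain; Target holds the trusted domain name.
    $domains = Get-ADTrust -Filter * |
        Select-Object -ExpandProperty Target -Unique

    foreach ($domain in $domains) {
        try {
            # Get-ADObject rather than Get-ADUser: computers and groups also
            # carry a sAMAccountName.
            Get-ADObject -LDAPFilter $filter -Server $domain `
                         -Properties sAMAccountName -ErrorAction Stop |
                Select-Object @{ n = 'Domain'; e = { $domain } },
                              sAMAccountName, ObjectClass, DistinguishedName
        }
        catch {
            # Report an unreachable domain instead of treating it as "no match".
            Write-Warning "Could not query ${domain}: $($_.Exception.Message)"
        }
    }
}

# 'jsmith' is a constructed sample logon name.
Find-SamAccountNameInTrustedDomains -SamAccountName 'jsmith'
```

A warning for a domain means that domain was not checked, so an empty result is only conclusive when every trusted domain answered.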
Alternatively, the $NameUniquenessPolicy can be disabled from the Directory and Resource Administrator (DRA) MMC interface by performing the following steps:
Launch the MMC interface while logged on as an Assistant Admin with, at minimum, the Built-in Policy Role.
Expand the Policy and automation management snap-in node and select Policy.
Highlight the $NameUniquenessPolicy and select either Disable or Delete from the menu.
In DRA 6.40 and later, both Disable and Delete are available. In DRA 6.30 SP1 and earlier, Disable is not an available menu option, leaving deletion of the policy as the only option.
While deletion of the built-in policy is not a recommended solution, a deleted policy can be restored by clicking New from within the Policy snap-in and selecting the policy from the list.
Note
The error message is configurable within DRA, so the text of the error may vary.
Note
In DRA 6.4 and later, the $NameUniquenessPolicy can be configured to not apply against trusted domains. This can be done by disabling the policy. When the policy is disabled, name uniqueness will still be enforced by Windows NT/2000 in the managed domain where the user account is created.