Error: 'Access to the attribute is not permitted because the attribute is owned by the SAM'. (NETIQKB33774)

fact
Directory and Resource Administrator 6.60

fact
Windows 2003

symptom
Error: 'Access to the attribute is not permitted because the attribute is owned by the SAM'.

symptom

Cloning any user account account in a Windows 2003 domain which has logged into the domain results in the following error message;

• Access to the attribute is not permitted because the attribute is owned by the SAM.

symptom

Assistant Admins can clone user accounts in a Windows 2003 domain which have not logged into the domain successfully.

cause
This problem occurs because Directory and Resource Administrator (DRA) attempts to clone the lastLogonTimeStamp property.  Certain properties, including the lastLogonTimeStamp property, are protected system fields and cannot be written to Active Directory.  Consequently, when an Assistant Admin attempts to clone a user account who has logged into the domain before, the above error message is received.

fix

In order to resolve this problem, please perform the following steps to prevent DRA from cloning the lastLogonTimeStamp property on the DRA server:

1. Click Start | Run and type Regedit in the 'Open:' field to launch the Registry Editor.
   
2. Select the Hkey_Local_Machine | Software | Mission Critical Software | OnePoint | Administration | Data | Modules | Accounts key.
   
3. Click New and Key from the "Edit" drop-down menu.
   
4. Enter CloneExceptions as the name of the new key and press Enter.
   
5. With the CloneExceptions key selected, click New and then String Value from the "Edit" drop-down menu.
   
6. Click Modify from the "Edit" drop-down menu.
   
7. Enter lastLogonTimeStamp as the name of the new value and press Enter.
   
8. Restart the MCS OnePoint Administrator Server service.

This issue is resolved in Directory and Resource Administrator 7.0 and later.

Formerly known as NETIQKB33774