Share via

3.1.1.5.3.6 wellKnownObjects Updates

  • Article

In AD DS, when a wellKnownObjects value is modified by an originating update, the following additional constraints apply. These constraints are not enforced for replicated updates.

  • The update is performed on the PDC FSMO; otherwise referral / ERROR_DS_REFERRAL is returned.

  • The update is on the domain NC root object; otherwise, unwillingToPerform / ERROR_DS_UNWILLING_TO_PERFORM is returned.

  • The domain functional level is at least DS_BEHAVIOR_WIN2003; otherwise unwillingToPerform / ERROR_DS_NOT_SUPPORTED is returned.

  • Only the Users and Computers container wellKnownObjects references can be updated. This corresponds to the GUID_USERS_CONTAINER_W and GUID_COMPUTERS_CONTAINER_W well-known object (WKO) GUIDs, respectively; otherwise, unwillingToPerform / ERROR_DS_UNWILLING_TO_PERFORM is returned.

  • Only add-value and remove-value LDAP verbs are supported; otherwise, unwillingToPerform / ERROR_DS_UNWILLING_TO_PERFORM is returned.

  • If the DC functional level is DS_BEHAVIOR_WIN2008 or greater, then the object named by the new value MUST satisfy the possSuperiors schema constraint for the objectClass corresponding to the WKO reference being updated. For example, if the wellKnownObjects reference corresponding to the GUID_USERS_CONTAINER_W WKO GUID is updated, then it MUST be possible to create user objects as children of the object named by the new value. If this constraint is not satisfied, the server returns unwillingToPerform / ERROR_DS_ILLEGAL_SUPERIOR.

  • The added value does not reside in the container identified by the DN of "CN=System,<domain NC DN>"; otherwise, unwillingToPerform / ERROR_DS_DISALLOWED_IN_SYSTEM_CONTAINER is returned.

  • The object named by the new value MUST NOT have the following bits set in its systemFlags value: FLAG_DISALLOW_DELETE, FLAG_DOMAIN_DISALLOW_RENAME or FLAG_DOMAIN_DISALLOW_MOVE; otherwise unwillingToPerform / ERROR_DS_WKO_CONTAINER_CANNOT_BE_SPECIAL MUST be returned.

  • The removed value matches the corresponding existing value of the WKO reference. If not, then unwillingToPerform / ERROR_DS_UNWILLING_TO_PERFORM is returned.

Processing specifics:

  • The following bits MUST be set in the systemFlags of the new container: FLAG_DISALLOW_DELETE, FLAG_DOMAIN_DISALLOW_RENAME and FLAG_DOMAIN_DISALLOW_MOVE.

  • The following bits MUST be reset in the systemFlags of the old container: FLAG_DISALLOW_DELETE, FLAG_DOMAIN_DISALLOW_RENAME and FLAG_DOMAIN_DISALLOW_MOVE.

  • isCriticalSystemObject MUST be set to TRUE on the new container.

  • isCriticalSystemObject MUST be set to FALSE on the old container.