3.1.1.5.3.2 Constraints
The following constraints are enforced for a modify operation performed as an originating update. These constraints are not enforced for replicated updates.
The object resides in a writable NC replica; otherwise the modify returns referral / ERROR_DS_REFERRAL.
In AD DS, if the object being modified is in the config NC or schema NC, and the RM control ([MS-DTYP] section 2.4.6) of the SD is present and contains the SECURITY_PRIVATE_OBJECT bit (section 6.1.3), the DC requires one of the following two conditions to be TRUE:
The DC is a member of the root domain in the forest.
The DC is a member of the same domain to which the current object owner belongs.
If neither condition is TRUE, the modify returns referral / ERROR_DS_REFERRAL.
If a LostAndFound container is being modified, the modify returns unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.
If the fschemaUpgradeInProgress field is FALSE on the LDAPConnection instance in dc.ldapConnections ([MS-DRSR] section 5.116) corresponding to the LDAP connection on which the operation is being performed and the object being modified has class subSchema, then only nTSecurityDescriptor modifications are allowed; otherwise, unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.
Modifying an object with isDeleted = TRUE is allowed only if one of the following conditions is TRUE:
The Recycle Bin optional feature is not enabled and the operation is an undelete operation. Note that the undelete operation is a special case of the modify operation. See section 3.1.1.9.1 for more details on the Recycle Bin optional feature. See section 3.1.1.5.3.7 for more details on the undelete operation.
The Recycle Bin optional feature is enabled, the object does not have isRecycled = TRUE, and the operation is an undelete operation. Note that the undelete operation is a special case of the modify operation. See section 3.1.1.9.1 for more details on the Recycle Bin optional feature. See section 3.1.1.5.3.7 for more details on the undelete operation.
The object being modified is the Deleted Objects container (section 6.1.1.4.2).
The DC functional level is DS_BEHAVIOR_WIN2008R2 or higher, the modification only affects the nTSecurityDescriptor attribute, and the requester has the Reanimate-Tombstones control access right on the NC root of the object's NC.
Any other modifications of these objects fail with unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.
In AD DS, modifications to objects of LSA-specific object classes (section 3.1.1.5.2.3) fail with unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.
Modifying constructed attributes is disallowed, with the exception of the entryTTL attribute. Such modifications fail with undefinedAttributeType / ERROR_DS_ATT_NOT_DEF_IN_SCHEMA if the DC functional level is DS_BEHAVIOR_WIN2000, and with constraintViolation / ERROR_DS_CONSTRUCTED_ATT_MOD if the DC functional level is DS_BEHAVIOR_WIN2003 or greater.
Updates to the name attribute, as well as updates to the object's naming attribute (the attribute named by the rdnType attribute), are disallowed; such a modification returns notAllowedOnRDN / ERROR_DS_CANT_MOD_SYSTEM_ONLY. These updates are performed by Modify DN instead.
A modify of an object whose objectClass is defunct fails with objectClassViolation / ERROR_DS_OBJECT_CLASS_REQUIRED.
If the forest functional level is less than DS_BEHAVIOR_WIN2003, a modify is allowed to remove all values of a defunct attribute. Any other modification that references a defunct attribute fails with undefinedAttributeType / ERROR_DS_ATT_NOT_DEF_IN_SCHEMA.
If the forest functional level is greater than or equal to DS_BEHAVIOR_WIN2003, a modify that references a defunct attribute fails with noSuchAttribute / ERROR_INVALID_PARAMETER.
If the fschemaUpgradeInProgress field is FALSE on the LDAPConnection instance in dc.ldapConnections ([MS-DRSR] section 5.116) corresponding to the LDAP connection on which the operation is being performed, objectCategory modifications on classSchema objects that have FLAG_SCHEMA_BASE_OBJECT present in systemFlags fail with unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.
If the domain functional level is less than DS_BEHAVIOR_WIN2003, then modifications of msDS-AdditionalDnsHostName fail with unwillingToPerform / ERROR_DS_NOT_SUPPORTED.
If the DC functional level is DS_BEHAVIOR_WIN2003 or greater and the msDS-UpdateScript attribute is being modified:
IsEffectiveRoleOwner(RoleObject(default NC, RidAllocationMaster)) MUST be TRUE; otherwise, the server returns unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.
The connection MUST be encrypted with a cipher of at least 128 bits; otherwise, unwillingToPerform / ERROR_DS_CONFIDENTIALITY_REQUIRED is returned.
The msDS-UpdateScript attribute is for server-to-server replication implementation only; the client does not interpret it. This attribute MAY have meaning to applicable Windows Server releases, but the meaning is not significant to Windows clients.
If the dSHeuristics attribute is being modified, the new value MUST satisfy the following constraints:
If the length of the value is 10 or more characters, then the tenth character MUST be "1";
If the length of the value is 20 or more characters, then the twentieth character MUST be "2";
If the length of the value is 30 or more characters, then the thirtieth character MUST be "3";
The same rule applies for "4" through "9": for each n from 4 through 9, if the length of the value is 10n or more characters, then the (10n)th character MUST be the digit n.
When this constraint is violated, the error returned depends on the DC functional level. If the DC functional level is DS_BEHAVIOR_WIN2000, no error is returned. If the DC functional level is DS_BEHAVIOR_WIN2003 or greater, then constraintViolation / ERROR_DS_CONSTRAINT_VIOLATION is returned.
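The following Python is an added illustration, not part of this specification, of the dSHeuristics check-digit constraint above. It reports the position of the first wrong check digit and the error a DC at a given functional level would return. The function names and the DS_BEHAVIOR_* numeric constants are the example's own (only their ordering matters); the sample values are constructed.

```python
# Added example (not part of [MS-ADTS]): validate a proposed dSHeuristics
# value against the positional check-digit constraint and report the error
# a DC would return at a given DC functional level.

# Functional-level values as used by Active Directory; only their ordering
# matters for this check.
DS_BEHAVIOR_WIN2000 = 0
DS_BEHAVIOR_WIN2003 = 2


def dsheuristics_violation(value: str):
    """Return the 1-based position of the first violated check digit, or None.

    For n = 1..9: if the value is 10*n or more characters long, the (10*n)th
    character must be the digit n.  Values shorter than 10 characters cannot
    violate the constraint.
    """
    for n in range(1, 10):
        pos = 10 * n
        if len(value) >= pos and value[pos - 1] != str(n):
            return pos
    return None


def check_dsheuristics_modify(value: str, dc_functional_level: int):
    """Model the modify-time check: returns (accepted, ldapResult, win32Error).

    A violation is surfaced only at DS_BEHAVIOR_WIN2003 or greater; at
    DS_BEHAVIOR_WIN2000 the value is accepted without error.
    """
    pos = dsheuristics_violation(value)
    if pos is None or dc_functional_level < DS_BEHAVIOR_WIN2003:
        return (True, "success", None)
    return (False, "constraintViolation", "ERROR_DS_CONSTRAINT_VIOLATION")


if __name__ == "__main__":
    # Constructed sample values: the first two are well-formed, the last two
    # carry a wrong check digit at position 10 and position 20 respectively.
    for v in ("000000000", "00000000010000000002",
              "0000000000", "00000000010000000001"):
        print(repr(v), dsheuristics_violation(v),
              check_dsheuristics_modify(v, DS_BEHAVIOR_WIN2003))
```

The check digits make a truncated or mis-edited dSHeuristics string detectable; because a DS_BEHAVIOR_WIN2000 DC accepts such a value silently, tooling that audits or writes dSHeuristics is better off running the same check on the client side before submitting the modify.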
If the DC functional level is DS_BEHAVIOR_WIN2003 or greater and the nTMixedDomain attribute is modified, then the object being modified MUST be the domain NC root. Modification of nTMixedDomain on any other object fails with unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.
If the servicePrincipalName attribute is modified, then the values MUST be syntactically valid SPN (2) values (note that additional constraints might apply if the requester did not have WRITE_PROPERTY access to the attribute; see the preceding Validated Writes section 3.1.1.5.3.1.1). Otherwise, constraintViolation / ERROR_DS_NAME_REFERENCE_INVALID is returned. See section 5.1.1.4, Mutual Authentication, for SPN (2) syntax.
If the servicePrincipalName or userPrincipalName attribute is modified, the values MUST meet the constraints specified in section 3.1.1.5.1.3.
If the fSMORoleOwner attribute is modified, then the only allowed attribute value is the DN of the DSA object of the current DC; for all other values, unwillingToPerform / ERROR_DS_INVALID_ROLE_OWNER is returned. In other words, the FSMO role can only be "taken" or transferred to the current DC. It cannot be given away.
Modifications of system-only attributes (including adding an auxiliary class that has a must-have system-only attribute) and modifications of all back link attributes are disallowed, with the following exceptions:
If the fschemaUpgradeInProgress field is TRUE on the LDAPConnection instance in dc.ldapConnections ([MS-DRSR] section 5.116) corresponding to the LDAP connection on which the operation is being performed, the modifications are permitted.
If the DC functional level is DS_BEHAVIOR_WIN2003 or greater, then modifications of the objectClass attribute are permitted, subject to additional constraints (section 3.1.1.5.3.5).
If the DC functional level is DS_BEHAVIOR_WIN2003 or greater, then modifications of msDS-Behavior-Version are permitted, subject to additional constraints (section 3.1.1.5.3.4).
Modifications of msDS-AdditionalDnsHostName are permitted.
Modifications of systemFlags are permitted only in the following case: the modify is on an attributeSchema object in the schema container, and the change is to set (but not reset) the FLAG_ATTR_IS_RDN bit.
Modifications of wellKnownObjects are permitted, subject to additional constraints. See section 3.1.1.5.3.6, wellKnownObjects Updates, for more details.
Modifications of isDeleted and distinguishedName are permitted only when the modify operation is Undelete (section 3.1.1.5.3.7).
Modifications of mAPIID are permitted, subject to the constraints described in section 3.1.1.2.3.
Otherwise, constraintViolation / ERROR_DS_CANT_MOD_SYSTEM_ONLY is returned.
The following constraints are enforced if the DC functional level is DS_BEHAVIOR_WIN2003 or greater and the requester is not passing the LDAP_SERVER_PERMISSIVE_MODIFY_OID control:
Inserting duplicate values into an attribute fails with attributeOrValueExists / ERROR_DS_ATT_VAL_ALREADY_EXISTS.
A modification that removes values that are not present from an attribute fails with noSuchAttribute / ERROR_DS_CANT_REM_MISSING_ATT_VAL.
Removing an attribute that is not present on the object (that is, an attribute that has no value set on it) fails with noSuchAttribute / ERROR_DS_ATT_IS_NOT_ON_OBJ.
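The following Python is an added illustration, not part of this specification, of the three constraints just listed. It applies add, delete and replace changes to an in-memory attribute map the way a DC at DS_BEHAVIOR_WIN2003 or greater would, raising the stated errors unless the permissive-modify control is present. The helper names are the example's own; the OID is the documented value of LDAP_SERVER_PERMISSIVE_MODIFY_OID; the sample object is constructed. The model compares values as exact strings, whereas a real DC applies the matching rule of each attribute's syntax.

```python
# Added example (not part of [MS-ADTS]): simulate how a DC at functional level
# DS_BEHAVIOR_WIN2003 or greater applies add/delete/replace changes to the
# attributes of one object, with and without the permissive-modify control.

# Documented OID of LDAP_SERVER_PERMISSIVE_MODIFY_OID.
PERMISSIVE_MODIFY_OID = "1.2.840.113556.1.4.1413"


class ModifyError(Exception):
    """Carries the LDAP resultCode name and the matching Win32 error name."""

    def __init__(self, ldap_result, win32_error):
        super().__init__(f"{ldap_result} / {win32_error}")
        self.ldap_result = ldap_result
        self.win32_error = win32_error


def apply_modify(entry, changes, controls=()):
    """Apply changes to a copy of entry and return the new attribute map.

    entry    -- dict attribute -> set of values; a missing key means the
                attribute is not present on the object
    changes  -- list of (op, attribute, values); op is "add", "delete" or
                "replace"; an empty values list on "delete" removes the
                whole attribute
    controls -- OIDs of the request controls
    Values are compared as exact strings (a simplification; real attributes
    use the matching rule of their syntax, for example DN matching).
    """
    permissive = PERMISSIVE_MODIFY_OID in controls
    new = {attr: set(vals) for attr, vals in entry.items()}
    for op, attr, values in changes:
        values = set(values)
        current = new.get(attr, set())
        if op == "add":
            if (current & values) and not permissive:
                raise ModifyError("attributeOrValueExists",
                                  "ERROR_DS_ATT_VAL_ALREADY_EXISTS")
            new[attr] = current | values
        elif op == "delete" and not values:
            if attr not in new and not permissive:
                raise ModifyError("noSuchAttribute",
                                  "ERROR_DS_ATT_IS_NOT_ON_OBJ")
            new.pop(attr, None)
        elif op == "delete":
            if (values - current) and not permissive:
                raise ModifyError("noSuchAttribute",
                                  "ERROR_DS_CANT_REM_MISSING_ATT_VAL")
            remaining = current - values
            if remaining:
                new[attr] = remaining
            else:
                new.pop(attr, None)   # last value removed: attribute disappears
        elif op == "replace":
            if values:
                new[attr] = values
            else:
                new.pop(attr, None)
        else:
            raise ValueError(f"unknown op {op!r}")
    return new


def try_modify(entry, changes, controls=()):
    """Return ("success", new_entry) or (ldapResult, win32Error)."""
    try:
        return ("success", apply_modify(entry, changes, controls))
    except ModifyError as e:
        return (e.ldap_result, e.win32_error)


# Constructed sample object: a group with one member and no description.
SAMPLE_GROUP = {"member": {"CN=alice,OU=Users,DC=example,DC=com"}}

if __name__ == "__main__":
    dup_add = [("add", "member", ["CN=alice,OU=Users,DC=example,DC=com"])]
    print(try_modify(SAMPLE_GROUP, dup_add))
    print(try_modify(SAMPLE_GROUP, dup_add, controls=(PERMISSIVE_MODIFY_OID,)))
    print(try_modify(SAMPLE_GROUP, [("delete", "description", [])]))
    print(try_modify(SAMPLE_GROUP, [("delete", "member",
                                     ["CN=bob,OU=Users,DC=example,DC=com"])]))
```

Provisioning code that re-runs the same membership change after a partial failure will hit attributeOrValueExists on the retry unless it either reads the object first or sends the permissive-modify control; the model makes both behaviours visible without a directory.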
If the DC functional level is DS_BEHAVIOR_WIN2008 or greater, the following constraints are enforced on objects of class msDS-PasswordSettings:
The msDS-PasswordHistoryLength attribute is less than or equal to 1024.
The msDS-MinimumPasswordAge attribute is less than or equal to 0.
The msDS-MaximumPasswordAge attribute is less than or equal to 0.
The msDS-MaximumPasswordAge attribute is less than the value that the msDS-MinimumPasswordAge attribute on the same object would have after the modify completes.
The msDS-MinimumPasswordLength attribute is less than or equal to 256.
The msDS-LockoutDuration attribute is less than or equal to 0.
The msDS-LockoutObservationWindow attribute is less than or equal to 0.
The msDS-LockoutDuration attribute is less than or equal to the value that the msDS-LockoutObservationWindow attribute on the same object would have after the modify completes.
Otherwise, unwillingToPerform / ERROR_DS_SECURITY_ILLEGAL_MODIFY is returned.
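The following Python is an added illustration, not part of this specification, of the msDS-PasswordSettings constraints above. It merges the proposed replacement values into the object's current values and evaluates every rule on that merged state, which is what "after the modify completes" means for the two relational rules. The interval attributes are represented as negative counts of 100-nanosecond units, the stored form AD uses for these attributes, which is why a longer interval is a more negative number and the rules read "less than or equal to 0". The helper names and the sample PSO are the example's own.

```python
# Added example (not part of [MS-ADTS]): evaluate the msDS-PasswordSettings
# constraints against the state an object would have after a modify, i.e. the
# current values with the proposed replacements merged in.
#
# Interval attributes are stored as negative LARGE_INTEGER counts of 100-ns
# units (the AD convention for these attributes): a more negative value is a
# longer interval, and a positive value has the wrong sign.

TICKS_PER_MINUTE = 600_000_000             # 60 s * 10^7 ticks per second
TICKS_PER_DAY = 24 * 60 * TICKS_PER_MINUTE


def days(n):
    """Interval of n days in stored (negative) form."""
    return -n * TICKS_PER_DAY


def minutes(n):
    """Interval of n minutes in stored (negative) form."""
    return -n * TICKS_PER_MINUTE


# (rule name, predicate over the merged attribute dict)
PSO_RULES = [
    ("msDS-PasswordHistoryLength <= 1024",
     lambda m: m["msDS-PasswordHistoryLength"] <= 1024),
    ("msDS-MinimumPasswordAge <= 0",
     lambda m: m["msDS-MinimumPasswordAge"] <= 0),
    ("msDS-MaximumPasswordAge <= 0",
     lambda m: m["msDS-MaximumPasswordAge"] <= 0),
    ("msDS-MaximumPasswordAge < msDS-MinimumPasswordAge",
     lambda m: m["msDS-MaximumPasswordAge"] < m["msDS-MinimumPasswordAge"]),
    ("msDS-MinimumPasswordLength <= 256",
     lambda m: m["msDS-MinimumPasswordLength"] <= 256),
    ("msDS-LockoutDuration <= 0",
     lambda m: m["msDS-LockoutDuration"] <= 0),
    ("msDS-LockoutObservationWindow <= 0",
     lambda m: m["msDS-LockoutObservationWindow"] <= 0),
    ("msDS-LockoutDuration <= msDS-LockoutObservationWindow",
     lambda m: m["msDS-LockoutDuration"] <= m["msDS-LockoutObservationWindow"]),
]

REQUIRED = (
    "msDS-PasswordHistoryLength", "msDS-MinimumPasswordAge",
    "msDS-MaximumPasswordAge", "msDS-MinimumPasswordLength",
    "msDS-LockoutDuration", "msDS-LockoutObservationWindow",
)


def pso_violations(merged):
    """Names of the rules the merged attribute set violates (empty if none)."""
    missing = [a for a in REQUIRED if a not in merged]
    if missing:
        raise ValueError(f"cannot evaluate constraints, missing: {missing}")
    return [name for name, ok in PSO_RULES if not ok(merged)]


def check_pso_modify(current, replacements):
    """Return ("success", None, []) when the post-modify state is valid, else
    ("unwillingToPerform", "ERROR_DS_SECURITY_ILLEGAL_MODIFY", violations).

    current      -- attribute values on the object before the modify
    replacements -- attribute -> new value for each replace operation
    """
    merged = {**current, **replacements}
    violations = pso_violations(merged)
    if violations:
        return ("unwillingToPerform", "ERROR_DS_SECURITY_ILLEGAL_MODIFY",
                violations)
    return ("success", None, [])


# Constructed sample PSO: 24 remembered passwords, minimum age 1 day, maximum
# age 42 days, 14-character minimum, 30-minute lockout with a 30-minute
# observation window.
SAMPLE_PSO = {
    "msDS-PasswordHistoryLength": 24,
    "msDS-MinimumPasswordAge": days(1),
    "msDS-MaximumPasswordAge": days(42),
    "msDS-MinimumPasswordLength": 14,
    "msDS-LockoutDuration": minutes(30),
    "msDS-LockoutObservationWindow": minutes(30),
}

if __name__ == "__main__":
    print(check_pso_modify(SAMPLE_PSO, {}))
    # Raising the minimum age above the maximum age is rejected.
    print(check_pso_modify(SAMPLE_PSO, {"msDS-MinimumPasswordAge": days(60)}))
    # Widening the observation window past the lockout duration is rejected.
    print(check_pso_modify(SAMPLE_PSO, {"msDS-LockoutObservationWindow": minutes(60)}))
    # A positive interval has the wrong sign and is rejected.
    print(check_pso_modify(SAMPLE_PSO, {"msDS-LockoutDuration": -minutes(30)}))
```

Because the rules are evaluated on the merged state, a single modify that changes both sides of a relational rule (for example lowering the observation window and the lockout duration together) is judged on the pair of new values, not on each value against the old object.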
In AD LDS, if the LDAP policy ADAMDisablePasswordPolicies does not equal 1, and a password value (either unicodePwd or userPassword) is specified in a modify, the password MUST satisfy the current password policy in effect on the AD LDS server as reported by SamrValidatePassword ([MS-SAMR] section 3.1.5.13.7). If the provided password value does not satisfy the password policy, the modify returns constraintViolation / ERROR_PASSWORD_RESTRICTION.
In AD LDS, if the fAllowPasswordOperationsOverNonSecureConnection heuristic of the dSHeuristics attribute (see section 6.1.1.2.4.1.2) is not TRUE, and a password value (either unicodePwd or userPassword) is specified in a modify, the LDAP connection MUST be encrypted with a cipher strength of at least 128 bits. If the connection is not so encrypted, the modify returns operationsError / ERROR_DS_ILLEGAL_MOD_OPERATION.
In AD LDS, if the userPrincipalName value is modified, then the new value MUST be unique within all NCs on this DC. If another object exists with the same userPrincipalName value, the modify returns constraintViolation / ERROR_DS_NAME_NOT_UNIQUE.
In AD LDS, if the pwdLastSet attribute is modified, then the operation MUST replace the existing value with a new value of 0 or -1. Otherwise, constraintViolation / ERROR_INVALID_PARAMETER is returned.
In AD LDS, if the lockoutTime attribute is modified, then the operation MUST replace the existing value with a new value of 0. Otherwise, constraintViolation / ERROR_INVALID_PARAMETER is returned.
In AD LDS, if the msDS-UserAccountDisabled attribute is being set to FALSE, then the operation succeeds if one of the following is TRUE:
The LDAP policy ADAMDisablePasswordPolicies equals 1.
The ms-DS-UserPasswordNotRequired attribute equals TRUE.
The current password value on the object satisfies the current password policy, as reported by SamrValidatePassword ([MS-SAMR] section 3.1.5.13.7).
If this check fails, the modify returns constraintViolation / ERROR_PASSWORD_RESTRICTION.
After the modify operation, the object MUST remain compliant with the schema as described in section 3.1.1.5.1.1.
If the object being modified is a SAM-specific object (section 3.1.1.5.2.3), then additional constraints apply (specified in [MS-SAMR] section 3.1.1.6).
If the modify operation affects the nTSecurityDescriptor attribute, then additional constraints apply (see section 6.1.3, "Security Descriptor Requirements", for more details).
If the modify operation would require delayed link processing (section 3.1.1.1.16), and such processing is already underway for the object being modified due to a previous update, then the modify returns busy / ERROR_DS_DATABASE_ERROR.
If the modify operation adds or replaces values of the description attribute on a SAM-specific object (section 3.1.1.5.2.3), and results in more than one value in the attribute, then the modification fails with attributeOrValueExists / ERROR_DS_SINGLE_VALUE_CONSTRAINT.
In AD DS, the following attributes are disallowed in a Modify for an object of class user: badPasswordTime, badPwdCount, dBCSPwd, isCriticalSystemObject, lastLogoff, lastLogon, lastLogonTimestamp, lmPwdHistory, logonCount, memberOf, msDS-User-Account-Control-Computed, ntPwdHistory, objectSid, rid, sAMAccountType, and supplementalCredentials. If one of these attributes is specified in a Modify, the Modify returns unwillingToPerform / ERROR_DS_ATTRIBUTE_OWNED_BY_SAM.
In AD DS, the following attributes are disallowed in a Modify for an object of class group: isCriticalSystemObject, memberOf, objectSid, rid, sAMAccountType, and userPassword. If one of these attributes is specified in a Modify, the Modify returns unwillingToPerform / ERROR_DS_ATTRIBUTE_OWNED_BY_SAM.
In AD DS, the following attributes are disallowed in a Modify for an object whose class is not a SAM-specific object class (see 3.1.1.5.2.3): isCriticalSystemObject, lmPwdHistory, ntPwdHistory, objectSid, samAccountName, sAMAccountType, supplementalCredentials, and unicodePwd. If one of these attributes is specified in a Modify, the Modify returns unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.