2

I need to change the instanceType attribute of a service account. If I try to change it from the Active Directory Users and Computers console it's greyed out, and if I try to change it via PowerShell with Set-ADUser I get "The attribute cannot be modified because it is owned by the system".

Does anyone have any idea how I can change the instanceType attribute from 4 to 0?

Cranta Ionut
  • Yes, there is an (unsupported) way of doing this, but `instanceType` is not the type of attribute value you would normally change, for any reason. What are you trying to accomplish? – Mathias R. Jessen Jan 11 '16 at 13:49
  • I'm going to guess that OP is trying to make the user account read-only? – Ryan Ries Jan 11 '16 at 14:00
  • 1
    This was only a task I was supposed to do and I stumbled upon this error. I found several ways to change it, but most of them said just what Mathias R. Jessen said, that I shouldn't be doing this. – Cranta Ionut Jan 11 '16 at 14:31

1 Answer

5

As you've found, the instanceType attribute is marked "system-only", since you could potentially mess with the replication state of the directory replica in which you modify this attribute.

You probably shouldn't be doing this!

To circumvent this protection, add the following registry value on a Domain Controller:

```
Key:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Name:  "Allow System Only Change"
Type:  DWORD
Value: 0x1
```

You could use PowerShell for this:

```powershell
Set-ItemProperty HKLM:\System\CurrentControlSet\Services\NTDS\Parameters -Name "Allow System Only Change" -Value 1
```

Now you can modify the value of instanceType attributes on that DC. Either connect to that specific DC with LDP.exe/dsa.msc, or use the -Server parameter with the Active Directory module cmdlets.

Remember to remove the registry key after making your changes.

Mathias R. Jessen
  • This is a request that I am supposed to do, but thanks to you I can now give a pertinent answer as to why I cannot make these changes. Thank you. – Cranta Ionut Jan 11 '16 at 14:29
  • Please don't forget to mark this as an answer. – Daniel Jan 11 '16 at 16:07
  • 1
    I believe that even if you change the protection there is no guarantee that the attribute won't be changed by the system right after. – Jim B Jan 19 '16 at 04:09
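
The answer's last step, removing the registry value, is easy to forget. As an added example (not part of the original answer), this PowerShell function reports whether "Allow System Only Change" is still present on a Domain Controller and removes it when asked; the function name `Test-SystemOnlyOverride` and its parameters are hypothetical, and remote checks assume PowerShell remoting is enabled on the target.

```powershell
# Added example, not from the original answer.
# Audits (and optionally clears) the override value named in the answer.
# Function name and parameters are hypothetical.
function Test-SystemOnlyOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Remove
    )
    # Runs on each target: read the value, delete it if requested, report state.
    $check = {
        param($DoRemove)
        $key  = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
        $name = 'Allow System Only Change'
        # A missing key or value is not an error here; it means "not present".
        $prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.$name } else { $null }
        $removed = $false
        if ($DoRemove -and $null -ne $value) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
            $removed = $true
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Present  = ($null -ne $value)
            Value    = $value
            Removed  = $removed
        }
    }
    foreach ($c in $ComputerName) {
        # -WhatIf / -Confirm are honoured before anything is deleted.
        $doRemove = $Remove -and $PSCmdlet.ShouldProcess($c, "Remove 'Allow System Only Change'")
        if ($c -eq $env:COMPUTERNAME) {
            & $check $doRemove
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $check -ArgumentList $doRemove
        }
    }
}

# Report only, on the local machine:
Test-SystemOnlyOverride
# Clean up after the change has been made:
# Test-SystemOnlyOverride -Remove
```

Any DC that reports `Present = True` outside a planned change window still has the system-only protection disabled.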