Home / server / Questions / 748217
In Process
Cranta Ionut
Asked: 2016-01-12 05:32:32 +0800 CST

instanceType attribute in Active Directory

  • 772

I need to change the instanceType attribute of a service account. If I try to change it from Active Directory Users and Computers console it's greyed out and if I try to change it via powershell with Set-Aduser i get "The attribute cannot be modified because it is owned by the system".

Anyone has any ideea on how can I change the instanceType attribute from 4 to 0 ?

active-directory

1 Answers

  1. As you've found, the instanceType attribute is marked "system-only", since you could potentially mess with the replication state of the directory replica in which you modify this attribute.

    You probably shouldn't be doing this!

    To circumvent this protection, add the following registry value on a Domain Controller:

    Key:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Name:  "Allow System Only Change"
Type:  DWORD
Value: 0x1

    You could use PowerShell for this:

    Set-ItemProperty HKLM:\System\CurrentControlSet\Services\NTDS\Parameters -Name "Allow System Only Change" -Value 1

    Now you can modify the value of instanceType attributes on that DC. Either connect to that specific DC with LDP.exe/dsa.msc, or use the -Server parameter with the Active Directory module cmdlets.

    Remember to remove the registry key after making your changes.

    • 5