This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 39%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIL%3C/text%3E%3C/svg%3E)
Dear community!
Software: Windows Server 2019 Essentials as domain controller. When I want to change any data of any user in a given OU, I get this error message:
"The specified directory service attribute or value already exists"
I also tried changing the user from PowerShell, the problem is the same. I am past the first 30 hits of our friend Google. I retrieved the data of each user with PowerShell, I checked if there was a unique conflict somewhere, there was none. What else can I do, how would you continue troubleshooting? I'd like to add another PC to "Log on to..." field. My PowerShell commands are:
$Workstations = (Get-ADUser my.user.name -Properties LogonWorkstations).LogonWorkstations
$Workstations += ",NEW-NAME"
Set-ADUser my.user.name -LogonWorkstations $Workstations
Additional info: there are 4 users in this OU. The names, for sample:
familyname.user1
familyname.user2
familyname.user3
different.name
The first 3, when "familyname" are identical, I cannot edit the user.
The fourth user with totally different name: I can edit this user.
The first 3 users have mailbox, the fourth not, if this matters.
Here is one of the problematic users (name info replaced with word "sample" and "name", domain with "sampledomain.tld"):
AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 133173208164148764
badPwdCount : 0
CannotChangePassword : True
CanonicalName : sampledomain.tld/JM-DEFAULT/Sample Name
Certificates : {}
City :
CN : Sample Name
codePage : 0
Company :
CompoundIdentitySupported : {}
Country :
countryCode : 0
Created : 2022. 05. 04. 8:23:22
createTimeStamp : 2022. 05. 04. 8:23:22
Deleted :
Department :
Description :
DisplayName : Sample Name
DistinguishedName : CN=Sample Name,OU=JM-DEFAULT,DC=samplemerleg,DC=tld
Division :
DoesNotRequirePreAuth : False
dSCorePropagationData : {2023. 01. 04. 16:01:11, 2023. 01. 04. 16:00:49, 2022. 05. 04. 8:59:49, 2022. 05. 04. 8:23:22...}
EmailAddress : ******@sampledomain.tld
EmployeeID :
EmployeeNumber :
Enabled : True
Fax :
fetchmailAccount : {Base64EncodedDataHere}
gidNumber : 2513
GivenName : Name
HomeDirectory :
HomedirRequired : False
HomeDrive :
HomePage :
HomePhone :
Initials :
instanceType : 4
isDeleted :
KerberosEncryptionType : {}
LastBadPasswordAttempt : 2023. 01. 04. 16:46:56
LastKnownParent :
lastLogoff : 0
lastLogon : 133173211534987858
LastLogonDate : 2022. 12. 27. 9:11:53
lastLogonTimestamp : 133166023134131210
LockedOut : False
logonCount : 89
LogonWorkstations : DESKTOP-TKAHDGT,JM-ASUS-FA65
mail : ******@sampledomain.tld
mailbox : sampledomain.tld/sample.name/
mailHomeDirectory : {/var/vmail/}
mailquota : 10240
Manager :
MemberOf : {CN=JM_USERS,CN=Users,DC=sampledomain,DC=tld}
MNSLogonAccount : False
MobilePhone :
Modified : 2023. 01. 04. 16:01:11
modifyTimeStamp : 2023. 01. 04. 16:01:11
msDS-User-Account-Control-Computed : 0
Name : Sample Name
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=sampledomain,DC=tld
ObjectClass : user
ObjectGUID : 0cd9a306-aad4-4634-a599-12d8e75ca271
objectSid : S-1-5-21-121529692-3925751680-3766135194-1116
Office :
OfficePhone :
Organization :
OtherName :
PasswordExpired : False
PasswordLastSet : 2022. 05. 04. 8:23:22
PasswordNeverExpires : True
PasswordNotRequired : False
POBox :
PostalCode :
PrimaryGroup : CN=Domain Users,CN=Users,DC=sampledomain,DC=tld
primaryGroupID : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath :
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132961190024300816
quota : 10240
SamAccountName : sample.user
sAMAccountType : 805306368
ScriptPath :
sDRightsEffective : 15
ServicePrincipalNames : {}
SID : S-1-5-21-121529692-3925751680-3766135194-1116
SIDHistory : {}
SmartcardLogonRequired : False
sn : Sample
State :
StreetAddress :
Surname : Sample
Title :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
uidNumber : 65542
UseDESKeyOnly : False
userAccountControl : 66048
userCertificate : {}
userMaildirSize : 0
UserPrincipalName : ******@sampledomain.tld
userWorkstations : DESKTOP-TKAHDGT,JM-ASUS-FA65
uSNChanged : 3178619
uSNCreated : 2509778
whenChanged : 2023. 01. 04. 16:01:11
whenCreated : 2022. 05. 04. 8:23:22
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
You said that the 1st three users have a mailbox? Where?
Windows Server 2019 Essentials limitations
Only works with Retail licenses of Office;
It is not possible to work remotely;
A max. of 25 users;
Cannot work with SQL Server, Exchange Server and Sharepoint Server.
EDIT: Never mind. the mail system is *nix:
mailbox : sampledomain.tld/sample.name/
mailHomeDirectory : {/var/vmail/}
Yes, the mail server is based on Zentyal (Samba LDAP authentication + Postfix + Dovecot).
The list of properties you provided for one of the problematic users includes userWorkstations : DESKTOP-TKAHDGT,JM-ASUS-FA65. So you were, at one point, able to modify that user. What has changed since then?
Can you modify any properties of that user? Can you do so with ADUC and PowerShell, or only with one and not the other?
The only thing that has changed is that e-mail accounts have been set up for the affected users. Since then, it is not possible to edit it either from Windows GUI or PowerShell. If I connect to the Zentyal domain controller with RSAT, I can save the changes and it replicates perfectly to Windows.
You realize that the Server 2019 Essentials can be the ONLY domain controller, don't you? It must run ALL FSMO roles.
I think this limitation exists only in Server 2012 Essentials. I think I can use multiple domain controllers with Essentials, as long Essentials is the root domain contorller, and Essentials holds the FSMO role. As an example, you can join a Standard Windows Server as an additional DC if necessary. And, of course, you can join a Linux Samba, too. But you never can use two Essentials as DCs, I know. But: modifying user accounts via LDAP is not a domain controller only task. Zentyal adds some attributes to the user, and one of teese attributes causes the bug. I think. Am I wrong?
Everything I see for 2019 isn't very clear about multiple DCs, but it all seems to agree that all the FSMO roles mut be held by the 2019 Essentials DC.
Does the Zentyal system extend the AD schema? Does the Zentyal system hold the Schema Master role? How was the mailHomeDirectory attribute added to your AD? Do you have a LDIF file that did the addition, or was Zental able to make the change? And, if so, did it do so correctly.
This seems more a problem with the Active Directory and a third-party software interacting than a PowerShell problem. I think that's supported by the fact that you cannot use the ADUC to modify those accounts.