3.1.1.5.3.5 ObjectClass Updates
If the DC functional level is DS_BEHAVIOR_WIN2003 or greater, then originating updates of the objectClass attribute are permitted, subject to the following additional constraints:
If the forest functional level is less than DS_BEHAVIOR_WIN2003, objectClass updates can be performed only on objects in application NCs; otherwise unwillingToPerform / ERROR_DS_NOT_SUPPORTED is returned.
The specified objectClass value(s) contains a single most specific structural object class; otherwise objectClassViolation / ERROR_DS_OBJ_CLASS_NOT_SUBCLASS is returned. If the set of object classes specified by an update contains "holes" (that is, classes are missing on the inheritance chain from the most specific structural object class to the distinguished class top), the server fills the "holes" during the update.
The structural object class is not modified, with two exceptions:
It is permitted to convert a user object to an inetOrgPerson by the addition of inetOrgPerson to the objectClass attribute.
It is permitted to convert an inetOrgPerson object to a user by the removal of inetOrgPerson from the objectClass attribute.
Otherwise, the error returned depends on the DC functional level. If the DC functional level is DS_BEHAVIOR_WIN2000, constraintViolation / ERROR_DS_CONSTRAINT_VIOLATION is returned. If the DC functional level is DS_BEHAVIOR_WIN2003, unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned. If the DC functional level is DS_BEHAVIOR_WIN2008 or greater, objectClassViolation / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.
Processing specifics:
The set of values is updated to include the full inheritance chains of the structural object class as well as all auxiliary classes present in the value.
The set of values is sorted according to the objectClass requirements (see section 3.1.1.2.4.3 for more information).
A new value of nTSecurityDescriptor is computed and written based on the new objectClass values, according to the security descriptor requirements (see section 6.1.3).
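The following Python sketch models the constraint checks and the "hole" filling described above. It is an added example, not part of the specification or of any Microsoft implementation. The schema subset, the exampleAux class, the function names, and the order in which the checks run are assumptions. Sorting of the values and the nTSecurityDescriptor recomputation are not modeled.

```python
# Constructed schema subset: class name -> (parent class, class kind).
SCHEMA = {
    "top": (None, "abstract"),
    "person": ("top", "structural"),
    "organizationalPerson": ("person", "structural"),
    "user": ("organizationalPerson", "structural"),
    "inetOrgPerson": ("user", "structural"),
    "group": ("top", "structural"),
    "exampleAux": ("top", "auxiliary"),  # hypothetical auxiliary class
}
# Relative ordering only; list positions are not the protocol's numeric values.
LEVELS = ["DS_BEHAVIOR_WIN2000", "DS_BEHAVIOR_WIN2003", "DS_BEHAVIOR_WIN2008"]
ALLOWED_CONVERSIONS = {("user", "inetOrgPerson"), ("inetOrgPerson", "user")}

class UpdateRejected(Exception):
    def __init__(self, ldap_error, win32_error):
        super().__init__(f"{ldap_error} / {win32_error}")
        self.ldap_error, self.win32_error = ldap_error, win32_error

def chain(cls):
    """Inheritance chain from cls up to top, inclusive."""
    out = []
    while cls is not None:
        out.append(cls)
        cls = SCHEMA[cls][0]
    return out

def most_specific_structural(values):
    structural = {c for c in values if SCHEMA[c][1] == "structural"}
    # The winner must have every other specified structural class on its chain.
    winners = [c for c in structural if structural <= set(chain(c))]
    if len(winners) != 1:
        raise UpdateRejected("objectClassViolation", "ERROR_DS_OBJ_CLASS_NOT_SUBCLASS")
    return winners[0]

def update_object_class(current, requested, dc_level, forest_level, in_app_nc):
    below_2003 = LEVELS.index(forest_level) < LEVELS.index("DS_BEHAVIOR_WIN2003")
    if below_2003 and not in_app_nc:
        raise UpdateRejected("unwillingToPerform", "ERROR_DS_NOT_SUPPORTED")
    old, new = most_specific_structural(current), most_specific_structural(requested)
    if old != new and (old, new) not in ALLOWED_CONVERSIONS:
        # The error pair depends on the DC functional level.
        if dc_level == "DS_BEHAVIOR_WIN2000":
            raise UpdateRejected("constraintViolation", "ERROR_DS_CONSTRAINT_VIOLATION")
        ldap = "unwillingToPerform" if dc_level == "DS_BEHAVIOR_WIN2003" else "objectClassViolation"
        raise UpdateRejected(ldap, "ERROR_DS_ILLEGAL_MOD_OPERATION")
    # Fill "holes": full chains of the structural class and of each auxiliary class.
    return {c for v in requested for c in chain(v)}
```

When auditing directory changes, the user to inetOrgPerson conversion is the only structural class change this model accepts, so any other observed change of the most specific structural class indicates the update did not go through this path.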