!!! Overview
When using [Microsoft Active Directory] and LDAP, the following [{$pagename}] [LDAP Result Codes] may be returned.
||LDAP Code||[hex]||SvcErr||Problem||Reference
|053|0x0000052D|DSID-031A0FC0|5003|[ERROR_PASSWORD_RESTRICTION]

||Hex||Decimal||Name||Description
|51C|1308|[INVALID_PRIMARY_GROUP]|This security ID may not be assigned as the primary group of an object
|51D|1309|[NO_IMPERSONATION_TOKEN]|An attempt has been made to operate on an [impersonation] token by a thread that is not currently impersonating a client
|51E|1310|CANT_DISABLE_MANDATORY|The group may not be disabled
|51F|1311|NO_LOGON_SERVERS|There are currently no logon servers available to service the logon request
|520|1312|NO_SUCH_LOGON_SESSION|A specified logon session does not exist. It may already have been terminated
|521|1313|NO_SUCH_PRIVILEGE|A specified privilege does not exist
|522|1314|PRIVILEGE_NOT_HELD|A required privilege is not held by the client
|523|1315|INVALID_ACCOUNT_NAME|The name provided is not a properly formed account name
|524|1316|USER_EXISTS|The specified user already exists
|525|1317|NO_SUCH_USER|The specified user does not exist
|526|1318|GROUP_EXISTS|The specified group already exists
|527|1319|NO_SUCH_GROUP|The specified group does not exist
|528|1320|MEMBER_IN_GROUP|Either the specified user account is already a member of the specified group, or the specified group cannot be deleted because it contains a member
|529|1321|MEMBER_NOT_IN_GROUP|The specified user account is not a member of the specified group account
|52A|1322|LAST_ADMIN|The last remaining administration account cannot be disabled or deleted
|52B|1323|WRONG_PASSWORD|Unable to update the password. The value provided as the current password is incorrect
|52C|1324|ILL_FORMED_PASSWORD|Unable to update the password. The value provided for the new password contains values that are not allowed in passwords
|52D|1325|PASSWORD_RESTRICTION|Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain
|52E|1326|LOGON_FAILURE|Logon failure: unknown user name or bad password
|52F|1327|ACCOUNT_RESTRICTION|Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced
|530|1328|INVALID_LOGON_HOURS|Logon failure: account logon time restriction violation
|531|1329|INVALID_WORKSTATION|Logon failure: user not allowed to log on to this computer
|532|1330|PASSWORD_EXPIRED|Logon failure: the specified account password has expired
|533|1331|ACCOUNT_DISABLED|Logon failure: account currently disabled
|534|1332|NONE_MAPPED|No mapping between account names and security IDs was done
|535|1333|TOO_MANY_LUIDS_REQUESTED|Too many local user identifiers (LUIDs) were requested at one time
|536|1334|LUIDS_EXHAUSTED|No more local user identifiers (LUIDs) are available
|537|1335|INVALID_SUB_AUTHORITY|The subauthority part of a security ID is invalid for this particular use
|538|1336|INVALID_ACL|The access control list (ACL) structure is invalid
|539|1337|INVALID_SID|The security ID structure is invalid
|53A|1338|INVALID_SECURITY_DESCR|The security descriptor structure is invalid

LDAP error 0x35. Unwilling To Perform (0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0).
0x0000052D ERROR_PASSWORD_RESTRICTION "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain." - this often happens when trying to enable a user who has an empty password
Please see https://support.quest.com/SUPPORT/index?page=solution&id=SOL30430

LDAP error 0x35. Unwilling To Perform (00002185: SvcErr: DSID-031B0E21, problem 5003 (WILL_NOT_PERFORM), data -1946157056)
0x00002183 ERROR_DS_MODIFYDN_DISALLOWED_BY_INSTANCE_TYPE "Rename or move operations on naming context heads or read-only objects are not allowed"

LDAP error 0x35.Unwilling To Perform (00002145: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0).
0x00002145 ERROR_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER "A global group cannot have a universal group as a member" - can be caused by skipping the grouptype attribute; this is not recommended, as the synchronized group scope should be the same in the source and target domains.

LDAP error 0x35. Unwilling To Perform (00002077: SvcErr: DSID-031903AF, problem 5003 (WILL_NOT_PERFORM), data 0).
0x00002077 ERROR_DS_ILLEGAL_MOD_OPERATION "Illegal modify operation. Some aspect of the modification is not permitted." - most often caused by the DSA trying to modify the msDS-Cached-Membership-Time-Stamp, msDS-Cached-Membership and msDS-Site-Affinity attributes; you can safely skip those.
Please see https://support.quest.com/SUPPORT/index?page=solution&id=SOL15649
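
Added example, not part of the original page: a Python parser for the Active Directory diagnostic strings quoted above, splitting out the LDAP result code, the Win32 code (hex and decimal, as in the table), the DSID, the problem number and the data field. The function name, the returned field names and the `WIN32_NAMES` table (which holds only three codes listed on this page) are assumptions of this example.

```python
import re

# Win32 codes and names taken from the entries on this page.
WIN32_NAMES = {
    0x0000052D: "ERROR_PASSWORD_RESTRICTION",
    0x00002145: "ERROR_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER",
    0x00002077: "ERROR_DS_ILLEGAL_MOD_OPERATION",
}

# Optional "LDAP error 0x35. <text> (" prefix, then the directory-service part:
# <8 hex digits>: <kind>: DSID-<8 hex>, problem <n> (<NAME>), data <value>
AD_DIAG = re.compile(
    r"(?:LDAP error 0x(?P<ldap>[0-9A-Fa-f]+)\.\s*[^(]*\()?"
    r"(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): (?P<dsid>DSID-[0-9A-Fa-f]{8}), "
    r"problem (?P<problem>\d+) \((?P<problem_name>\w+)\), "
    r"data (?P<data>-?[0-9A-Fa-f]+)"
)

def parse_ad_diagnostic(message):
    """Return the fields of an AD diagnostic string, or None if it does not match."""
    m = AD_DIAG.search(message)
    if m is None:
        return None
    code = int(m["win32"], 16)
    return {
        "ldap_result": int(m["ldap"], 16) if m["ldap"] else None,
        "win32_hex": f"0x{code:08X}",
        "win32_decimal": code,                 # matches the decimal column of the table
        "win32_name": WIN32_NAMES.get(code),   # None when the code is not in the table
        "kind": m["kind"],
        "dsid": m["dsid"],
        "problem": int(m["problem"]),
        "problem_name": m["problem_name"],
        "data": m["data"],                     # kept as text; sign and base vary
    }

if __name__ == "__main__":
    samples = [
        # The first two strings are the ones quoted on this page.
        "LDAP error 0x35. Unwilling To Perform (0000052D: SvcErr: DSID-031A0FC0, "
        "problem 5003 (WILL_NOT_PERFORM), data 0).",
        "LDAP error 0x35. Unwilling To Perform (00002077: SvcErr: DSID-031903AF, "
        "problem 5003 (WILL_NOT_PERFORM), data 0).",
        "connection closed",  # constructed non-matching input
    ]
    for line in samples:
        print(parse_ad_diagnostic(line))
```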

