Restoring Deleted Active Directory User fails with Error 0x2077 Illegal Modify Operation

I was attempting to restore an Active Directory user that had been accidentally deleted on an SBS 2011 server, using the steps outlined in this Microsoft KB article, but I kept coming up short with the following error message.

"Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted."

I was a bit stumped until I read a few of the comments on that article. If you are experiencing this error, check out these tips by Brandon in the comments. It worked perfectly after I followed these steps. Thank you, kind sir.

  • Ensure that you are connecting to your DC by using LDAPS (SSL, port 636)
  • When performing the rename operation using LDP.exe, ensure that you are changing the distinguishedName to an object that doesn't exist. In my case, I received this error when I forgot to include the computer's name in the DN (meaning, I only had OU=x,DC=y,DC=z instead of CN=Server,OU=x,DC=y,DC=z)
  • If using PowerShell and you receive this error: use LDP.exe and ensure you are using LDAPS and a DN that doesn't exist
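The same tombstone reanimation that LDP.exe performs by hand can be scripted, which makes both tips above explicit: the connection is forced onto LDAPS port 636, and the new distinguishedName is built as CN=<name>,<parent> and checked for non-existence before the modify is sent. This is an added example written for this post, not code from the original article, the KB it cites, or Brandon's comment. The DC name, domain naming context, fallback OU, and the deleted account's sAMAccountName are assumed placeholders.

```powershell
# Added example: reanimate a tombstoned AD user over LDAPS with System.DirectoryServices.Protocols.
# Server, naming context, OU and account name below are assumed values; replace them for your domain.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server     = 'dc01.example.local'            # assumed DC name (must match its LDAPS certificate)
$defaultNc  = 'DC=example,DC=local'           # assumed domain naming context
$deletedSam = 'jdoe'                          # assumed sAMAccountName of the deleted user
$fallbackOu = "OU=Users,$defaultNc"           # assumed target if the tombstone has no lastKnownParent
$deletedCont = "CN=Deleted Objects,$defaultNc"

# Tip 1: connect over LDAPS (port 636). The DC's certificate must be trusted by this host.
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 636)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()   # binds as the current user, who needs the right to reanimate tombstones

# Locate the tombstone. Tombstones are only returned when the Show Deleted Objects control
# (OID 1.2.840.113556.1.4.417, wrapped here as ShowDeletedControl) is attached to the search.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $deletedCont,
    "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$deletedSam))",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    @('distinguishedName', 'name', 'lastKnownParent'))
$search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
$result = $conn.SendRequest($search)
if ($result.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for $deletedSam, found $($result.Entries.Count)"
}
$tombstone = $result.Entries[0]
$tombDn    = $tombstone.DistinguishedName

# The tombstone's name is '<original RDN value>' + newline + 'DEL:<GUID>'; keep only the original part.
# (Names containing commas or other DN-special characters would need RDN escaping; not handled here.)
$origCn = ($tombstone.Attributes['name'][0] -split "`nDEL:")[0]

# Tip 2: the new distinguishedName must name an object that does not exist yet, i.e. the full
# CN=<name>,<parent>, never just the parent OU (which exists, and triggers 0x2077).
$parent = if ($tombstone.Attributes.Contains('lastKnownParent')) {
    $tombstone.Attributes['lastKnownParent'][0]
} else {
    $fallbackOu
}
$newDn = "CN=$origCn,$parent"

# Pre-check: a base search on the target DN must fail with noSuchObject before we try the rename.
$probe = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $newDn, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, @('distinguishedName'))
try {
    $conn.SendRequest($probe) | Out-Null
    throw "An object already exists at $newDn; choose a different target DN"
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    if ($_.Exception.Response.ResultCode -ne 'NoSuchObject') { throw }
}

# Reanimate: a single modify that deletes isDeleted (no value) and replaces distinguishedName.
# The Show Deleted control is attached again because the target of the modify is a tombstone.
$delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$delIsDeleted.Name      = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDn.Add($newDn) | Out-Null

$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
$modify.DistinguishedName = $tombDn
$modify.Modifications.Add($delIsDeleted) | Out-Null
$modify.Modifications.Add($setDn) | Out-Null
$modify.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
$conn.SendRequest($modify) | Out-Null

Write-Host "Reanimated $tombDn as $newDn"
```

Reanimation only brings back the attributes the tombstone retained, so the account still needs the follow-up steps from the cited KB article (re-enabling it, resetting its password, and restoring group memberships) before it is usable again.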

  1. Heh, thanks. I needed to use SSL, and forgot to put in the computer's CN when I cut and pasted the last known parent.

  2. Thanks, your 2nd bullet point is what tripped me up, too — I didn’t specify the CN of the restored object before the DN of the object I was restoring to.

