I had an interesting customer request recently that I thought I would share with you. Prior to an upgrade to 2003 they had an account which was used for Remote Desktop Users. On upgrading to 2003 this account was replaced by a System Owned Object with exactly the same name. So their question to me was: how do we rename a System Owned account without getting the following error?
"The attribute cannot be modified because it is owned by the system"
Carry out the following steps.
Warning: Make sure you fully test these in a pre-production environment before applying them to your live environment.
1. Launch LDP.exe and bind to the DS server you want to modify. Make sure you are schema admin, and admin over the partition you are modifying.
2. After connecting and binding, navigate to the Browse menu and select the "Modify" option.
3. Leave the DN blank, type 'schemaUpgradeInProgress' into the Attribute field and in the Values field type 1.
4. Click the Add operation and then click the Enter button. This will add this command to the entry list.
5. Click the Run button. If you are successful you should see a successful modify message.
6. Go to View -> Tree. Connect to the appropriate base DN.
   NOTE: If your goal is to delete an object in AD that has child objects, then you will need to remove the child objects first.
7. Find the object, right click and select Modify.
8. In the Attribute field, type "systemflags"; in the Values field, leave it blank; in the operation radio options, select Delete.
9. Then click Enter, then click Run to remove the system flags values.
10. Perform the modification or deletion of the object.
11. Set the systemflags value back to the original value, to make it owned by the system again.
12. Once finished, run LDP again with the above steps, changing the schemaUpgradeInProgress value to 0 (to prevent unwanted schema/system changes).
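Step 11 depends on knowing the original systemflags value, so note it down before step 8. The following is an added example, not part of the original post: it decodes the signed number LDP displays into the flags it contains and checks that the value put back in step 11 matches the one recorded. The flag names and values are from Microsoft's published systemFlags definitions; the function names and the sample value are constructed for illustration.

```python
# Added example. Flag names and values are from Microsoft's published
# systemFlags definitions; the function names here are hypothetical.
HIGH_FLAGS = {
    0x02000000: "FLAG_DISALLOW_MOVE_ON_DELETE",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x80000000: "FLAG_DISALLOW_DELETE",
}
KNOWN_MASK = sum(HIGH_FLAGS)  # the low-order bits vary by object class

def to_unsigned(value):
    """LDAP shows systemFlags as a signed 32-bit integer; map it to 0..2^32-1."""
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError("systemFlags must fit in 32 bits")
    return value & 0xFFFFFFFF

def to_signed(value):
    """Signed form, as it has to be typed back into LDP in step 11."""
    u = to_unsigned(value)
    return u - 0x100000000 if u & 0x80000000 else u

def decode(value):
    """Return (names of the known high-order flags, remaining undecoded bits)."""
    u = to_unsigned(value)
    names = [name for bit, name in sorted(HIGH_FLAGS.items()) if u & bit]
    return names, u & ~KNOWN_MASK & 0xFFFFFFFF

def blocked_in_domain_partition(value):
    """Operations the flags refuse on an object in a domain partition."""
    names, _ = decode(value)
    checks = {"FLAG_DISALLOW_DELETE": "delete",
              "FLAG_DOMAIN_DISALLOW_MOVE": "move",
              "FLAG_DOMAIN_DISALLOW_RENAME": "rename"}
    return sorted(op for flag, op in checks.items() if flag in names)

def restored_correctly(original, current):
    """True when the value set in step 11 equals the one recorded before step 8."""
    return current is not None and to_unsigned(original) == to_unsigned(current)

if __name__ == "__main__":
    recorded = -1946157056  # constructed sample value, as LDP would display it
    print(decode(recorded), blocked_in_domain_partition(recorded))
    print(restored_correctly(recorded, None))        # flags still cleared
    print(restored_correctly(recorded, 0x8C000000))  # same value, unsigned form
```
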