Problem : Cannot create user in domain – The requested object has a non-unique identifier and cannot be retrieved

We recently tried to decommission an SBS 2003 server to split Exchange and Windows Server 2003 onto two separate machines. We thought everything went smoothly until we tried to create a new user, when this error came up:

“Windows cannot set the password for (account name) because:
The requested object has a non-unique identifier and cannot be retrieved.”

…after I press OK, another box pops up complaining:

“Windows cannot remove the newly created object automatically. Remove it manually or contact your system administrator.”

In Event Viewer under SYSTEM, I see two events with “Source: SAM, Event ID: 12293”, both with the same time stamp:
#1:
“There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=Team Foundation Server Setup,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com. All duplicate accounts have been deleted. Check the event log for additional duplicates.”

#2:
“There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=Tester Account,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com. All duplicate accounts have been deleted. Check the event log for additional duplicates.”

I ran NTDSUTIL’s SID cleanup, and its log has 0 entries, meaning there is nothing to delete?

Solution: Cannot create user in domain – The requested object has a non-unique identifier and cannot be retrieved

You may need to find and delete the objects yourself.  To do this, install the Windows Support Tools (in the SupportTools folder on the installation CD).  Then, open a Management Console (Start | Run | type “mmc” and hit Enter) and add the ADSI Edit snap-in (press Control+M, click “Add”, and pick ADSI Edit from the list).

Once you’re in ADSI Edit, connect to the domain controller (right-click on “ADSI Edit” and select “Connect to…”) and set the Connection Point to Domain (this should be the default).  Then, browse through the domain objects until you find the objects named in the event log entries above.  You can then delete them manually.

The key to finding those objects is to read the Distinguished Name right-to-left.  So, for the following path:
CN=Tester Account,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com
browse through ADSI Edit as follows:
DC=domain,DC=com
  |_OU=MyBusiness
     |_OU=Users
        |_OU=SBSUsers
In the SBSUsers OU, you should find the user.
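The event log names one Distinguished Name per event, but a duplicate SID by definition involves at least two objects, and the partner object may sit in a different container. Before deleting anything in ADSI Edit it is worth listing every object that shares a SID so you remove the right one. The script below is an added example, not part of the original post: it queries the domain partition with System.DirectoryServices (available wherever PowerShell runs on a domain-joined Windows box; the original server predates PowerShell, so run it from a management workstation), groups objects by their objectSid, reports the groups with more than one member, and turns each DN into the right-to-left expansion order used in ADSI Edit. It only reads from the directory and never deletes. The function names ConvertTo-AdsiEditPath and Find-DuplicateSid are my own.

```powershell
# Added example (not from the original post). Read-only: it reports duplicate SIDs,
# it does not delete anything. Assumes a domain-joined machine, PowerShell 2.0 or later,
# and an account allowed to read the domain naming context.

function ConvertTo-AdsiEditPath {
    # Turn "CN=Tester Account,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com" into
    # the order you expand nodes in ADSI Edit:
    # DC=domain,DC=com > OU=MyBusiness > OU=Users > OU=SBSUsers > CN=Tester Account
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # Split on commas that are not escaped with a backslash (a value may contain "\,")
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),')
    $dc    = @($parts | Where-Object { $_ -like 'DC=*' })     # the domain root, kept together
    $rest  = @($parts | Where-Object { $_ -notlike 'DC=*' })  # containers and the leaf object
    [array]::Reverse($rest)                                   # right-to-left, as the post says
    return (@(($dc -join ',')) + $rest) -join ' > '
}

function Find-DuplicateSid {
    # Enumerate every object that carries an objectSid and group them by SID string.
    param([string]$SearchRoot = "LDAP://$(([ADSI]'LDAP://RootDSE').defaultNamingContext)")

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchRoot
    $searcher.Filter     = '(objectSid=*)'   # users, groups, computers and trusts all have one
    $searcher.PageSize   = 1000              # paged results so large domains are fully read
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $null = $searcher.PropertiesToLoad.Add('objectSid')

    $bySid   = @{}
    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # objectSid is stored as a binary blob; convert it to the familiar S-1-5-... form
            $sidBytes = $result.Properties['objectsid'][0]
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
            $dn  = [string]$result.Properties['distinguishedname'][0]
            if (-not $bySid.ContainsKey($sid)) { $bySid[$sid] = @() }
            $bySid[$sid] += $dn
        }
    } finally {
        $results.Dispose()
    }

    # Only SIDs that point at more than one object are a problem (SAM event 12293)
    foreach ($entry in $bySid.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            New-Object PSObject -Property @{ Sid = $entry.Key; DistinguishedNames = $entry.Value }
        }
    }
}

# Offline demonstration of the path helper, using the DN from the event log above
ConvertTo-AdsiEditPath 'CN=Tester Account,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=com'

# Against the live domain: one line per SID, then the ADSI Edit path of every object sharing it
Find-DuplicateSid | ForEach-Object {
    "SID $($_.Sid):"
    $_.DistinguishedNames | ForEach-Object { '  ' + (ConvertTo-AdsiEditPath $_) }
}
```

Run it before opening ADSI Edit and keep the output: it tells you which two (or more) objects share each SID, so you can decide which one is the legitimate account and which is the leftover from the migration, and it doubles as a record of what was removed. If the script reports nothing while SAM still logs event 12293, the duplicate is not in the domain partition you searched, and pointing $SearchRoot at another naming context is the next check.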