How to modify a system owned object


I had an interesting customer request recently that I thought I would share with you. Prior to an upgrade to 2003 they had an account which was used for Remote Desktop Users. On upgrading to 2003 this account was replaced by a System Owned Object with exactly the same name. So their question to me was: how do we rename a System Owned account without getting the following error?

"The attribute cannot be modified because it is owned by the system"

Carry out the following steps.

Warning: Make sure you fully test these in a pre-production environment before applying them to your live environment.

1. Launch LDP.exe and bind to the DS server you want to modify. Make sure you are
schema admin, and admin over the partition you are modifying.
2. After connecting and binding, navigate to the Browse menu and select the
"Modify" option.
3. Leave the DN blank, type 'schemaUpgradeInProgress' into the Attribute field and
in the Values field type 1.
4. Click the Add operation and then click the Enter button. This will add this
command to the entry list.
5. Click the Run button. If you are successful you should see a successful modify.
6. Go to View -> Tree. Connect to the appropriate base DN.
NOTE: If your goal is to delete an object in AD that has child objects, then you
will need to remove the child objects first.
7. Find the object, right click and select Modify.
8. In the Attribute field, type "systemflags"; in the Values field, leave it
blank; in the operation radio options, select Delete.
9. Then click Enter, then click Run to remove the system flags values.
10. Perform the modification or deletion of the object.
11. Set the systemflags value back to the original value, to make it owned by the
system again.
12. Once finished, run LDP again with the above steps, changing the
schemaUpgradeInProgress value to 0 (to prevent unwanted schema/system changes).
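
Step 11 depends on knowing the original systemflags value, so the following added example (not part of the original post) records and decodes it before step 8 and checks it after step 11. It assumes the ActiveDirectory PowerShell module is available; the function names, the DN and the file path are placeholders chosen for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Object-level systemFlags bits, per MS-ADTS. 0x80000000 parses as a negative
# Int32, which matches how the attribute value is returned.
$SystemFlagBits = [ordered]@{
    FLAG_DISALLOW_DELETE           = 0x80000000
    FLAG_CONFIG_ALLOW_RENAME       = 0x40000000
    FLAG_CONFIG_ALLOW_MOVE         = 0x20000000
    FLAG_CONFIG_ALLOW_LIMITED_MOVE = 0x10000000
    FLAG_DOMAIN_DISALLOW_RENAME    = 0x08000000
    FLAG_DOMAIN_DISALLOW_MOVE      = 0x04000000
    FLAG_DISALLOW_MOVE_ON_DELETE   = 0x02000000
}

# Return the names of the bits set in a systemFlags value.
function ConvertFrom-SystemFlags([int]$Value) {
    $SystemFlagBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Run before step 8: save the value keyed by objectGUID, which survives a rename.
function Save-SystemFlags([string]$Dn, [string]$Path) {
    $obj = Get-ADObject -Identity $Dn -Properties systemFlags
    [pscustomobject]@{
        ObjectGuid  = $obj.ObjectGUID.ToString()
        OriginalDn  = $obj.DistinguishedName
        SystemFlags = $obj.systemFlags
        Decoded     = @(ConvertFrom-SystemFlags $obj.systemFlags)
    } | ConvertTo-Json | Set-Content -Path $Path
}

# Run after step 11: confirm the object carries the saved value again.
function Test-SystemFlagsRestored([string]$Path) {
    $saved = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $obj   = Get-ADObject -Identity $saved.ObjectGuid -Properties systemFlags
    if ($obj.systemFlags -eq $saved.SystemFlags) { return $true }
    Write-Warning ("systemFlags on {0} is '{1}', expected '{2}' ({3})" -f
        $obj.DistinguishedName, $obj.systemFlags, $saved.SystemFlags,
        ($saved.Decoded -join ', '))
    return $false
}

# Placeholder usage (DN and path are hypothetical):
# Save-SystemFlags -Dn 'CN=Example Object,CN=Builtin,DC=example,DC=com' -Path .\systemflags.json
# Test-SystemFlagsRestored -Path .\systemflags.json
```

The saved file also gives a change record of which object had its flags cleared and what they were, which is useful if the procedure is interrupted between steps 9 and 11.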