
QMM LDAP error 0x35. Unwilling To Perform user migration

While doing user migration for a particular domain, we are getting the below error:

LDAP error 0x35. Unwilling To Perform (0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0 ).

We have checked that the accounts meet password complexity.

Tried resetting the passwords in both target and source domains to be the same, but it still fails.

  • There is normally a little more info, i.e. the attribute LDAP was unwilling to write. Can you supply that?

  • This is the only error we see:

    user LDAP error 0x35. Unwilling To Perform (0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0).
  • Hi, I don't see any error in dsa.log.

  • So you don't see any errors? Not even "LDAP error 0x35. Unwilling To Perform"? Because it was logged in the DSA.log before it was presented to you in the session log. That tells me you are looking at the wrong log or wrong time range. 

    What you want to see is what was going on before the LDAP error 0x35. Unwilling To Perform error is written. You might need to increase the log level to get more details.

    You might want to open a support case. 

  • Here is the error:

       Common AcAdTaskHandler         Object search scope: Subtree

         Common AcAdTaskHandler         Setting path for modifyTimeStamp control: subschemaSubentry = CN=Aggregate,CN=Schema,CN=Configuration,DC=ds,DC=xyz,DC=com

         Common AcAdTaskHandler         Search engine was directed to domain partition

         Common AcAdTaskHandler         Checking schema for modifications

         Common AcAdTaskHandler         No schema changes detected

         Common AcAdTaskHandler     Starting LDAP asynchronous page search: DN = CN=Schema,CN=Configuration,DC=ds,DC=xyz,DC=com

         Common AcAdTaskHandler         Search filter: (&(lDAPDisplayName=msExchBaseClass)(objectClass=classSchema))

         Common AcAdTaskHandler         Attributes to be requested: lDAPDisplayName  

         Common AcAdTaskHandler         Page size: 1

         Common AcAdTaskHandler         Object search scope: One level

     Activation AcAdSwitches     Account Switch, enabling target object DEA7A0CBEAF1F2409F7F85771B308402

         Common AcAdSwitches LDAP error 0x35. Unwilling To Perform (0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0).

     Activation AcAdTaskHandler         ended dispatching objects

     Activation AcService Objects have been dispatched, task ID: 002DBB6AA9955E418238DD12C2EB0FD1, objects count: 1

     Activation AcService Queue has been processed

     Activation AcService Waiting for events

    Common JobID:0 -> Activation Message Queue is empty.

    Source JobID:0 ->         Recovering messages from dead-letter queue.

    Target JobID:0 ->     Handler ActivationHandler finished with 1 objects. Time = 2.033742 sec.

    Target JobID:0 ->     Handler PartialSync started with 1 objects

    Target JobID:0 -> Starting Partial Sync handler

    Target JobID:0 ->     Object = LDAP://xyz.com/.local/CN=xyz\, abc,OU=SHA,OU=Users,OU=xyz,DC=com

    Target JobID:0 -> Finishing Partial Sync handler

  • enabling target object

    So AD is unwilling to enable the object, so figure out why? I will bet you can't manually enable the object in question either.

  • I have tried manually enabling it, but AD disables it again.

  • So that is telling you it is not the migration tool. So figure out why and that will solve the tool's issue too.

  • Have you tried manually applying a complex password to the user to see if it will stay enabled?

  • So here are some more details.

    I already have a user created with the same samaccount name in the target and we are trying to do a merge. Instead of doing a merge with skip password selected, for some users it fails and creates a new user as disabled.

    The failed new users cannot be enabled unless I reset the password. The issue is it should not create a new user; instead merge and fail.

  • OK so what matching rules do you have enabled in the domain pair? - if you only want to match on samaccountname, then make sure that just Account Name is enabled.

    Also, since you seem to be doing some attribute skipping, make sure you are not skipping samaccountname.

  • Under matching objects > account name is selected, and we are not skipping any attributes.

    In the first session, it creates a new user with a different samname, and in the second retry it shows a conflict error.
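
Added example, not part of the original thread and not code from the migration tool: the first field of the server's extended error text (0000052D here) is a Win32 error code in hex, and 0x52D is ERROR_PASSWORD_RESTRICTION. The Python below decodes that field and reports the log line that preceded each error, which is the context the replies ask for; the function name, the code table and the sample list are assumptions made for this illustration.

```python
import re

# Win32 codes AD returns in the first field of its extended error text
# (values from winerror.h); extend the table as needed.
WIN32_CODES = {
    0x00000005: "ERROR_ACCESS_DENIED",
    0x00000524: "ERROR_USER_EXISTS",
    0x0000052D: "ERROR_PASSWORD_RESTRICTION",
}
LDAP_RESULTS = {0x32: "insufficientAccessRights", 0x35: "unwillingToPerform"}

ERR_RE = re.compile(
    r"LDAP error 0x(?P<ldap>[0-9A-Fa-f]+)\..*?\((?P<win32>[0-9A-Fa-f]{8}): "
    r"\w+: (?P<dsid>DSID-[0-9A-Fa-f]+), problem (?P<problem>\d+) \((?P<name>\w+)\)"
)

# Lines taken from the excerpt in the thread; the closing ")." is kept on its
# own line here to show a wrapped entry.
SAMPLE = [
    "Activation AcAdSwitches     Account Switch, enabling target object DEA7A0CBEAF1F2409F7F85771B308402",
    "Common AcAdSwitches LDAP error 0x35. Unwilling To Perform (0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0",
    ").",
    "Activation AcAdTaskHandler         ended dispatching objects",
]

def decode_errors(lines):
    """Return one dict per LDAP error, with the log line that preceded it."""
    findings, previous = [], None
    for raw in lines:
        line = raw.strip()
        m = ERR_RE.search(line)
        if m:
            ldap, win32 = int(m["ldap"], 16), int(m["win32"], 16)
            findings.append({
                "ldap_result": LDAP_RESULTS.get(ldap, hex(ldap)),
                "win32_code": win32,
                "win32_name": WIN32_CODES.get(win32, "not in table"),
                "dsid": m["dsid"],
                "problem": f'{m["problem"]} ({m["name"]})',
                "preceding_line": previous,
            })
        elif line and line != ").":  # skip blanks and the wrapped tail
            previous = line
    return findings

if __name__ == "__main__":
    for f in decode_errors(SAMPLE):
        print(f)
```

For the sample lines the decoder pairs ERROR_PASSWORD_RESTRICTION with the "enabling target object" step, which is consistent with the report above that the newly created accounts could only be enabled after a password reset.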
