Fix ERROR_DS_IS_LEAF 0x00002033 in Active Directory

When you'll see this error

You're working in Active Directory Users and Computers or ADSI Edit. You right-click an object, pick "New" → "User" (or "Organizational Unit" or "Group"), and boom — a dialog says "The object is a leaf object." Error code 0x00002033. Maybe you're trying to provision a new employee and accidentally clicked on a user object instead of an OU. Or you're scripting a bulk import and the script is targeting the wrong DN path.

What's actually happening here

Every object in Active Directory has a possibleInferiors or systemPossSuperiors attribute that defines what child object classes it can contain. Some objects are "containers" — like Organizational Units, built-in containers (CN=Users, CN=Computers), and domain objects. They can hold child objects. Other objects are "leaf" objects — like user accounts, groups, computer objects, and contacts. They're the end of the line. You can't nest a user inside a user. The schema says no.

The error ERROR_DS_IS_LEAF (0x00002033) is Active Directory's way of saying: "What you're trying to put a child into doesn't allow children." It's a schema constraint, not a permissions problem or a replication issue. That matters, because people often start chasing ACLs or network connectivity when the fix is simpler — pick a different parent.

The fix: move to a real container

Identify the current target object. What did you right-click? If it's a user like CN=jsmith,CN=Users,DC=contoso,DC=com, that's a leaf — stop right there.
Find a proper container. In the same domain, pick an Organizational Unit (OU) or a built-in container like CN=Users (which is actually a container class, not a leaf) or CN=Computers. If you don't have an OU for new users, create one: right-click the domain, New → Organizational Unit.
Create the object under the container. Right-click the OU (e.g., OU=Employees,DC=contoso,DC=com), then New → User. Should work now.
If you need to script it, fix the distinguishedName. In PowerShell, you'll get this error when using New-ADUser with a -Path pointing to a leaf. Change -Path "CN=jsmith,CN=Users,DC=contoso,DC=com" to -Path "OU=Employees,DC=contoso,DC=com". Or better, use the default path by omitting -Path.

PowerShell example — wrong vs right

# This FAILS with 0x00002033 — CN=jsmith is a leaf
New-ADUser -Name "Jane Doe" -GivenName Jane -Surname Doe -SamAccountName jdoe -Path "CN=jsmith,CN=Users,DC=contoso,DC=com"

# This WORKS — OU=Employees is a container
New-ADUser -Name "Jane Doe" -GivenName Jane -Surname Doe -SamAccountName jdoe -Path "OU=Employees,DC=contoso,DC=com"

What to check if it still fails

Are you sure the target is a container? In Active Directory Users and Computers, turn on "Advanced Features" from the View menu. Open the object's properties, go to the Attribute Editor tab, find objectClass. If it's user, group, computer, contact, or msExchDynamicDistributionList, it's a leaf. If it's organizationalUnit, container, or domainDNS, you're good.
Are you hitting a schema extension issue? Rare, but if someone modified the schema to make a normally-leaf class able to contain children (bad idea), you might still get this error if the auxiliary class isn't attached correctly. Use ADSI Edit to check the possibleInferiors attribute on the object.
Permissions? Even if the parent is a container, you still need Create Child permission for that object class. Error 0x00002033 is not an access denied — that's a different error (0x0000200A or 0x0000202B). But after fixing the container, you might hit a permissions wall next. Check the Security tab on the OU.
Are you in the right domain partition? If you're using ADSI Edit and connected to the Configuration or Schema partition, those have their own object hierarchy — none of those objects allow user/group creation. That's a common trap. Make sure you're targeting the Domain partition (DC=contoso,DC=com).

Bottom line: you can't push children into leaf nodes. Pick a container, and move on. This error is a schema guardrail, not a bug.