Fix ERROR_DS_SINGLE_VALUE_CONSTRAINT (0x00002081) in AD
This error hits when you try to add multiple values to an attribute that only allows one. Happens during AD bulk imports or PowerShell scripts.
What actually triggers this error
You'll see 0x00002081 when running a bulk import with LDIFDE, PowerShell, or ADSI — usually against a custom attribute or something like mail, telephoneNumber, or manager. The script or file has two values for a field that only accepts one. For example, you try to set mail to both user@domain.com and user2@domain.com in the same operation.
Another common trigger: you're modifying an attribute that was single-valued at schema creation but later someone extended the schema — doesn't matter, the constraint is baked in. This error also pops up when you use ADUC to edit an attribute that has a read-only multi-value display (like otherTelephone) but the underlying attribute is single-valued.
Root cause in plain English
Every attribute in Active Directory has a flag in the schema that says “this attribute can only hold one value.” It's called attributeIsSingleValued. When your code or script tries to write an array or multiple strings to that attribute, AD slaps you with 0x00002081. The error isn't lying — you literally violated a schema constraint.
This happens because:
- Your import file (CSV, LDIF) has duplicate entries for the same attribute.
- Your PowerShell script pipes multiple values to a single-valued attribute.
- Someone modified the schema incorrectly (rare, but I've seen it).
How to fix it — step by step
Step 1: Find the offending attribute
Check your import file or script output. Look for any attribute that appears twice for the same object. In an LDIF file, you'll see something like:
dn: CN=JohnDoe,OU=Users,DC=contoso,DC=com
changetype: modify
add: mail
mail: john@contoso.com
mail: john.doe@contoso.com
-That second mail: line is the problem. Remove it.
In PowerShell, you might have:
Set-ADUser JohnDoe -EmailAddress @("john@contoso.com","john.doe@contoso.com")That's a no-go. Use only one string.
Step 2: Check if the attribute is really single-valued
Use ADSI Edit to confirm. Connect to the Schema partition (CN=Schema,CN=Configuration,DC=contoso,DC=com). Find the attribute (e.g., CN=mAil-Local or whatever your attribute's common name is). Right-click → Properties. Look at attributeIsSingleValued. If it's TRUE, it's single-valued. Period.
You can also run this in PowerShell:
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter {name -eq "mail"} -Properties attributeIsSingleValued | fl *Step 3: Fix the import data
Deduplicate values for single-valued attributes. If you need multiple values, pick a different multi-valued attribute like otherMailbox or proxyAddresses. For mail, you can only have one primary SMTP address. Use proxyAddresses for aliases.
Step 4: If the attribute should be multi-valued
This is an advanced move — only do this if you know what you're doing. Modify the schema attribute:
- Open ADSI Edit on a DC.
- Connect to the Schema container (not the domain partition).
- Find the attribute object.
- Set
attributeIsSingleValuedtoFALSE. - Wait for replication (or force it).
Warning: Changing schema is permanent. Backup the schema first. And don't touch built-in attributes like mail — you'll break Exchange.
What to check if it still fails
- Replication latency: If you just changed the schema, wait for all DCs to sync. Force with
repadmin /syncall. - Cached credentials: The script might be using an old LDAP connection. Restart the PowerShell session or re-run the import tool.
- ADSI provider version: Older Windows 7 or Server 2008 R2 machines have a buggy ADSI provider. Update to KB article 2601675 or use a newer machine.
- Third-party tools: Some tools like Softerra AD Administrator or ManageEngine ADManager sometimes pass multiple values even if you only see one. Check the tool's logs.
- Edge case — virtual attribute: If you're hitting this on
mS-DS-ConsistencyGuidormsDS-ExternalDirectoryObjectId, it's by design. Those are single-valued. Don't try to force them.
Bottom line: 90% of the time, you just have a duplicate entry in your input file. Strip duplicates, re-run, and it'll work. The other 10% is schema changes you probably shouldn't be making anyway.
Was this solution helpful?