Users cannot be copied because an "unknown error" (from bug 4815)
The problem is that without proper ntSecurityDescriptor support, the MMC client bails. (I think it is trying to construct a new, corrected security descriptor for the copied user).
-r 24263 seems to fix this. We still need to honour the ntSecurityDescriptor, but at least now we set a value for MMC to read.