Users cannot be copied because of an "unknown error" (from bug 4815)
(reproduced) The problem is that without proper ntSecurityDescriptor support, the MMC client bails. (I think it is trying to construct a new, corrected security descriptor for the copied user.)
-r 24263 seems to fix this. We still need to honour the ntSecurityDescriptor, but at least now we set a value for MMC to read.