
Delete Subtree in AD

Former Member
0 Kudos

Hello Experts

We are facing a complex situation when trying to do a deletion of an AD user.

In our client's directory, we have some users with a delegate object, as the following screenshot shows:

These users cannot be deleted by the standard ToLDAP operation "delete".

So for these, we have tried doing a "deletesubtree" operation:

Unfortunately, using this operation does not solve the issue, we are getting the same error message as with a standard deletion:

We have confirmed with the AD administrator that the technical AD user does have the "Delete subtree" access for this OU.

In addition, the administrator advised us to use the "LDAP_SERVER_TREE_DELETE_OID" control to do the operation.

We supposed this was what the changetype deletesubtree was doing, but it seems this is not enough.

So, does any of you experts have any idea on what we are doing wrong with this changetype? Or any other idea on how we can delete these users?

The sub-objects are not known in IDM and will be added directly from AD, so we cannot delete them directly as a first step.

Regards,

Julien Garagnon
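The control the AD administrator mentions, LDAP_SERVER_TREE_DELETE_OID (1.2.840.113556.1.4.805), is what turns a plain LDAP delete into a subtree delete on the server side. The following PowerShell script is an added example and is not part of the thread or of SAP IdM: it sends a delete request carrying that control through System.DirectoryServices.Protocols, after first listing the object's direct children so the operator can see why a plain delete is refused. The server name, port and distinguished name are placeholders.

```powershell
# Added example: LDAP delete with the tree-delete control (OID 1.2.840.113556.1.4.805)
# via System.DirectoryServices.Protocols. Server and DN values are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Remove-LdapSubtree {
    param(
        [Parameter(Mandatory)][string]$Server,             # e.g. 'dc01.example.local' (placeholder)
        [Parameter(Mandatory)][string]$DistinguishedName,  # object to delete together with its subtree
        [switch]$WhatIf
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.Signing = $true   # sign and seal the session so the operation is not sent in clear
    $conn.SessionOptions.Sealing = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # binds as the current user; set $conn.Credential first to use a service account

    # Count direct children: an object with children cannot be removed by a plain delete.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $DistinguishedName, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel, 'distinguishedName')
    $children = $conn.SendRequest($search).Entries
    Write-Host ("{0} has {1} child object(s)" -f $DistinguishedName, $children.Count)

    if ($WhatIf) {
        Write-Host "WhatIf: would delete $DistinguishedName and its subtree"
        $conn.Dispose()
        return
    }

    $del = New-Object System.DirectoryServices.Protocols.DeleteRequest($DistinguishedName)
    # Without this control AD answers notAllowedOnNonLeaf for an object that has children.
    $del.Controls.Add((New-Object System.DirectoryServices.Protocols.TreeDeleteControl)) | Out-Null

    try {
        $resp = $conn.SendRequest($del)
        Write-Host ("Delete result: {0}" -f $resp.ResultCode)
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # InsufficientAccessRights here means the bind account lacks "Delete subtree"
        # on this object, regardless of what the delegation wizard shows.
        Write-Warning ("Delete failed: {0} - {1}" -f $_.Exception.Response.ResultCode, $_.Exception.Message)
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholders): preview first, then run without -WhatIf.
# Remove-LdapSubtree -Server 'dc01.example.local' -DistinguishedName 'CN=jdoe,OU=Users,DC=example,DC=local' -WhatIf
```

Running this with the same service account the IdM dispatcher uses is a quick way to separate a permission problem (InsufficientAccessRights) from a connector problem: if the control-carrying delete succeeds here but the ToLDAP "deletesubtree" changetype still fails, the connector is not sending the control.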

Accepted Solutions (0)

Answers (1)


former_member2987
Active Contributor
0 Kudos

Hi Julien,

Can you explain how these containers were set up?

My guess is that the account specified in Directory Login Name does not have sufficient privileges to do the required actions. They will need these privileges to do the deletion.

Matt

Former Member
0 Kudos

Hello Matt,

These containers were set up by a system called SpecOps.

When a user enrolls in this system, a child object is created under the user.

I do not know any more about this system.

The client aims to have all AD users in the system ASAP.

Concerning the rights to remove subtrees, we have confirmed with the AD administrator that the service account does have this permission on the user in question.

Regards,

Julien Garagnon

peterwass
Explorer
0 Kudos

I assume you can delete them manually as that account (thus confirming rights). If so, you can do it a few ways.

Powershell would do it - write a script like the below and trigger it to delete the object rather than use LDAP.

You can also do it via a job where you import the leaf objects below the user, delete them individually, and then delete the primary object.  I'm not sure how you're triggering this delete (task I assume).  Perhaps get the task to flag the objects to be deleted and then have the job pick them up.  Alternatively you could have the job triggered from the workflow to do the work.

Peter

# Find the objects directly below the user; Get-ADObject takes -SearchBase, not -SearchRoot
$LeafObj = Get-ADObject -Filter * -SearchScope OneLevel -SearchBase <ADUser.DistinguishedName passed as parameter>

if ($LeafObj)
{
     # Remove each child together with anything nested below it
     $LeafObj | Remove-ADObject -Recursive
}

You can either delete the object here or pass it back to the workflow to complete...
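Peter's second option, importing the leaf objects, deleting them individually and then deleting the user, can be done in one script without a tree-delete control at all, because each delete then only ever touches a leaf. The script below is an added example, not Peter's code or SAP IdM's; it assumes the ActiveDirectory module is available, that the account running it has delete rights on the user and its children, and uses a placeholder DN. It also clears the "protect from accidental deletion" flag, which otherwise blocks the delete even for an account with sufficient rights.

```powershell
# Added example: bottom-up deletion of a user and its child objects with the
# ActiveDirectory module. Supports -WhatIf for a dry run. DN is a placeholder.
Import-Module ActiveDirectory

function Remove-ADUserBottomUp {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserDn)

    # Every descendant of the user, deepest entries first, so each delete hits a leaf.
    # Depth = number of RDNs, counting only unescaped commas.
    $descendants = Get-ADObject -SearchBase $UserDn -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $UserDn } |
        Sort-Object { ($_.DistinguishedName -split '(?<!\\),').Count } -Descending

    Write-Verbose ("{0} descendant(s) under {1}" -f @($descendants).Count, $UserDn)

    foreach ($obj in $descendants) {
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Remove-ADObject')) {
            # Clear the accidental-deletion protection if it is set; otherwise the delete is denied.
            Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $false -ErrorAction SilentlyContinue
            Remove-ADObject -Identity $obj -Confirm:$false
        }
    }

    # Only now is the user itself a leaf and deletable with a plain delete.
    if ($PSCmdlet.ShouldProcess($UserDn, 'Remove-ADObject')) {
        Set-ADObject -Identity $UserDn -ProtectedFromAccidentalDeletion $false -ErrorAction SilentlyContinue
        Remove-ADObject -Identity $UserDn -Confirm:$false
    }
}

# Dry run: lists what would be removed, in order, without touching the directory.
# Remove-ADUserBottomUp -UserDn 'CN=jdoe,OU=Users,DC=example,DC=local' -WhatIf -Verbose
```

Because the children are removed one at a time, every step shows up as a separate deletion in the AD audit log, which is easier to trace back from IdM than a single server-side subtree delete.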

former_member201064
Active Participant
0 Kudos

I use powershell to delete the ExchangeActiveSyncDevices and a ToLDAP pass to delete the OU afterwards (including skipping on the entry if no mobiles are active).

This is the ps1 file I write to the IdM server and then call using a dispatcher, which is executed by the Exchange/domain admin.


# Remote Exchange Management Shell session, authenticated with Kerberos
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ExchangeServer>/powershell -Authentication Kerberos

# Remove the ActiveSync device object; errors (stream 2) go to the log file
Invoke-Command -Session $session -ScriptBlock {Set-AdServerSettings -ViewEntireForest $true; Remove-ActiveSyncDevice -Confirm:$false -Identity "<DN>" -DomainController "<DC>"} 2> <PathToLogFile>

Remove-PSSession $session

Recursive deleting, have to remember that one. Maybe in a future version I'll add this.