Former Member

Delete Subtree in AD

Hello Experts

We are facing a complex situation when trying to do a deletion of an AD user.

In our client's directory, we have some users with a delegate object, as the following screenshot shows:

These users cannot be deleted by the standard ToLDAP operation "delete".

So for these, we have tried doing a "deletesubtree" operation:

Unfortunately, using this operation does not solve the issue; we get the same error message as with a standard deletion:

We have confirmed with the AD administrator that the technical AD user does have the "Delete subtree" access for this OU.

In addition, the administrator advised us to use the "LDAP_SERVER_TREE_DELETE_OID" control to do the operation.

We supposed this was what the changetype deletesubtree was doing, but it seems this is not enough.

So, do any of you experts have any idea on what we are doing wrong with this changetype? Or any other idea on how we can delete these users?

The sub-objects are not known in IDM and will be added directly from AD, so we cannot delete them directly as a first step.


Julien Garagnon
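The two ways out of the "not allowed on non-leaf" situation described in this question are (a) a single delete that carries the LDAP_SERVER_TREE_DELETE_OID control, which the AD administrator suggested, and (b) a client-side walk that deletes the children first and the user last. The following Python is an added illustration written for this thread; it is not code from SAP IDM, the ToLDAP pass or the poster. It assumes the ldap3 library's control format (an (oid, criticality, value) tuple passed to Connection.delete), which is only wired up in one helper and not executed here; the DNs, the ExchangeActiveSyncDevices container and the in-memory directory are constructed sample data so the ordering logic runs offline.

```python
"""
Deleting an AD user that still has child objects (for example an
ExchangeActiveSyncDevices container beneath the user object).

Strategy 1: one delete request carrying the Tree Delete control
  (Microsoft OID 1.2.840.113556.1.4.805, LDAP_SERVER_TREE_DELETE_OID).
  The server removes the whole subtree; the bind account needs the
  "Delete subtree" right on the object being deleted.
Strategy 2: client-side fallback with plain deletes, leaves first, then
  the user object, which only needs ordinary delete rights per object.

Directory access is injected as callables so the logic can be exercised
against the constructed FakeDirectory below without a live AD.
"""
from typing import Callable, Dict, List

# OID of LDAP_SERVER_TREE_DELETE_OID.
TREE_DELETE_OID = "1.2.840.113556.1.4.805"

# ldap3 request-control shape (assumed): (oid, criticality, value).
# criticality=True makes a server that does not honour the control
# reject the request instead of silently doing a plain delete.
TREE_DELETE_CONTROL = (TREE_DELETE_OID, True, None)


def delete_with_tree_control(conn, dn: str) -> bool:
    """Strategy 1 via ldap3 (hypothetical wiring, not run in this example)."""
    return conn.delete(dn, controls=[TREE_DELETE_CONTROL])


def subtree_deletion_order(base_dn: str,
                           list_children: Callable[[str], List[str]]) -> List[str]:
    """Post-order walk: every child DN precedes its parent, so a sequence
    of plain LDAP deletes never targets an object that still has children."""
    order: List[str] = []

    def walk(dn: str) -> None:
        for child in list_children(dn):
            walk(child)
        order.append(dn)

    walk(base_dn)
    return order


def delete_subtree_client_side(base_dn: str,
                               list_children: Callable[[str], List[str]],
                               delete_entry: Callable[[str], bool]) -> List[str]:
    """Strategy 2: delete the subtree bottom-up; stop on the first failure
    so a partially removed tree is reported rather than hidden."""
    deleted: List[str] = []
    for dn in subtree_deletion_order(base_dn, list_children):
        if not delete_entry(dn):
            raise RuntimeError(f"delete failed at {dn}; already removed: {deleted}")
        deleted.append(dn)
    return deleted


# Constructed sample directory (placeholder DNs, not real data).
USER_DN = "CN=jdoe,OU=Users,DC=example,DC=local"
CONTAINER_DN = "CN=ExchangeActiveSyncDevices," + USER_DN
SAMPLE_TREE: Dict[str, List[str]] = {
    USER_DN: [CONTAINER_DN],
    CONTAINER_DN: ["CN=Device1," + CONTAINER_DN, "CN=Device2," + CONTAINER_DN],
}


class FakeDirectory:
    """In-memory stand-in for AD that enforces the non-leaf rule: a plain
    delete of an object that still has children fails, as AD's does."""

    def __init__(self, tree: Dict[str, List[str]]) -> None:
        self.tree = {dn: list(kids) for dn, kids in tree.items()}
        for kids in tree.values():
            for kid in kids:
                self.tree.setdefault(kid, [])
        self.log: List[str] = []

    def children(self, dn: str) -> List[str]:
        return list(self.tree.get(dn, []))

    def delete(self, dn: str) -> bool:
        if dn not in self.tree:
            return False
        if self.tree[dn]:  # still has children: notAllowedOnNonLeaf
            self.log.append(f"refused {dn}")
            return False
        del self.tree[dn]
        for kids in self.tree.values():
            if dn in kids:
                kids.remove(dn)
        self.log.append(f"deleted {dn}")
        return True


def demo():
    """Show the plain delete failing, then the bottom-up delete succeeding."""
    directory = FakeDirectory(SAMPLE_TREE)
    direct = directory.delete(USER_DN)  # what the standard "delete" changetype does
    order = delete_subtree_client_side(USER_DN, directory.children, directory.delete)
    return direct, order, USER_DN in directory.tree


if __name__ == "__main__":
    print(demo())
```

When the real ToLDAP pass is replaced by a script like this, the account used for the bind is the one whose rights matter: strategy 1 needs "Delete subtree" on the user object, strategy 2 needs delete rights on each child object and on the user; a refused delete shows up as the same error the question reports, so logging which DN failed (as delete_subtree_client_side does) is what tells you whether it is a rights problem or a non-leaf problem.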


1 Answer

  • May 04, 2016 at 06:27 PM

    Hi Julien,

    Can you explain how these containers were set up?

    My guess is that the account specified in Directory Login Name does not have sufficient privileges to do the required actions. They will need these privileges to do the deletion.



    • I use PowerShell to delete the ExchangeActiveSyncDevices and a ToLDAP pass to delete the OU afterwards (including skipping the entry if no mobiles are active).

      This is the ps1 file I write to the IdM server and then call using a dispatcher which is executed by the Exchange/domain admin.

      # Open a remote session to the Exchange Management Shell endpoint (Kerberos auth).
      $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ExchangeServer>/powershell -Authentication Kerberos

      # Remove the ActiveSync device object under the user; -ViewEntireForest lets the cmdlet
      # find objects outside the default scope, and errors (stream 2) are appended to the log file.
      Invoke-Command -Session $session -ScriptBlock {Set-AdServerSettings -ViewEntireForest $true; Remove-ActiveSyncDevice -Confirm:$false -Identity "<DN>" -DomainController "<DC>"} 2> <PathToLogFile>

      # Tear the remote session down again.
      Remove-PSSession $session

      Recursive deleting, have to remember that one. 😊 Maybe in a future version I'll add this.