Skip to Content

Unable to delete accounts in Active Directory from SAP IdM 8.0

While deleting the user from Active Directory using SAP IDM 8.0, we are getting below error -

ToDSADirect.deleteEntry(CN=Last\, First,OU=XX,DC=XX,DC=com) java.lang.Throwable: [LDAP: error code 66 - 00002015: UpdErr: DSID-031A12A5, problem 6003 (CANT_ON_NON_LEAF), data 0]

On checking in LDAP, we found these accounts have sub-tree items.

As a solution, we tried updating the changeType in DeleteADSUser pass to "deletesubtree" but still issue persists.

Can anyone help us on this with a solution or maybe guide us to a KBA/note/SCN link which might be useful

delete-pass.jpg (111.5 kB)
Add a comment
10|10000 characters needed characters exceeded

  • Hi Nawanshu,

    Thank you for visiting SAP Community to get answers to your questions. I am here to help you to get the most out of it.

    First of all, I recommend that you familiarize yourself with https://community.sap.com/resources/questions-and-answers (if you haven't done so already), as it provides tips for preparing questions that draw responses from our members.
    Please also make sure you're using all appropriate tags, so the right experts can find your question. Overall, the more details you provide, the more likely it is that members will be able to assist you. Should you wish, you can revise your question by selecting Actions, then Edit (although once someone answers your question, you'll lose the ability to edit the question - but if that happens, you can leave more details in a comment).

    Finally, if you're hoping to connect with readers, please consider adding a picture to your profile. Here's how you do it: https://www.youtube.com/watch?v=F5JdUbyjfMA&list=PLpQebylHrdh5s3gwy-h6RtymfDpoz3vDS. By personalizing your profile with a photo of you, you encourage readers to respond.

    Best,

    Lena (SAP Community Moderator)

Assigned Tags

Related questions

1 Answer

  • Posted on Aug 05, 2020 at 03:45 PM

    Hello Nawanshu,

    the reason behind are the assigned mobiles you can see below the user object in AD.

    I have a nightly job running that reads all users and their mobiles, counter-checks the deactivation states and then removes the mobiles and the container they are in. After that the normal deletion job, which follows three months later, can successfully run.

    I recommend doing it in a job as one user can have more than one mobile assigned. So it's easier to do the Source tab query of a batch job, then running a task in a loop until all mobiles and the container are removed.

    Kind regards

    Dominik

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.