Most accounts deprovisioned under a policy that deletes the account after X days of retention are deleted as expected. A few are not.
Viewing the Effective Access on these accounts through native Windows security shows that the Active Roles Service Account does not have the Delete or Delete Subtree permission needed to remove the account.
If an account is a member of a Windows Protected Group, its adminCount attribute is set to 1 and the AdminSDHolder security template is automatically applied to it every 60 minutes.
By default, this security template explicitly disables inheritance on the object and revokes the delete permissions.
For more information on adminCount and the AdminSdHolder security template, please consult TechNet.
If you want affected accounts to be deleted normally:
One Identity considers it a best practice to handle these operations manually rather than programmatically, because of the potential impact of deleting privileged accounts.
A triggered Workflow should be configured to interrupt and/or notify when a Deprovision operation is performed against an account which has an adminCount value of 1.
Note: In some instances inheritance may need to be re-enabled on the user object. The change may not be reflected in the value seen by Active Roles, and the object may still be ignored by the scheduled task that runs the Deletion of Deprovisioned Objects. Further details are explained here: Microsoft Link.
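The following audit script is an added example and is not One Identity's or Active Roles' own code. It lists every user currently stamped with adminCount = 1, reports whether inheritance has been disabled on the object, and checks whether the configured service account still holds an Allow entry for Delete, Delete Subtree or Full Control on the object itself. It assumes the RSAT ActiveDirectory module is installed and that the $ServiceAccount value (a placeholder) is replaced with the real Active Roles Service Account.

```powershell
# Added audit example (not One Identity code). Requires the RSAT ActiveDirectory module,
# which also provides the AD: PSDrive used by Get-Acl below.
Import-Module ActiveDirectory

# Assumption / placeholder: replace with the Active Roles Service Account in DOMAIN\name form.
$ServiceAccount = 'CONTOSO\svc-ActiveRoles'

# Rights on the object itself that allow it to be removed. DeleteChild on the parent OU
# is deliberately not evaluated here; this check looks only at the user object's own DACL.
$deleteMask = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Users that SDProp has stamped because they are (or were) members of a Protected Group.
$protectedUsers = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

foreach ($user in $protectedUsers) {
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # Allow entries for the service account whose rights overlap the delete mask.
    $allowDelete = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $deleteMask) -ne 0)
    }

    # Explicit Deny entries for the same account would override any Allow, so surface them too.
    $denyDelete = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Deny' -and
        (($_.ActiveDirectoryRights -band $deleteMask) -ne 0)
    }

    [PSCustomObject]@{
        SamAccountName          = $user.SamAccountName
        AdminCount              = $user.adminCount
        InheritanceDisabled     = $acl.AreAccessRulesProtected   # True after SDProp stamping
        ServiceAccountCanDelete = ([bool]$allowDelete -and -not [bool]$denyDelete)
    }
}
```

Run the script on a domain-joined administrative host before relying on the retention policy: any row with InheritanceDisabled set to True and ServiceAccountCanDelete set to False is an account the scheduled deletion will silently skip, and is the kind of object a triggered Workflow on adminCount = 1 should route to a human operator.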