Some Deprovisioned objects may not be automatically deleted by the Active Roles Scheduled Task or Workflow, even if the objects should be deleted according to the Deprovisioning Policy settings.
This error may be seen in the Active Roles Event Log:
0x80070005 ( E_ACCESSDENIED ) Access Denied.
It may be possible to delete the object in Active Roles Console, but you may be prompted with Delete Object notifications for each of the child objects.
Other Active Roles clients such as the Active Roles Synchronization Service or Identity Manager will fail to delete an object with the error code:
0x8004106E
WORKAROUND
Using native tools such as ADUC (Active Directory Users and Computers) or ADSIEdit, grant the following permissions explicitly on the OU that contains the Deprovisioned objects to the Active Roles service account OR to the Override Account for the Managed Domain (if explicitly set):
Ensure the "This object and all child objects" option is selected when applying permissions.
IMPORTANT: Make sure the permission inheritance is not blocked on the Deprovisioned objects. To verify that, follow the steps below:
Please Note:
The Scheduled Task, Deletion of Deprovisioned Objects, has to delete both the parent object and its leaf nodes in a single call. To do this, the Scheduled Task adds the 'EDS_CONTROL_TREE_DELETE' control so that the whole tree is deleted in a single request; it is not an interactive operation and does not prompt for each child. This is why the explicit Delete Subtree and Delete All Child Objects permissions are required, even if the Deprovisioned object does not contain leaf objects.
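The following PowerShell is an added example, not part of the One Identity article, showing one way to apply the workaround above and to check for blocked inheritance. It assumes the ActiveDirectory module (and its AD: drive) is available, and the OU distinguished name and the account name are placeholders you replace with your own Deprovisioned OU and the Active Roles service account or Override Account. It grants Delete Subtree (DeleteTree) and Delete All Child Objects (DeleteChild) with inheritance set to "This object and all child objects", then lists any object under the OU that has permission inheritance blocked, since such objects will not receive the new entry and the scheduled deletion will still fail on them.

```powershell
# Added example (not from the One Identity article).
# Grants Delete Subtree and Delete All Child Objects on the Deprovisioned OU to
# the Active Roles service account (or the Override Account), then reports any
# child object that blocks permission inheritance.
Import-Module ActiveDirectory

$ouDn        = 'OU=Deprovisioned,DC=example,DC=com'   # placeholder: your Deprovisioned OU
$serviceAcct = 'EXAMPLE\svc-activeroles'               # placeholder: service or override account

$identity = New-Object System.Security.Principal.NTAccount($serviceAcct)
$sid      = $identity.Translate([System.Security.Principal.SecurityIdentifier])

# Delete Subtree = DeleteTree, Delete All Child Objects = DeleteChild.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

# InheritanceType All corresponds to "This object and all child objects".
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: objects with inheritance blocked do not receive the new entry,
# so the tree delete issued by the Scheduled Task still fails for them.
$blocked = Get-ADObject -SearchBase $ouDn -SearchScope Subtree -Filter * |
    ForEach-Object {
        $objAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        if ($objAcl.AreAccessRulesProtected) { $_.DistinguishedName }
    }

if ($blocked) {
    Write-Warning "Permission inheritance is blocked on the following objects; unblock it or grant the rights explicitly:"
    $blocked | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "No objects under $ouDn block permission inheritance."
}
```

Run this as an account that may modify the security descriptor of the OU. The script is idempotent in the sense that adding an identical access rule a second time does not create a duplicate entry, so it can be re-run after unblocking inheritance on the reported objects.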
© 2025 One Identity LLC. All rights reserved.