This workaround shows how to find and edit the permissions on a single user leaf object natively with ADSI Edit.
1- On a Domain Controller, open ADSI Edit
2- Navigate to the specific user object container and check for any leaf objects
3- Review the permissions on the Security tab
To modify or add the Active Roles service account's permissions over the leaf object:
1- On the leaf object container, go to the Advanced tab
2- Modify the Active Roles service account entry with the appropriate permissions by checking Delete
3- Click Apply
Retry deleting the user object in Active Roles; this should resolve the issue.
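The same review can be scripted. The following PowerShell is an added example, not part of the original article or of Active Roles; it assumes the ActiveDirectory module (RSAT) is installed, and the distinguished name and account name are constructed placeholders. It lists the leaf objects under a user, reports whether the service account holds a direct Allow ACE that includes Delete, and adds that ACE only when `$Grant` is set.

```powershell
# Constructed placeholders: replace with your own values.
$UserDN         = 'CN=Jane Doe,OU=Staff,DC=example,DC=com'
$ServiceAccount = 'EXAMPLE\svc-activeroles'
$Grant          = $false   # set to $true only after reviewing the report

Import-Module ActiveDirectory                     # Get-ADObject and the AD: drive
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectoryAccessRule types

$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate($sidType)
$delete  = [System.DirectoryServices.ActiveDirectoryRights]::Delete
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Leaf objects are the direct children of the user object.
$leaves = Get-ADObject -SearchBase $UserDN -SearchScope OneLevel -Filter *

foreach ($leaf in $leaves) {
    $path = "AD:\$($leaf.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Only ACEs that name the account directly are matched here; rights
    # granted through group membership will not show up in this check.
    $match = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq $allow -and
        $_.ActiveDirectoryRights.HasFlag($delete)
    }

    $granted = $false
    if (-not $match -and $Grant) {
        # Equivalent of checking Delete for the account on the Advanced tab.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $delete, $allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        $granted = $true
    }

    [pscustomobject]@{
        LeafObject   = $leaf.DistinguishedName
        ObjectClass  = $leaf.ObjectClass
        HadDeleteAce = [bool]$match
        AceAdded     = $granted
    }
}
```

Run it first with `$Grant = $false` to get a read-only report of which leaf objects lack the Delete permission.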
For the full solution, which implements a special parameter called Active Roles Controls that enables deleting tree objects, go to:
Unable to delete user accounts with child object in Active Roles (337566)