When attempting to delete an object (for example, a User) that has a leaf object associated with it, an error like the following appears in the ARS logs:
ADSI error: 00002015: UpdErr: DSID-031A11DF, problem 6003 (CANT_ON_NON_LEAF), data 0
TMcException: The directory service can perform the requested operation only on a leaf object.
TException: Administration Service encountered an error when deleting the object 'CN=USER1,DC=OU1,DC=DOMAIN,DC=NAME'., file = d:\activeroles\ars-6.5.0\sources\ars\6.5.0\core\units\ads\source\Operations.cpp line = 889
[2011-06-15T08:56:27.702] [0xF60]: RequestExecutionSequence.ProcessRequest: Administration Service encountered an error when deleting the object 'CN=USER1,DC=OU1,DC=DOMAIN,DC=NAME'.
The directory service can perform the requested operation only on a leaf object. (Exception from HRESULT: 0x80072015)
This is usually caused by insufficient permissions on the leaf object. Some third-party applications create leaf objects under the user to store sensitive data such as hash keys, encryption information, or ActiveSync device objects. By design, these leaf objects may have no permission inheritance at the leaf level, which prevents Active Roles from accessing them as expected, particularly during deletion. This can affect initiator accounts that would otherwise have Full Control.
Create a new Access Template, or modify an existing one, and add the following permission entry:
Allow | Delete All Child Objects | All Classes
NOTE: A more restrictive Access Template can be created by limiting the entry to the desired object class only. Examine the class of the parent of the leaf object and create the Access Template accordingly.
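Before changing templates, it helps to confirm the cause the article describes: which leaf objects sit under the user, whether inheritance is blocked on them, and what delete rights the initiator holds natively. The following script is an added example, not part of the original article or of Active Roles; it assumes the ActiveDirectory PowerShell module (and the AD: drive it provides) and uses placeholder values for the user DN and initiator account. It reports native AD permissions only, which is an assumption about where to look, not a statement of how Active Roles evaluates its own Access Templates.

```powershell
# Added diagnostic example (not from the original KB article).
# Assumes the ActiveDirectory module; $userDn and $initiator are placeholders to replace.
Import-Module ActiveDirectory

$userDn    = 'CN=USER1,OU=Users,DC=example,DC=com'   # placeholder: object that fails to delete
$initiator = 'EXAMPLE\initiator'                      # placeholder: account performing the delete

function Get-LeafDeleteRights {
    param([string]$ParentDn, [string]$Identity)

    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $parent = Get-ADObject -Identity $ParentDn -Properties objectClass

    # Any object one level below the user is what makes the user a non-leaf object.
    $children = Get-ADObject -SearchBase $ParentDn -SearchScope OneLevel -Filter * -Properties objectClass

    foreach ($child in $children) {
        $acl = Get-Acl -Path ("AD:\" + $child.DistinguishedName)

        # ACEs for the initiator that carry Delete (on the leaf), DeleteChild, or GenericAll.
        $relevant = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Identity -and (
                $_.ActiveDirectoryRights.HasFlag($rights::Delete) -or
                $_.ActiveDirectoryRights.HasFlag($rights::DeleteChild) -or
                $_.ActiveDirectoryRights.HasFlag($rights::GenericAll))
        }

        [pscustomobject]@{
            LeafDn             = $child.DistinguishedName
            LeafClass          = $child.ObjectClass      # class to scope a restrictive template on
            ParentClass        = $parent.ObjectClass
            InheritanceBlocked = $acl.AreAccessRulesProtected   # $true = no inheritance at the leaf
            AllowDelete        = @($relevant | Where-Object AccessControlType -eq 'Allow').Count -gt 0
            DenyDelete         = @($relevant | Where-Object AccessControlType -eq 'Deny').Count -gt 0
        }
    }
}

# The article's fix, "Delete All Child Objects", corresponds to the DeleteChild right on the parent;
# report whether the initiator already holds it natively on the user object.
$parentAcl = Get-Acl -Path ("AD:\" + $userDn)
$hasDeleteChild = @($parentAcl.Access | Where-Object {
    $_.IdentityReference.Value -eq $initiator -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)
}).Count -gt 0

Get-LeafDeleteRights -ParentDn $userDn -Identity $initiator | Format-Table -AutoSize
"Initiator has DeleteChild on parent: $hasDeleteChild"
```

A row with InheritanceBlocked set to $true and AllowDelete set to $false is the situation the article describes; the LeafClass and ParentClass columns give the information needed to scope a more restrictive Access Template.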