-
Title
Unable to delete computer objects with BitLocker subtree/leaf object. -
Description
Unable to delete computer objects with BitLocker subtree/leaf object. -
Cause
In the context of a Change Workflow, since the BitLocker leaf object has its own object class and separate permissions, a delegated admin may not have the necessary access to perform a Delete operation on the leaf object.
In the context of a Change Workflow, Active Roles will only perform one "Delete" operation per Delete activity, by design.
-
Resolution
When working with a Change Workflow
Creating a template with the following permissions for a Global Security Group was found to allow users in that group the ability to delete a computer object with a BitLocker subtree/leaf object.
- Delete tree – All classes -> this checked Delete subtree and others for This object and all descendant objects under Security/Advanced/Special
- Delete All Child Objects – All classes -> this checked Delete msFVE-RecoveryInformation objects, Delete all child objects and others for This object and all descendant objects under Security/Advanced/Special
When working with an Automation WorkflowA Search Activity is needed to return the desired Computer objects. Before a delete is performed, a search