-
Title
Unable to delete Active Directory objects with leaf objects -
Description
When attempting to delete an object (example: User) who has a leaf object associated to it, and the following error will appear in the Active Roles Admin Service log in the Windows Event Viewer:
ADSI error: 00002015: UpdErr: DSID-031A11DF, problem 6003 (CANT_ON_NON_LEAF), data 0
TMcException: The directory service can perform the requested operation only on a leaf object.
TException: Administration Service encountered an error when deleting the object 'CN=USER1,DC=OU1,DC=DOMAIN,DC=NAME'
The directory service can perform the requested operation only on a leaf object. (Exception from HRESULT: 0x80072015)
-
Cause
Usually this is caused by insufficient permissions on the leaf object. Some third party applications create leaf objects to store secure data such as hash keys, encryption information, or ActiveSync device objects. By design these leaf objects might not have any permission inheritance on the leaf level. This prevents Active Roles from being able to access this object as expected, especially during deletion. This issue can affect initiator accounts who would otherwise have Full Control.
-
Resolution
WORKAROUND
Create a new Access Template or modify an existing access template with the following permissions:
Allow | All Classes | Delete All Child Objects
Allow | Computer | List Contents
Allow | Computer | Delete Tree
Allow | All Classes | List*
Inside a new or existing access template:
- Select the Permissions tab and click Add
- Select All object classes | Next
- Select Creation/Deletion of child objects and check Delete child objects then click Next
- Select Child objects of any class | Finish
- Repeat for the other permissions listed above
- Link this Access Template to the desired trustees and the required location in Active Directory.
Also ensure that under the View menu within the Active Roles Console the following are selected to see Leaf Objects:
- Users and Contacts as Containers
- Computers and containers
*Note: The creation of a more restrictive Access Template is possible by limiting to only the desired class. Examine the class of the parent of the leaf object and create the Access Template accordingly. In some cases inheritance may not propagate to child objects where the permissions are applied.