When attempting to delete an object (example: User) who has a leaf object associated to it, and the following error will appear in the Active Roles Admin Service log in the Windows Event Viewer:
ADSI error: 00002015: UpdErr: DSID-031A11DF, problem 6003 (CANT_ON_NON_LEAF), data 0
TMcException: The directory service can perform the requested operation only on a leaf object.
TException: Administration Service encountered an error when deleting the object 'CN=USER1,DC=OU1,DC=DOMAIN,DC=NAME'
The directory service can perform the requested operation only on a leaf object. (Exception from HRESULT: 0x80072015)
Usually this is caused by insufficient permissions on the leaf object. Some third party applications create leaf objects to store secure data such as hash keys, encryption information, or ActiveSync device objects. By design these leaf objects might not have any permission inheritance on the leaf level. This prevents Active Roles from being able to access this object as expected, especially during deletion. This issue can affect initiator accounts who would otherwise have Full Control.
Create a new Access Template or modify an existing access template with the following permissions:
Allow | All Classes | Delete All Child Objects
Allow | Computer | List Contents
Allow | Computer | Delete Tree
Allow | All Classes | List*
Inside a new or existing access template:
Also ensure that under the View menu within the Active Roles Console the following are selected to see Leaf Objects:
*Note: The creation of a more restrictive Access Template is possible by limiting to only the desired class. Examine the class of the parent of the leaf object and create the Access Template accordingly. In some cases inheritance may not propagate to child objects where the permissions are applied.