-
Title
Unable to delete Active Directory objects with leaf objects -
Description
When attempting to delete an object (example: User) who has a leaf object associated to it, and the following error will appear in the Active Roles Admin Service log in the Windows Event Viewer:
ADSI error: 00002015: UpdErr: DSID-031A11DF, problem 6003 (CANT_ON_NON_LEAF), data 0
TMcException: The directory service can perform the requested operation only on a leaf object.
TException: Administration Service encountered an error when deleting the object 'CN=USER1,DC=OU1,DC=DOMAIN,DC=NAME'
The directory service can perform the requested operation only on a leaf object. (Exception from HRESULT: 0x80072015)
-
Cause
Usually this is caused by insufficient permissions on the leaf object. Some third party applications create leaf objects to store secure data such as hash keys, encryption information, or ActiveSync device objects. By design these leaf objects might not have any permission inheritance on the leaf level. This prevents Active Roles from being able to access this object as expected, especially during deletion. This issue can affect initiator accounts who would otherwise have Full Control.
-
Resolution
WORKAROUND
Create a new Access Template or modify an existing access template with the following permission:
Allow | Delete All Child Objects | All Classes
Inside a new or existing access template:
- Select the Permissions tab and click Add
- Select All object classes | Next
- Select Creation/Deletion of child objects and check Delete child objects then click Next
- Select Child objects of any class | Finish
- Link this Access Template to the desired trustees and the required location in Active Directory.
Also ensure that under the View menu within the Active Roles Console the following are selected to see Leaf Objects:
- Users and Contacts as Containers
- Computers and containers
Note: The creation of a more restrictive Access Template is possible by limiting to only the desired class. Examine the class of the parent of the leaf object and create the Access Template accordingly. In some cases inheritance may not propagate to child objects where the permissions are applied.