WORKAROUND
NOTE: Before proceeding, make sure the object to delete is a User class object (objectClass=User) that does not belong to any administrative groups.
The steps below then enable this ability by setting the Active Roles "controls" to any value.
For this example, we will focus on User Objects.
EXAMPLE
If user objects have child objects in Active Directory (also known as leaf objects), Active Roles requires a special parameter, called Active Roles Controls, to be set for the Service Account before it can delete them, even if the service account has Domain Admin rights. Follow the steps below in the Active Roles MMC to enable this feature.
1. In the Active Roles Console, create a custom script module with an onPreDelete function.
2. Paste the following script text:

    function onPreDelete($Request) {
        # Only user objects are handled; every other object class is left untouched.
        if ($Request.Class -ne 'user') { return }
        # Setting the tree-delete control to any value lets the delete request remove leaf objects too.
        $Request.PutInControl($Constants.EDS_CONTROL_TREE_DELETE, $Constants.ADSTYPE_CASE_IGNORE_STRING, "Any")
    }
3. Then go to Policies/Administration and create a Provisioning Policy
4. Under Policy to Configure choose Script Execution
5. Under Script Module select the newly created custom script in step 2
6. Under Enforce Policy, choose the container this policy should apply to, then finish the wizard.
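The same onPreDelete handler with the precaution from the NOTE above enforced in code, as an added example that is not the KB's own script. It assumes the Active Roles script-module context exposes $Request and $Constants as in the script above, plus $DirObj (the object being deleted, with the IADs Get method); the protected-group list is a constructed placeholder to adjust per environment.

```powershell
# Added example, not the KB's script. Assumes $Request, $Constants and $DirObj
# are provided by the Active Roles script-module context.
$ProtectedGroupNames = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')  # constructed list

function Test-IsProtectedAccount($TargetObj) {
    # adminCount=1 marks objects protected by AdminSDHolder, i.e. members of the
    # built-in administrative groups. A missing attribute throws, meaning "not set".
    try { if ([int]$TargetObj.Get('adminCount') -eq 1) { return $true } } catch { }
    try {
        # memberOf is DN-valued; compare the leading CN of each group DN against the list.
        foreach ($groupDn in @($TargetObj.Get('memberOf'))) {
            $cn = (($groupDn -split ',')[0]) -replace '^CN=', ''
            if ($ProtectedGroupNames -contains $cn) { return $true }
        }
    } catch { }   # no memberOf value on this object
    return $false
}

function onPreDelete($Request) {
    # Only user objects need the tree-delete control; leave every other class alone.
    if ($Request.Class -ne 'user') { return }
    # For administrative accounts the control is deliberately NOT added, so a delete
    # of a user that still has leaf objects fails as it would without this workaround.
    if (Test-IsProtectedAccount $DirObj) { return }
    $Request.PutInControl($Constants.EDS_CONTROL_TREE_DELETE, $Constants.ADSTYPE_CASE_IGNORE_STRING, 'Any')
}
```

Group names containing an escaped comma in their CN are not handled by the simple DN split and would need a proper DN parser.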
To confirm the script workaround, retry deleting the user object that has child objects in Active Directory.
There is also a related KB article that demonstrates how to manually find and edit the permissions on the child object using ADSI natively.
© 2025 One Identity LLC. ALL RIGHTS RESERVED.