Another Delete AD Account Question

I am trying to configure IDN to delete an AD Account. There are several posts on the subject and I have followed the advice given but still don’t seem to be able to delete an AD account.

I have set up the following configuration:
Identity Profile Provisioning: Lifecycle State: ‘preActive’; Configure Change: Enable Accounts; AD Source has been added to the list
Uploaded and attached the ‘Services Standard IdentityNow BeforeProvisioning Rule’ to the AD Source
Configured the Services Standard IdentityNow BeforeProvisioning Rule in the source to change the Enable operation to a Delete operation:

                {
                    "eventActions": [
                        {
                            "Action": "ChangeOperation",
                            "Attribute": null,
                            "Value": "Delete"
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Attribute": "cloudLifecycleState",
                            "Value": "preActive",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Enable"
                }

I modify the lifecycle state (manually via the Admin UI) from inactive to preActive but the AD Account is not deleted.
The event log shows the change to lifecycle state and a Modify Account Passed operation - but nothing about ‘delete’.

To test that the trigger is firing in the rule, I have modified the eventAction from ‘ChangeOperation’ to ‘UpdateAttribute’ to set the info attribute on the AD Account - this works as expected.

Is there anything else I need to configure to enable the ChangeOperation to Delete to cause the AD Account to get deleted?

Hi @ady11
Could you please check this post once?
[IDN] Account Deletion BP Rule run but the accounts didn't delete - #16 by gourab

Thanks for the response Gourab.

I have configured the Identity Profile per the linked item (and other posts).

I have found the issue - but do not know how to resolve it. The system event log shows the following error: "Exception occurred while executing the RPCRequest: Errors returned from IQService. Error occurred while deleting the account [dn of the account removed]. The directory service can perform the requested operation only on a leaf object. The directory service can perform the requested operation only on a leaf object. 00002015: UpdErr: DSID-031A121E, problem 6003 (CANT_ON_NON_LEAF), data 0 00002015: UpdErr: DSID-031A121E, problem 6003 (CANT_ON_NON_LEAF), data 0 . HRESULT:[0x80072015]. In order to delete a non-leaf object, 'deletesubtree' argument must be set as true in the account/object request."

I have tried adding 'AddArgument' in the rule configuration:

                {
                    "eventActions": [
                        {
                            "Action": "AddArgument",
                            "Attribute": "deletesubtree",
                            "Value": "true"
                        },
                        {
                            "Action": "ChangeOperation",
                            "Attribute": null,
                            "Value": "Delete"
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Attribute": "cloudLifecycleState",
                            "Operation": "eq",
                            "Value": "preActive"
                        }
                    ],
                    "Operation": "Enable"
                }

But still get the same error.

Any ideas of how to set the deletesubtree argument?

I found this: Set deletesubtree to True when deleting AD accounts. Seems like people are using a PS script instead of a BP rule to handle this use case.

Yes - looks like that is the only option!
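The CANT_ON_NON_LEAF error quoted earlier in the thread (00002015, HRESULT 0x80072015) means the user object has child objects underneath it, so a plain LDAP delete is refused. The script below is an added example, not code from this thread, from SailPoint, or from the linked post, and it is plain PowerShell rather than an IQService integration: it first lists the children of the given DN (so you can see why the account is not a leaf), then, only when -Force is passed, removes the object together with its subtree. It assumes the RSAT ActiveDirectory module is installed and that the caller holds delete rights on the object and everything beneath it; the parameter names are my own.

```powershell
# Added example (not from the thread): diagnose and delete a non-leaf AD object.
# Assumes the RSAT ActiveDirectory module and delete rights on the target subtree.
# Dry run by default; pass -Force to actually delete.
param(
    [Parameter(Mandatory)] [string] $DistinguishedName,
    [switch] $Force
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve the object first so a mistyped DN fails here, not at delete time.
$target = Get-ADObject -Identity $DistinguishedName -ErrorAction Stop

# A leaf object has no children. AD refuses a plain delete on a non-leaf object with
# 00002015 / problem 6003 (CANT_ON_NON_LEAF), HRESULT 0x80072015. Enumerate one level
# below the DN so the operator can see exactly what would be removed with it.
$children = Get-ADObject -SearchBase $DistinguishedName -SearchScope OneLevel -Filter * -ErrorAction Stop

if ($children) {
    Write-Host "$DistinguishedName is NOT a leaf object. Child objects:"
    $children | ForEach-Object {
        Write-Host ("  {0} ({1})" -f $_.DistinguishedName, $_.ObjectClass)
    }
} else {
    Write-Host "$DistinguishedName is a leaf object; a plain delete would succeed."
}

if (-not $Force) {
    Write-Host "Dry run only. Re-run with -Force to delete the object and its subtree."
    return
}

# -Recursive removes the object and all of its children in one operation, which is
# what the 'deletesubtree' argument in the IQService error message is asking for.
Remove-ADObject -Identity $target -Recursive -Confirm:$false -ErrorAction Stop
Write-Host "Deleted $DistinguishedName and its subtree."
```

Run it once without -Force against the DN from the error to confirm which child objects are present (for user accounts these are typically device or mailbox-related containers created by other systems); only then decide whether deleting the subtree is acceptable, since -Recursive will remove those children regardless of what created them.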