Error when removing AD accounts with child objects - 6003 (CANT_ON_NON_LEAF)

Hello Team.

Recently we have stumbled upon the error mentioned in the title during termination of AD accounts from IdentityNow. These accounts have child objects connected to their AD accounts which are interfering with the cloud rule that is deleting AD accounts on termination.

Currently we are using the “Services Standard IdentityNow BeforeProvisioning Rule” which is a Cloud Rule Sailpoint implemented into our tenant and lets us delete AD accounts at a certain LCS. Documentation for that rule: Services Standard IdentityNow BeforeProvisioning Rule - README.pdf (68.5 KB)

To remove AD accounts with child objects it seems like we need to use the -Recursive command in PowerShell, but I don’t see how that is possible as we are using this generic Rule.

Is there any way to fix this issue, either via the Rule or somehow inside of Active Directory without having to execute any external script?

Error screenshot:


Hello Sebastian,
Were you able to fix the issue?
If so, please share, as I have a similar issue.

Thanks

I would suggest trying to add a Deletion Policy on the source (create-provisioning-policy | SailPoint Developer Community) which has a field named deleteSubTree with a boolean value of true. See these associated Compass articles for more info:

Always good to check on the permissions of your service account as well.
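As an added illustration of the policy-based approach suggested above (this is example code, not something posted in the thread or shipped by SailPoint), the following PowerShell creates a DELETE provisioning policy on an AD source through the IdentityNow v3 `create-provisioning-policy` endpoint and sets the `deleteSubTree` field to `true` via a static transform. The tenant name, API client credentials and source id are placeholders, and the field `type` value of `"boolean"` is an assumption; check the policy in the UI after creation. The script also refuses to create a second DELETE policy if one already exists, so an existing policy is reviewed rather than silently duplicated.

```powershell
# Added example (not from the thread): create a DELETE provisioning policy on an
# IdentityNow AD source that sets deleteSubTree = true, using the v3 API.
# Placeholders/assumptions: tenant name, client id/secret, source id, field type.
$Tenant       = "your-tenant"        # placeholder
$ClientId     = "<client-id>"        # placeholder
$ClientSecret = "<client-secret>"    # placeholder
$SourceId     = "<ad-source-id>"     # placeholder: list GET /v3/sources to find it

$base = "https://$Tenant.api.identitynow.com"

# Client-credentials token for an API client allowed to manage source provisioning policies.
$token = (Invoke-RestMethod -Method Post -Uri "$base/oauth/token" -Body @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
}).access_token

$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }

# Do not overwrite an existing DELETE policy; show it so it can be edited instead.
$existing = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$base/v3/sources/$SourceId/provisioning-policies"
$current = $existing | Where-Object usageType -eq "DELETE"
if ($current) {
    Write-Warning "A DELETE policy already exists on source $SourceId; edit it rather than adding another."
    $current | ConvertTo-Json -Depth 10
    return
}

# deleteSubTree is the field named in the thread; the static transform supplies the literal "true".
$policy = @{
    name        = "Delete Account"
    description = "Delete the AD account together with any child objects"
    usageType   = "DELETE"
    fields      = @(
        @{
            name          = "deleteSubTree"
            type          = "boolean"     # assumption: adjust if the tenant expects "string"
            isRequired    = $false
            isMultiValued = $false
            attributes    = @{}
            transform     = @{ type = "static"; attributes = @{ value = "true" } }
        }
    )
}

Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$base/v3/sources/$SourceId/provisioning-policies" `
    -Body ($policy | ConvertTo-Json -Depth 10)
```

After the policy exists, the next termination that triggers the delete should carry the subtree flag with it, so the non-leaf error no longer depends on anything running outside the connector. As noted above, the service account still needs delete rights on the user object and on everything beneath it.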

Is this possible for IdentityNow? The posts you linked to are both IIQ related.

Hello Michael!

Yes,
We are now using a PowerShell script via a BeforeModify Rule to delete all leaf objects on user accounts at a certain lifecycle state in Active Directory.
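For readers who end up on the script route described in this reply, here is an added example of what such a cleanup looks like in PowerShell; it is not the poster's script and is not part of the thread. It assumes the RSAT ActiveDirectory module, an account permitted to delete the user and its subtree, and that the target is identified by sAMAccountName. It lists the child objects first (these are what make the account a non-leaf, for example an msExchActiveSyncDevices container) and only deletes when `-Force` is supplied, so the default run is a dry run.

```powershell
# Added example (not the poster's script): remove a terminated user's AD account
# together with its child objects. Requires the ActiveDirectory module (RSAT).
# Assumption: the target is identified by sAMAccountName via -SamAccountName.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [switch] $Force                      # without -Force the script only reports
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

# Anything beneath the user object is what turns a plain delete into CANT_ON_NON_LEAF.
$children = Get-ADObject -SearchBase $user.DistinguishedName -SearchScope Subtree -Filter * |
    Where-Object DistinguishedName -ne $user.DistinguishedName

Write-Host "Account : $($user.DistinguishedName)"
Write-Host "Children: $($children.Count)"
$children | ForEach-Object { Write-Host "  $($_.ObjectClass)  $($_.DistinguishedName)" }

if (-not $Force) {
    Write-Host "Dry run only; rerun with -Force to delete. Planned action:"
    Remove-ADObject -Identity $user.DistinguishedName -Recursive -WhatIf
    return
}

# -Recursive removes the object and its whole subtree in one operation;
# Remove-ADUser has no such switch and fails on non-leaf objects.
Remove-ADObject -Identity $user.DistinguishedName -Recursive -Confirm:$false
Write-Host "Deleted $($user.DistinguishedName) and $($children.Count) child object(s)."
```

Run it once without `-Force` against a test account to confirm the listed children are the expected ones (device partnerships, not something unrelated) before wiring the deletion into a rule, and keep the dry-run output as the audit record of what was removed.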

The connector framework is the same as IIQ, so you just need to set up the policy with the API endpoint I provided.