Set deletesubtree to True when deleting AD accounts

We are deleting AD accounts once users are in a terminated state. However, some accounts have child objects and the SVC can’t delete them unless “deletesubtree” is set to true.

Exception occurred while executing the RPCRequest: Errors returned from IQService. "Error occurred while deleting the account CN=Approve\, Aaron,OU=Users,OU=FCIB DEV Users,DC=widev,DC=FCdev,DC=comThe directory service can perform the requested operation only on a leaf object. The directory service can perform the requested operation only on a leaf object. 00002015: UpdErr: DSID-031A123C, problem 6003 (CANT_ON_NON_LEAF), data 0 00002015: UpdErr: DSID-031A123C, problem 6003 (CANT_ON_NON_LEAF), data 0 . HRESULT:[0x80072015]. In order to delete a non-leaf object, 'deletesubtree' argument must be set as true in the account/object request."

We tried using UpdateAttribute in a beforeProvisioning rule to set this attribute to true, but it either takes issue with the fact that it is a boolean and can’t convert it to string (when using "Value": true) or generates the same error (when using "Value": "true"). Any advice?

P.S: I have thought about using a before delete rule to add this flag but I’m not quite sure how I can leverage it using PowerShell.

We ran into this issue recently. In our case, we used to have ActiveSync in our environment, and that created leaf objects for any accounts using ActiveSync.

We were not able to find a solution in ISC. The problem is that you have to modify the Delete command itself. Potentially you could use a Rule to call a PowerShell script to do the delete, instead of having ISC natively do it. We decided we didn’t want to spend the time on creating a Rule.

We ended up writing a standalone PowerShell script to strip the ActiveSync leafs from all accounts. Ran that one time, and haven’t had any issues with Delete via ISC.
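
A sketch of the kind of one-time cleanup described in the reply above, added here as an example; it is not the poster's script and not SailPoint code. It lists every direct child object under user accounts in an OU (the condition behind `CANT_ON_NON_LEAF`) and removes only children of one object class. The parameter names and the default class `msExchActiveSyncDevices` (the container Exchange creates under a user for ActiveSync devices) are assumptions to verify in your own directory.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report child objects under user accounts and optionally
# remove those of a single, explicitly named object class.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: OU that holds the accounts to check (supply your own DN)
    [Parameter(Mandatory)]
    [string]$SearchBase,

    # Assumption: object class of the children that are safe to remove.
    # Children of any other class are reported but never deleted.
    [string]$LeafClass = 'msExchActiveSyncDevices'
)

$users = Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree

foreach ($user in $users) {
    # OneLevel returns only direct children of the user object.
    # Any result here means AD treats the user as a non-leaf object.
    $children = Get-ADObject -Filter * `
        -SearchBase $user.DistinguishedName -SearchScope OneLevel

    foreach ($child in $children) {
        # Emit a record for every child so unexpected classes get reviewed
        [pscustomobject]@{
            User        = $user.SamAccountName
            Child       = $child.DistinguishedName
            ObjectClass = $child.ObjectClass
        }

        # Delete only the named class, and only when ShouldProcess allows it
        # (-WhatIf or -Confirm on the script are honoured here)
        if ($child.ObjectClass -eq $LeafClass -and
            $PSCmdlet.ShouldProcess($child.DistinguishedName, 'Remove child object')) {
            # -Recursive also removes the device entries inside the container
            Remove-ADObject -Identity $child.DistinguishedName `
                -Recursive -Confirm:$false
        }
    }
}
```

Running it with `-WhatIf` first produces the report without deleting anything, which also shows whether any account has children of a class other than the one you intend to remove.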

I managed to solve this using a Before Delete Rule and then calling a local IQService script which adds deletesubtree as an attributeRequest to the requestObject.
