Unable to delete disabled AD account with CN=ExchangeActiveSyncDevice even though inherit permissions is checked through MIIS RRS feed

  • Question

  • Hi Experts,

    One of our clients uses MIIS to manage some of the AD users. The issue we are facing is that we are unable to delete disabled accounts which were enabled for ActiveSync and have a child object created as CN=ExchangeActiveSyncDevice. I have read other blogs about this same issue, which was solved by checking "inherit permission". I have checked these users and found they already have the check mark. Also, the service account used by MIIS is listed in the Domain Admins group and has full control permissions on the user object. These disabled user objects can be deleted manually, but when tried from MIIS the deletion does not happen.

    Can I have some help and pointers, please?

    Thank you.

    Heman Gupta
    Thursday, May 2, 2013 4:25 AM

All replies

  • The AD management agent will only delete leaf objects. I believe that in my testing (quite some time ago) in ILM and FIM, if the object type of the child object under the user was not included in the MA's scope, it was willing to move the object, but I think it will still refuse to delete the object. You would first have to delete the child object. If you include the child objects in the AD MA scope and import them, MIIS probably won't even be willing to move the object (which you may or may not be trying to do).

    The problem you face is probably not a permissions problem, which you can verify by running ADUC as the AD MA service account and deleting the user, if you haven't already done so.  It is a limitation of the software and the Active Directory management agent provided.  The best you could do is move the objects to be deleted to a "burn bin" OU and periodically delete them manually or schedule a script to run.  If you schedule a script to run, it would be best to limit that service account's power and scope of control.

    I'm not sure if this limitation has been overcome in current versions of FIM 2010 or not.  My day job is in an environment that never deletes an object automatically.


    Thursday, May 2, 2013 9:31 PM
  • This issue has been resolved in FIM2010. As Chris says, this is because the call to AD to delete a non-leaf object is different than a leaf object. In FIM2010 we will do a cascade delete if the object type is a user object.
    Thursday, May 16, 2013 3:43 PM
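
The scheduled "burn bin" cleanup suggested in the first reply, combined with the non-leaf (cascade) delete described in the second, written as an added PowerShell example; it is not code from the thread's participants or from MIIS/FIM. The OU path is a hypothetical placeholder, and the allowlist assumes the ActiveSync child objects use the Exchange schema classes `msExchActiveSyncDevices` and `msExchActiveSyncDevice`.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical OU that the sync engine moves deprovisioned users into.
    [string]$BurnBinOU = 'OU=BurnBin,DC=example,DC=com',
    # Assumed allowlist: the only child classes the sweep may delete with a user.
    [string[]]$AllowedChildClasses = @('msExchActiveSyncDevices', 'msExchActiveSyncDevice')
)

# Candidates are disabled users sitting directly in the burn bin, nothing deeper.
$candidates = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $BurnBinOU -SearchScope OneLevel

foreach ($user in $candidates) {
    $dn = $user.DistinguishedName

    # Everything beneath the user (a subtree search also returns the user itself).
    $children = @(Get-ADObject -Filter * -SearchBase $dn -SearchScope Subtree |
        Where-Object { $_.DistinguishedName -ne $dn })

    # Refuse to cascade over anything that is not an expected ActiveSync object.
    $unexpected = @($children | Where-Object { $_.ObjectClass -notin $AllowedChildClasses })
    if ($unexpected.Count -gt 0) {
        Write-Warning "Skipping '$dn': unexpected children: $($unexpected.DistinguishedName -join '; ')"
        continue
    }

    if ($PSCmdlet.ShouldProcess($dn, "Delete user and $($children.Count) child object(s)")) {
        try {
            if ($children.Count -gt 0) {
                # Non-leaf object: a plain delete is rejected, so request a tree delete.
                Remove-ADObject -Identity $dn -Recursive -Confirm:$false -ErrorAction Stop
            }
            else {
                # Leaf object: an ordinary delete is enough.
                Remove-ADUser -Identity $dn -Confirm:$false -ErrorAction Stop
            }
            Write-Output "Deleted $dn"
        }
        catch {
            Write-Warning "Failed to delete '$dn': $($_.Exception.Message)"
        }
    }
}
```

Run it with `-WhatIf` first to list what would be removed, and schedule it under an account that is delegated delete rights on the burn-bin OU only, in line with the first reply's advice to limit that account's power and scope.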