Deprovision access denied

  • Question

  • I have deleted some user objects from the FIM portal but get "access denied" errors when I want to "export" those deletions to AD. Creating and modifying user objects from FIM to AD has no issues.

    Checked the FIM ADMA account, but that appears to have the right permissions to delete objects from that particular OU and downwards. What am I missing?

    Thanks,

    JD

    Wednesday, May 20, 2015 11:07 AM

All replies

  • Hi,

    If the user account has administrative permissions in AD, then AdminSGHolder could be the reason.

    Or maybe permissions are not inherited correctly to some objects.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Wednesday, May 20, 2015 12:14 PM
  • Thanks Peter. Had a look at one of the OUs from which FIM is trying to delete a user object. Did an "effective access" assessment for the FIM ADMA account and it has (amongst other permissions):

    • Delete
    • Delete all child objects
    • Delete contact objects
    • Delete account objects

    Not sure what you mean with AdminSGHolder might be causing issues.

    Update: deprovisioning of groups works fine.

    JD
    • Edited by JOTdude Thursday, May 21, 2015 7:05 AM
    Thursday, May 21, 2015 5:12 AM
  • +1 for Peter's suggestion. I think he may have misspelled, it is called AdminSDHolder. Have a look here - https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

    You can also have a look at the user that it is trying to delete, to see if it has a property set called 'adminCount' and/or has Inherit permission unticked under the Security pane.

    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    Thursday, May 21, 2015 9:56 AM
  • Have you checked to see if the object you're trying to delete has "protect this object from accidental deletion" set? There is a checkbox put on OUs by default now when they are created via ADUC, and I am thinking that there may be a similar idea for user objects too, if I recall correctly.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    • Proposed as answer by UNIFYBobMVP Thursday, August 13, 2015 11:35 AM
    Saturday, May 30, 2015 5:05 PM
  • More recently for me this turned out to be a case of permission inheritance being (misguidedly in this case) turned off for an OU containing a bunch of privileged user accounts - correction was turning inheritance back on.

    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    Saturday, December 5, 2015 7:33 AM
  • It will also need Delete Subtree on the user objects. (The AD MA does a delete subtree rather than a straight delete.)
    Monday, December 7, 2015 10:49 AM
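The replies above name four separate things that can turn a delete export into "access denied": AdminSDHolder/SDProp stamping the object (adminCount=1), inheritance switched off on the object or its parent OU, "protect from accidental deletion", and the AD MA needing Delete Subtree rather than plain Delete. The script below is an added example, not code from the thread or from any of the posters, that checks all four on one object. The account name, the DN and the domain are placeholders (assumptions); it needs the ActiveDirectory module from RSAT and read access to the object's security descriptor.

```powershell
# Added example, not from the thread: triage the causes the replies suggest for
# one user object that the FIM AD MA fails to delete.
# Needs the ActiveDirectory module (RSAT), which also provides the AD: drive.
# $MaAccount and $UserDn are placeholders (assumptions); substitute your AD MA
# service account and the DN of the object whose export fails.
Import-Module ActiveDirectory

$MaAccount = 'CONTOSO\svc-fim-adma'                      # assumed MA service account
$UserDn    = 'CN=Jane Doe,OU=Staff,DC=contoso,DC=com'    # assumed failing object

$user = Get-ADObject -Identity $UserDn -Properties adminCount, ProtectedFromAccidentalDeletion
$acl  = Get-Acl -Path "AD:\$UserDn"
# Parent container = everything after the first RDN (assumes no escaped commas in the CN)
$parentDn  = ($UserDn -split ',', 2)[1]
$parentAcl = Get-Acl -Path "AD:\$parentDn"

$findings = @()

# 1. AdminSDHolder: SDProp stamps adminCount=1 on members of protected groups,
#    copies the AdminSDHolder ACL onto them and disables inheritance, so the
#    MA's OU-level delete rights no longer reach the object.
if ($user.adminCount -eq 1) {
    $findings += 'adminCount=1: object is managed by AdminSDHolder/SDProp'
}

# 2. Inheritance switched off on the object itself or on its parent OU.
if ($acl.AreAccessRulesProtected) {
    $findings += 'inheritance is disabled on the object'
}
if ($parentAcl.AreAccessRulesProtected) {
    $findings += "inheritance is disabled on the parent container $parentDn"
}

# 3. "Protect object from accidental deletion" (a Deny Delete / Delete Subtree ACE
#    for Everyone, which wins over any Allow the MA account holds).
if ($user.ProtectedFromAccidentalDeletion) {
    $findings += 'ProtectedFromAccidentalDeletion is set'
}

# 4. The AD MA issues a tree delete, so the account needs Delete Subtree, not just
#    Delete. Only direct ACEs for the account are inspected here; rights granted
#    through group membership only show up in an "effective access" check.
$deleteTree = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$hasDeleteTree = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $MaAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $deleteTree) -eq $deleteTree)
}
if (-not $hasDeleteTree) {
    $findings += "no direct Allow ACE granting Delete Subtree to $MaAccount"
}

if ($findings.Count -eq 0) {
    Write-Output "No obvious cause found on $UserDn"
} else {
    Write-Output "Possible causes for the access-denied export on ${UserDn}:"
    $findings | ForEach-Object { Write-Output " - $_" }
}

# Remediation, to be run deliberately rather than blindly:
#   Set-ADObject -Identity $UserDn -ProtectedFromAccidentalDeletion $false
#   $acl.SetAccessRuleProtection($false, $true)
#   Set-Acl -Path "AD:\$UserDn" -AclObject $acl
# For adminCount=1 objects this only lasts until SDProp runs again (hourly by
# default): remove the account from the protected group first, or let the
# deletion happen from an account that holds rights on AdminSDHolder itself.
```

Run it as an account that can read the object's ACL, not as the MA account. The Delete Subtree check deliberately reports only ACEs that name the MA account directly: if the right comes through a group, the "effective access" tab the original poster used is the authoritative view, and this script will flag a false "no direct ACE" finding.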