Cannot remove user from AD, access is denied

    Question

  • I'm trying to remove a user from our AD using Adsiedit but I get this error:

    Operation failed. Error code: 0x5 Access is denied.
    00000005: SecErr:DSID-031A1256, problem 4003
    (INSUFF_ACCESS_RIGHTS), data 0

    I removed all permissions, made myself owner and gave myself full permissions but still same error.

    Somehow the user is messed up because it isn't visible in Users and Computers. When I check the account properties I also noticed that the sAMAccountType is 805306370 (TRUST_ACCOUNT).


    • Edited by MD_1977 Wednesday, January 4, 2017 12:25 PM
    Wednesday, January 4, 2017 12:24 PM

Answers

  • This account is a trust account and shouldn't be deleted manually (I figured out).

    I'm still wondering how and why this account was mail enabled.

    I'm also still wondering what trust is using this account.

    Please consider this issue as closed, although I still have the questions above.

    Thanks everyone for your response.

    • Marked as answer by MD_1977 Monday, January 16, 2017 7:04 AM
    Monday, January 16, 2017 7:04 AM

All replies

  • Hello,

    Can you check if the object is marked as "Protected from accidental deletion"? If so, you would need to remove that bit.

    /Regards

    Wednesday, January 4, 2017 1:11 PM
  • I cannot check this because the user is only visible in Adsiedit.

    Besides that, the Protection bit isn't an AD property, it only adds a Deny entry into the permissions. I already removed every listed permission entry, so I don't think this is the issue.

    Wednesday, January 4, 2017 1:17 PM
  • > the sAMAccountType is 805306370 (TRUST_ACCOUNT).
     
    You cannot delete Trust accounts that way. You have to use domain.msc and delete the trust. If it is not there, create it with the same name (in this domain only) and try again.
     
    Wednesday, January 4, 2017 2:43 PM
  • I read something about this before but it really doesn't make any sense to me. What does a corrupt user have to do with a non-existing trust?

    Anyway. The user has a common name of nl123, so should I create a trust with that name?

    Wednesday, January 4, 2017 8:17 PM
  • Hi,
    Not sure whether this account is a legacy of a trust which was set up before. In order to remove this account, please have a try:
    Recreate two-way trusts with ADDT: Active Directory Domains and Trusts. After the recreation of the trust, remove it and then see if it works.
    Here is a similar problem in the following thread, you could refer to more details:
    Cannot delete an user that only shows in ADSIEdit
    https://social.technet.microsoft.com/Forums/en-US/2feb31e6-cc2b-486f-9a67-c5c98d5582b2/cannot-delete-an-user-that-only-shows-in-adsiedit?forum=winserverDS
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, January 5, 2017 2:54 AM
    Moderator
  • What is the value of userAccountControl attribute? Can you post a full LDIF dump of the object so we can see all values set?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Thursday, January 5, 2017 3:44 AM
  • Ok, there you go:

    Expanding base 'CN=NL123,CN=Users,DC=internal,dc=domain,dc=local'...
    Getting 1 entries:
    Dn: CN=NL123,CN=Users,DC=internal,dc=domain,dc=local
    accountExpires: 9223372036854775807 (never); 
    badPasswordTime: 0 (never); 
    badPwdCount: 0; 
    cn: NL123; 
    codePage: 0; 
    countryCode: 0; 
    displayName: NL123; 
    distinguishedName: CN=NL123,CN=Users,DC=internal,dc=domain,dc=local; 
    dSCorePropagationData (5): 1/4/2017 12:58:31 PM W. Europe Standard Time; 1/4/2017 12:56:15 PM W. Europe Standard Time; 1/4/2017 12:48:04 PM W. Europe Standard Time; 1/4/2017 11:36:25 AM W. Europe Standard Time; 0x0 = (  ), 0x0 = (  ), 0x0 = (  ), 0x0 = (  ); 
    homeMDB: CN=STE-FP0001-P,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=internal,dc=domain,dc=local; 
    instanceType: 0x4 = ( WRITE ); 
    isCriticalSystemObject: TRUE; 
    lastLogoff: 0 (never); 
    lastLogon: 0 (never); 
    legacyExchangeDN: /o=company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user177af992; 
    logonCount: 0; 
    mail: foutief@domain.local; 
    mailNickname: NL123; 
    mDBUseDefaults: TRUE; 
    msExchArchiveQuota: 104857600; 
    msExchArchiveWarnQuota: 94371840; 
    msExchCalendarLoggingQuota: 6291456; 
    msExchDumpsterQuota: 31457280; 
    msExchDumpsterWarningQuota: 20971520; 
    msExchELCMailboxFlags: 130; 
    msExchHideFromAddressLists: TRUE; 
    msExchHomeServerName: /o=company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=STE-EX0001-P; 
    msExchMailboxGuid: 04a1d11b-3635-4d65-a627-91500f5a2ede; 
    msExchMailboxSecurityDescriptor: O:PSG:PSD:AI(A;CI;CCRC;;;PS)(A;CI;CC;;;S-1-5-21-2678953269-206826029-320639463-1108); 
    msExchPoliciesExcluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}; 
    msExchPreviousHomeMDB: CN=STE-FP0001-P,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=internal,dc=domain,dc=local; 
    msExchRBACPolicyLink: CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=internal,dc=domain,dc=local; 
    msExchRecipientDisplayType: 1073741824; 
    msExchRecipientTypeDetails: 1; 
    msExchTextMessagingState (2): 302120705; 16842751; 
    msExchUMDtmfMap (3): lastNameFirstName:65123; firstNameLastName:65123; emailAddress:3688433; 
    msExchUserAccountControl: 0; 
    msExchVersion: 88218628259840; 
    msExchWhenMailboxCreated: 20170102084739.0Z; 
    name: NL123; 
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,dc=domain,dc=local; 
    objectClass (4): top; person; organizationalPerson; user; 
    objectGUID: 0854e51d-ad4a-407c-8703-15a31bfc3137; 
    objectSid: S-1-5-21-2678953269-206826029-320639463-10477; 
    primaryGroupID: 513 = ( GROUP_RID_USERS ); 
    proxyAddresses: SMTP:foutief@domain.local; 
    pwdLastSet: 1/4/2017 2:12:45 PM W. Europe Standard Time; 
    sAMAccountName: NL$; 
    sAMAccountType: 805306370 = ( TRUST_ACCOUNT ); 
    showInAddressBook (2): CN=All Mailboxes(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=internal,dc=domain,dc=local; CN=All Recipients(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=internal,dc=domain,dc=local; 
    userAccountControl: 0x820 = ( PASSWD_NOTREQD | INTERDOMAIN_TRUST_ACCOUNT ); 
    userPrincipalName: NL123@internal.domain.local; 
    uSNChanged: 6081782; 
    uSNCreated: 652007; 
    whenChanged: 1/4/2017 2:12:45 PM W. Europe Standard Time; 
    whenCreated: 8/5/2016 10:40:43 AM W. Europe Standard Time; 

    Thursday, January 5, 2017 9:32 AM
  • Can you try to update userAccountControl to 0x200 (512) using LDP.exe or ADSIEDIT.msc:

    https://support.microsoft.com/en-us/kb/305144

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Thursday, January 5, 2017 10:54 AM
  • Try the below, this is for deletion of SID history, that will help:

    https://support.microsoft.com/en-us/kb/295758

    Thursday, January 5, 2017 11:08 AM
  • When I try to update the userAccountControl it gives me the same access is denied error.

    Deletion of SID history doesn't make sense as there is no SID history at all.

    To clarify some things. This account was just an ordinary user with a mailbox which became -somehow- corrupted.

    How can I see which accounts are used by which trusts?


    • Edited by MD_1977 Friday, January 6, 2017 7:18 AM
    Friday, January 6, 2017 7:15 AM
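The question of which trust an account like NL$ belongs to can be answered from the directory itself: an interdomain trust account's sAMAccountName is the trusted domain's NetBIOS name (the flatName of its trustedDomain object under CN=System) followed by "$". The script below is an added example, not posted in the thread; it assumes the RSAT ActiveDirectory module and read access to CN=System, lists every trust account in the domain, matches it to its trustedDomain object, decodes the two userAccountControl bits seen in the dump (0x820) and flags the anomaly from this case, a trust account that carries mail attributes.

```powershell
# Added example: correlate interdomain trust accounts with trustedDomain objects
# and flag trust accounts that have been mail-enabled. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

# The two bits that make up the userAccountControl value 0x820 from the dump.
$uacBits = @{ 0x20 = 'PASSWD_NOTREQD'; 0x800 = 'INTERDOMAIN_TRUST_ACCOUNT' }

# Trust accounts carry sAMAccountType 805306370 (TRUST_ACCOUNT).
$trustAccounts = Get-ADObject -LDAPFilter '(sAMAccountType=805306370)' `
    -Properties sAMAccountName, userAccountControl, mail, homeMDB, proxyAddresses, whenCreated

# trustedDomain objects live under CN=System; the matching trust account is
# named after the trusted domain's NetBIOS name (flatName) plus a trailing '$'.
$systemDn = 'CN=System,' + (Get-ADDomain).DistinguishedName
$trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -SearchBase $systemDn `
    -Properties flatName, trustDirection, whenCreated

$trustByAccount = @{}
foreach ($t in $trusts) {
    $trustByAccount[($t.flatName + '$').ToUpperInvariant()] = $t
}

foreach ($a in $trustAccounts) {
    $match = $trustByAccount[$a.sAMAccountName.ToUpperInvariant()]
    $flags = ($uacBits.Keys | Where-Object { $a.userAccountControl -band $_ } |
              ForEach-Object { $uacBits[$_] }) -join ' | '
    # A trust account should never carry Exchange/mail attributes; NL$ above did.
    $mailEnabled = [bool]($a.mail -or $a.homeMDB -or $a.proxyAddresses)
    $trustName = if ($match) { $match.flatName } else { '<no matching trustedDomain>' }
    $direction = if ($match) { $match.trustDirection } else { $null }

    [pscustomobject]@{
        TrustAccount = $a.sAMAccountName
        UAC          = '0x{0:X} ({1})' -f $a.userAccountControl, $flags
        Trust        = $trustName
        Direction    = $direction
        MailEnabled  = $mailEnabled
        Created      = $a.whenCreated
    }
}
```

A row with no matching trustedDomain is an orphaned trust account, and a row with MailEnabled set to True is the condition this thread describes; both are worth an audit of who modified the object (the dSCorePropagationData and whenChanged values in the dump give the time window).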
  • Hi,
    You could have a try to check if you could find the related information about the trust from the following registry on PDC:
    HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Accounts\Users\Names\<trustEDdomainname>$
    Please see details from: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/RegistryTips/Network/Interdomaintrustaccount.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy


    Monday, January 9, 2017 2:45 AM
    Moderator
  • The registry on our 2012R2 domain controller is empty, well the SAM\SAM branch I mean. 

    The article you mentioned is 13 years old. I guess something is changed in these years.

    However, I still don't understand how an ordinary user account can transform into a used trust account.

    Monday, January 9, 2017 9:50 AM
  • Hi,
    In my experience, it is hard to figure out the root cause, maybe, there was a trust account before which had the same name with this ordinary user account.
    In addition, how about to open up a case with Microsoft Technical Support to see if they could get more information regarding this problem: https://support.microsoft.com/en-us/contactus/?ws=support
    Best regards,
    Wendy


    Thursday, January 12, 2017 2:03 AM
    Moderator
  • I did some further investigation and it looks like it is a trust account after all.

    The creation date of the account is roughly the same as the date some trusts were created. I'm still looking for the command to see which trust uses which account.

    I'm also still wondering how a helpdesk employee (without domain admin rights) managed to mail enable such an account and turn it into a "normal" user account.

    Well, thanks for all the responses anyway. 

    Friday, January 13, 2017 9:13 AM
  • Hi,
    If you want to make this account normal, you may need to use an account with domain admin rights to delete it first and then recreate it. I doubt that an account without admin rights could get this done easily, just a suggestion.
    In addition, thank you for the feedback and update, if you resolve it using your own solution, please share your experience and solution here and we would appreciate you to mark them as answers. It will be greatly helpful to others who have the same question.
    Best regards,
    Wendy



    Monday, January 16, 2017 2:32 AM
    Moderator