FIM 2010 R2 - It is not possible to delete a user (Error: permission-issue, Error code: 5, Access denied)

  • Question

  • We have several domains to manage for our customers, so we have installed "FIM 2010 R2" to manage our admin accounts. But if I now try to delete a user, by deleting it from the "User Set", I get this error (please note the screenshot) after synchronization.

    Error

    Running management agent: AD MA xyz
    Error: Permission-issue
    Latest occurrence: 07.05.2015 15:30:06
    Initial occurrence: 07.05.2015 11:07:22
    Retry count: 15
    Connected data source error code: 5
    Connected data source error: Access is denied.


    I don't get any more information about this error, not in the eventvwr and not even in the FIM-Panel.

    Maybe someone knows more about this issue; I would be very thankful for help solving this problem.

    If more information is needed, let me know what kind.

    Thank you

    Thursday, May 7, 2015 2:31 PM

All replies

  • This means that the account that the AD MA runs under does not have the right to delete this object. The AD admin account may have extra security.


    Nosh Mernacaj, Identity Management Specialist

    • Proposed as answer by UNIFYBobMVP Monday, May 11, 2015 2:20 PM
    Thursday, May 7, 2015 2:51 PM
  • Hi,

    This is clearly a privilege issue for Active Directory Management Agent Account. 

    Whatever account you are using for your AD MA should have equivalent or higher privileges in Active Directory than the accounts you are trying to delete.


    If my answer helps you, do not forget to check "helpful post", and if it answers your question do not forget to "Mark it as an Answer". Thanks ~ Giriraj Singh Bhamu

    Friday, May 8, 2015 10:54 AM
  • Hi,

    I have the same problem as mala1988 when trying to delete an AD admin account via the FIM Active Directory Management Agent. (Error: Permission-issue / Access is denied.)

    But I have no problem deleting the user manually via the AD GUI with the same user ID that the FIM AD MA is configured with.

    I'm using the newest FIM version, 4.1.3646.0.

    Monday, August 17, 2015 7:29 AM
  • The AD MA is attempting a delete sub-tree rather than deleting the single object which the Active Directory Users & Computers will do.

    Check the account configured in the AD MA has the delete sub-tree permission on the user.

    Monday, August 24, 2015 10:10 AM
  • The account configured in the AD MA is domain admin.

    The account I'm attempting to delete has no subtree.

    Monday, August 24, 2015 3:13 PM
  • The issue is with the account being deleted. These accounts are protected from being accidentally deleted. As it stands, you will not be able to delete it via FIM. 

    Nosh Mernacaj, Identity Management Specialist

    Monday, August 24, 2015 3:15 PM
  • Ok, probably a different problem if it is a domain admin with permissions to delete.

    Even if the user object doesn't have any children, FIM will still do a delete subtree. It is for cases where there are ActiveSync objects under the user etc.

    Monday, August 24, 2015 3:16 PM
  • Additionally, I'd suggest looking at the value of the AdminCount attribute of the affected account, as it might be the cause.
    Wednesday, August 26, 2015 8:16 AM
  • I changed the AdminCount attribute value from 1 to 0 but I am still not able to delete the AD Admin Account with FIM.

    Is it true that I'm not able to delete an AD admin account through the standard AD MA with FIM?

    (the account configured in the AD MA is a Domain Admin Account)
    • Edited by fairtec Wednesday, August 26, 2015 9:13 AM
    Wednesday, August 26, 2015 9:05 AM
  • I just ran into this as well. Marc Hancock's suggestion was the one that did it for me: make sure Delete Subtree permissions are granted to the AD MA account.

    I've always used the approach where the AD MA account has Create Child and Delete Child (user) permissions. But somehow this isn't enough. A move works, but a delete doesn't... Not sure if FIM 2010 behaves differently from FIM 2010 R2.

    That's how Paul Williams describes it as well: http://blog.msresource.net/2011/12/07/delegating-the-minimum-set-of-permissions-for-user-provisioning/

    But for deleting a user this seems to be insufficient. After granting Delete Subtree, FIM is now able to delete the user. Here's how I did this using dsacls.

    dsacls "OU=Disabled Users,DC=Contoso,DC=com" /I:S /G CONTOSO\UserAdmins:SDDT;;user


    http://setspn.blogspot.com

    Wednesday, September 9, 2015 12:47 PM
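    A diagnostic that can be run before changing any ACLs, as an added PowerShell example that is not part of this thread: it lists the delete-related ACEs the AD MA identity holds on the OU for user objects, reports the target account's adminCount and ProtectedFromAccidentalDeletion flags, and shows any Deny ACE on the object itself covering Delete or DeleteTree (a Deny ACE wins even for a Domain Admin, which fits the symptoms reported above). It assumes the RSAT ActiveDirectory module; the OU and identity are taken from the dsacls line above, and the target sAMAccountName is a placeholder.

```powershell
# Added diagnostic example, not code from the thread. Assumes the RSAT ActiveDirectory module.
# The OU and identity reuse the dsacls example above; $target is a placeholder to replace.
Import-Module ActiveDirectory

$ouDn      = "OU=Disabled Users,DC=Contoso,DC=com"   # OU the AD MA deletes from
$maAccount = "CONTOSO\UserAdmins"                     # identity used by the AD MA (or its group)
$target    = "jdoe"                                   # placeholder: sAMAccountName that fails to delete

# Well-known schema GUID of the 'user' object class (used in InheritedObjectType of ACEs).
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$deleteRights  = [System.DirectoryServices.ActiveDirectoryRights]"Delete, DeleteTree, DeleteChild, GenericAll"
$denyRights    = [System.DirectoryServices.ActiveDirectoryRights]"Delete, DeleteTree"

# 1. Delete-related rights the MA identity holds on the OU that apply to user objects.
#    The identity string is matched literally; nested group membership is not resolved here.
"== ACEs for $maAccount on $ouDn (user objects) =="
$ouAcl = Get-Acl -Path "AD:\$ouDn"
$ouAcl.Access |
    Where-Object {
        $_.IdentityReference.Value -eq $maAccount -and
        (($_.ActiveDirectoryRights -band $deleteRights) -ne 0) -and
        ($_.InheritedObjectType -eq [Guid]::Empty -or $_.InheritedObjectType -eq $userClassGuid)
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# 2. Is the target account itself flagged (AdminSDHolder via adminCount, or accidental-deletion protection)?
"== Target account flags =="
$user = Get-ADUser -Identity $target -Properties adminCount, ProtectedFromAccidentalDeletion
$user | Select-Object DistinguishedName, adminCount, ProtectedFromAccidentalDeletion | Format-List

# 3. Deny ACEs on the object covering Delete or DeleteTree. These override allow ACEs and group
#    membership, so a Domain Admin MA account still gets "Access is denied" on a delete subtree.
"== Deny ACEs on $($user.DistinguishedName) covering Delete/DeleteTree =="
$objAcl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$objAcl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.ActiveDirectoryRights -band $denyRights) -ne 0)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

    An empty first table means the MA identity has no Delete/DeleteTree ACE on user objects in that OU; a non-empty third table means the object itself carries a Deny that must be cleared (for example by turning off ProtectedFromAccidentalDeletion) before any delegation change will help.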