Wednesday, October 19, 2005

Unable to Delete Active Directory Object

Whilst doing some tests on an Active Directory to do with permissions I removed all the permissions apart from SYSTEM. This proved what I wanted to prove, but I then could not delete the object or reset its permissions etc. to tidy up my test environment.

A web search for the problem returned only one page, and its author had not solved it either. This was found here. Although they had deleted a user object and I had set permissions on an Exchange Server address list object, I think the answer may be the same.

The problem in Exchange System Manager was "The specified directory service attribute or value does not exist" and "8007200a" when I tried to delete the object. Opening ADSI Edit would not let me delete the object (which appears as a notepad icon and not the folder icon it is supposed to be). Opening the object returns "An invalid directory pathname was passed" and deleting the object returns "This folder or one of its children has one or more property sheets up. Please close the property sheet before continuing with this action."

So, taking the advice in the above link and going a few steps further, I managed to delete the object.

The key (in Windows Server 2003) is to use a command line tool called DSRM. This deletes Active Directory objects, but before the object can be deleted its permissions need to be reset using another command line tool called DSACLS.
  1. Determine the distinguished name of the object. This is easiest to do in ADSI Edit by opening the parent item and copying the value of its distinguishedName property.
  2. Paste the copied distinguished name into Notepad and prepend the name of the child object, giving a DN of the form CN=child,distinguishedname.
  3. On the command line enter DSACLS "Distinguished Name" /A. The quotes are needed if there are spaces within the distinguished name. This displays the current permissions (and owner) on the object, for your interest.
  4. Repeat the above command but replace the /A with /G Everyone:GA. This grants full control on the object to Everyone. Remember that you are deleting this item, so these permissions are only temporary. This should be successful.
  5. Finally, delete the object with DSRM "Distinguished Name" if it is a leaf object, or DSRM "Distinguished Name" -subtree if it has children. If the permission fix has worked it may also be possible to delete the object using ADSI Edit or the relevant Active Directory administration tool.
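The same five steps scripted in PowerShell, as an added example that is not from the original post: it builds the DN, records the ACL, grants Everyone:GA, checks that the grant is actually visible before attempting the delete, and only then runs DSRM. It assumes dsacls.exe and dsrm.exe are on the PATH and that it is run with Domain Admin rights; the parameter names are my own.

```powershell
# Added example, not part of the original post. Assumes dsacls.exe and dsrm.exe
# are on the PATH and the caller has rights to change ACLs in the domain.
param(
    [Parameter(Mandatory = $true)] [string] $ParentDN,  # DN copied from ADSI Edit (step 1)
    [Parameter(Mandatory = $true)] [string] $ChildCN,   # CN of the object that will not delete
    [switch] $Subtree                                  # set if the object has children
)

# Step 2: build the child's DN from its CN and the parent's DN.
$objectDN = "CN=$ChildCN,$ParentDN"
Write-Host "Target object: $objectDN"

# Step 3: capture the current ACL (owner, auditing and permissions) before changing anything,
# so there is a record of what the object looked like.
$aclBefore = & dsacls.exe $objectDN /A
if ($LASTEXITCODE -ne 0) { throw "dsacls could not read $objectDN (exit $LASTEXITCODE)" }
$aclBefore | Out-File -FilePath ".\$ChildCN.acl-before.txt"

# Step 4: temporarily grant Everyone generic all (GA). Deliberately broad, because the
# object is about to be removed; do not use this on objects you intend to keep.
& dsacls.exe $objectDN /G 'Everyone:GA'
if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed (exit $LASTEXITCODE)" }

# Re-read the ACL and confirm the grant landed before trying the delete; if it did not,
# the delete will fail with the same error as before and there is no point continuing.
$aclAfter = & dsacls.exe $objectDN
if (-not ($aclAfter -match 'Everyone')) { throw "Grant to Everyone not visible in ACL; aborting" }

# Step 5: delete. A leaf object takes the plain form; a container needs -subtree.
$dsrmArgs = @($objectDN, '-noprompt')
if ($Subtree) { $dsrmArgs += '-subtree' }
& dsrm.exe @dsrmArgs
if ($LASTEXITCODE -ne 0) { throw "dsrm failed (exit $LASTEXITCODE)" }
Write-Host "Deleted $objectDN"
```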

1 comment:

Alphatucana said...

I seem to have the same error: unable to delete a computer object (PCNAME -Unknown computer, it says) in AD - it shows as a notepad, etc., as described, and gives the same error messages. When I try to delete it with DSRM after changing permissions, it fails, saying "No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest." Any ideas?