Delete User within Custom Command and Powershell

Question

Hello,

we cannot delete users with adminCount=1 with the buildin action "Delete the user" because of missing (adminSDHolder)permission to delete users as subtree.

How can I remove a user with Powershell? Code below deletes a user in the Adaxes domain but run in error for other connected domains.

$identity = "%distinguishedName%"
Remove-AdmUser -Identity $identity -Confirm:$False

regards Helmut

Comments

Hello Helmut,

we cannot delete users with adminCount=1 with the buildin action "Delete the user" because of missing (adminSDHolder)permission to delete users as subtree

What exactly do you mean? Could you, please, post here or send us (support[at]adaxes.com) a screenshot of the error message?

Code below deletes a user in the Adaxes domain but run in error for other connected domains.

Do we understand correctly that you have multiple AD domains registered in Adaxes and the provided code only works for users in the domain of the Adaxes service account (specified during the software installation) and fails for users in other domains?

Any additional information regarding the issue will be much appreciated.

---

Hello,

thanks for the reply. In the meanwhile I found a code snipped

$Context.TargetObject.DeleteObject("ADM_DELETEOBJECTFLAGS_AUTO")

that worked in all registed domains.

regards Helmut

Answer 1

Hello Helmut,

Thank you for specifying. However, we would recommend you to make sure that accounts used to register your domains in Adaxes have all the necessary permissions in the corresponding domains including Delete Subtree. By permissions here we mean native Active Directory permissions, not the ones granted by Adaxes Security Roles. For information on how to check/change the credential of a domain account, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.ManageActiveDirectory.ManageDomains.ChangeManagedDomainLogonInfo.html.

Comments

Hello

for normal user accounts - no problem. For users with adminCount=1

• Security inheritance is disabled
• The ACL on the user/group is replaced with the ACL from the AdminSDHolder object in the System container in AD (a smaller, much more restrictive ACL)
• The adminCount attribute on the user/group is set to 1

https://specopssoft.com/blog/troubleshooting-user-account-permissions-adminsdholder/

Strategies here, from most to least recommended:

• Remove the user accounts or groups from the protected groups. Create separate dedicated admin accounts for users’ privileged access and excluding those admin accounts from self-service reset. Then clean up the original affected user accounts (this is what we recommend)
• Exclude certain groups (e.g. Account Operators) from AdminSDHolder using dsHeuristics, then proceed with user account cleanup.
• Grant the Adaxes service account permissions on all accounts affected by AdminSDHolder by updating the ACL on the AdminSDHolder object in AD. With this scenario there is no need for manual cleanup, however you now run the risk of having a service account with permissions to manipulate all of your Domain Admin and other high privilege accounts. This is NOT recommended.

Because owner of some domains still our customers, changes are not as easy as described in some MS articles.

regards Helmut

---

Hello Helmut,

for normal user accounts - no problem. For users with adminCount=1

Sorry for the confusion, but we are not sure what exactly the issue is at the moment. Do you still face error messages when deleting user accounts? If that is correct, please, post here or send us (support[at]adaxes.com) a screenshot of the error message and specify how exactly you attempt to delete users.

Grant the Adaxes service account permissions on all accounts affected by AdminSDHolder

It is not required and moreover will not work as all Ad related operations in a managed domain are performed with the credential of the account used to register the domain in Adaxes. The Adaxes service account (specified during Adaxes installation) is not used.