0 votes

Hello,

we cannot delete users with adminCount=1 with the built-in action "Delete the user" because of the missing (AdminSDHolder) permission to delete users as a subtree.

How can I remove a user with PowerShell? The code below deletes a user in the Adaxes domain but runs into an error for other connected domains.

# %distinguishedName% is an Adaxes value reference, resolved to the target user's DN before the script runs
$identity = "%distinguishedName%"
Remove-AdmUser -Identity $identity -Confirm:$False

regards Helmut

by (510 points)
0

Hello Helmut,

we cannot delete users with adminCount=1 with the built-in action "Delete the user" because of the missing (AdminSDHolder) permission to delete users as a subtree

What exactly do you mean? Could you, please, post here or send us (support[at]adaxes.com) a screenshot of the error message?

The code below deletes a user in the Adaxes domain but runs into an error for other connected domains.

Do we understand correctly that you have multiple AD domains registered in Adaxes and the provided code only works for users in the domain of the Adaxes service account (specified during the software installation) and fails for users in other domains?

Any additional information regarding the issue will be much appreciated.

0

Hello,

thanks for the reply. In the meantime I found a code snippet

$Context.TargetObject.DeleteObject("ADM_DELETEOBJECTFLAGS_AUTO")

that worked in all registered domains.

regards Helmut

1 Answer

0 votes
by (295k points)

Hello Helmut,

Thank you for specifying. However, we would recommend that you make sure the accounts used to register your domains in Adaxes have all the necessary permissions in the corresponding domains, including Delete Subtree. By permissions here we mean native Active Directory permissions, not the ones granted by Adaxes Security Roles. For information on how to check/change the credentials of a domain account, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.ManageActiveDirectory.ManageDomains.ChangeManagedDomainLogonInfo.html.

0

Hello

for normal user accounts there is no problem. For users with adminCount=1:

  • Security inheritance is disabled
  • The ACL on the user/group is replaced with the ACL from the AdminSDHolder object in the System container in AD (a smaller, much more restrictive ACL)
  • The adminCount attribute on the user/group is set to 1

https://specopssoft.com/blog/troubleshooting-user-account-permissions-adminsdholder/

Strategies here, from most to least recommended:

  • Remove the user accounts or groups from the protected groups. Create separate dedicated admin accounts for users’ privileged access and exclude those admin accounts from self-service reset. Then clean up the original affected user accounts (this is what we recommend)
  • Exclude certain groups (e.g. Account Operators) from AdminSDHolder using dsHeuristics, then proceed with user account cleanup.
  • Grant the Adaxes service account permissions on all accounts affected by AdminSDHolder by updating the ACL on the AdminSDHolder object in AD. With this scenario there is no need for manual cleanup, however you now run the risk of having a service account with permissions to manipulate all of your Domain Admin and other high privilege accounts. This is NOT recommended.

Because the owners of some domains are still our customers, changes are not as easy as described in some MS articles.

regards Helmut
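An added audit script for the first strategy listed above, not code from the thread or from Adaxes: it reports every adminCount=1 user in one registered domain, checks whether ACL inheritance is blocked on it, and flags accounts that are no longer (even transitively) in a protected group. It assumes the RSAT ActiveDirectory module, a reader account for the domain, and the approximation that "protected groups" are the groups that themselves carry adminCount=1; the domain controller name is a placeholder.

```powershell
# Added example, not code from the thread or from Adaxes. Reports every user that
# still carries the AdminSDHolder stamp (adminCount=1) in one domain, shows whether
# ACL inheritance is blocked on it, and flags accounts that are no longer in a
# protected group. "Protected group" is approximated by groups that themselves
# have adminCount=1, which SDProp sets on the protected groups.
# Assumes the RSAT ActiveDirectory module and a reader account for the domain.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping of the characters that are special inside a filter value
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-AdminCountReport {
    param(
        # Any domain controller of the registered domain to audit
        [Parameter(Mandatory)][string]$Server
    )

    $users = Get-ADUser -Server $Server -LDAPFilter '(adminCount=1)' `
        -Properties adminCount, nTSecurityDescriptor

    foreach ($u in $users) {
        $dn = ConvertTo-LdapFilterValue $u.DistinguishedName
        # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the domain controller,
        # so one query answers "is this user, directly or indirectly, in a protected group?"
        $protectedGroups = @(Get-ADGroup -Server $Server `
            -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))")

        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            DistinguishedName  = $u.DistinguishedName
            # True when SDProp has replaced the ACL and blocked inheritance (first bullet above)
            InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
            ProtectedGroups    = ($protectedGroups.Name -join '; ')
            # Orphaned accounts are the ones the first strategy cleans up after the
            # membership change; accounts still in a protected group should stay protected.
            Orphaned           = ($protectedGroups.Count -eq 0)
        }
    }
}

# Usage (placeholder DC name): list only the orphaned accounts of one registered domain.
Get-AdminCountReport -Server 'dc01.child.example.com' |
    Where-Object Orphaned | Format-Table SamAccountName, InheritanceBlocked, DistinguishedName
```

The built-in Administrator and krbtgt accounts are protected by SDProp directly rather than through group membership, so disregard them if they show up in the Orphaned column.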

0

Hello Helmut,

for normal user accounts there is no problem. For users with adminCount=1:

Sorry for the confusion, but we are not sure what exactly the issue is at the moment. Do you still face error messages when deleting user accounts? If that is correct, please, post here or send us (support[at]adaxes.com) a screenshot of the error message and specify how exactly you attempt to delete users.

Grant the Adaxes service account permissions on all accounts affected by AdminSDHolder

It is not required and moreover will not work, as all AD-related operations in a managed domain are performed with the credentials of the account used to register the domain in Adaxes. The Adaxes service account (specified during Adaxes installation) is not used.
