Scheduled task failing to delete domain admin user objects

Question

Hi

We have a couple of scheduled tasks set up to remove accounts which have been disabled for a perios of time. This works fine for normal user accounts, but we have some privileged accounts which are or have at some point been part of the domain admins groups (many domains) and which the scheduled task is reporting an access denied when it runs.

Our Adaxes service account is enterprise admin and I can manually delete these accounts through the Adaxes console.

Is there something special which needs to be done in order for Adaxes to be able to remove current and former domain admin accounts?

We're running the latest version of Adaxes

Thanks

Matt

Comments

Hello Matt,

For troubleshooting purposes, please, provide us with a screenshot of the scheduled task configuration and the error. Also, a screenshot of the delete operation execution log will be very helpful. For information on how to view it, have a look at the corresponding section of the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_ViewADOperationsPerformedViaAdaxes.htm.

You can post the screenshots here or send to us at support@adaxes.com.

---

Hi

Screen shots as requested

Scheduled task

Business unit the task runs against

Activity history of the task

And in case it helps, the task successfully removing an account which was never a domain admin

Thanks

Matt

Answer 1

Hello Matt,

The thing is that manual object deletion works differently from the one in scheduled tasks. The issue you are facing occurs because the domain service account specified in Adaxes does not have the Delete Subtree permission. By permission here we mean the native AD one, not that granted by Adaxes security roles. For information on how to check/change the domain account, see https://www.adaxes.com/help/ChangeManagedDomainServiceAccount. Delegating the permissions should fix the issue.

Comments

Thanks for the information, it makes no sense to me that Enterprise Admins don't have delete subtree for these account!

I've worked around it by adding a script to the scheduled task to grant the service account delete subtree permisison to the user before it tries to delete them. We still get an error the first time it tried to remove it, but the second time the account is deleted which works for me :)

In case anyone else runs into this, my script is

Import-Module ActiveDirectory

#Get the existing ACL for the user
$acl = get-acl -path "ad:%distinguishedName%"

#Get the details of the Adaxes service account
$user = get-aduser -identity <service account name here>
$sid = [System.Security.Principal.SecurityIdentifier] $user.SID
$identity = [System.Security.Principal.IdentityReference] $SID

#Build new ACL for the user
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "DeleteTree"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
$acl.AddAccessRule($ace)

#Set the ACL for the user
Set-acl -aclobject $acl "ad:%distinguishedName%"

---

Hello Matt,

As another option, you can try using one of the following scripts instead of the Delete the user action:

$Context.TargetObject.DeleteObject("ADM_DELETEOBJECTFLAGS_AUTO")

$Context.TargetObject.DeleteObject("ADM_DELETEOBJECTFLAGS_SUBTREE")

$Context.TargetObject.DeleteObject("ADM_DELETEOBJECTFLAGS_LEAF")