0 votes

Hi

We have a couple of scheduled tasks set up to remove accounts which have been disabled for a perios of time. This works fine for normal user accounts, but we have some privileged accounts which are or have at some point been part of the domain admins groups (many domains) and which the scheduled task is reporting an access denied when it runs.

Our Adaxes service account is enterprise admin and I can manually delete these accounts through the Adaxes console.

Is there something special which needs to be done in order for Adaxes to be able to remove current and former domain admin accounts?

We're running the latest version of Adaxes

Thanks

Matt

by (2.0k points)
0

Hello Matt,

For troubleshooting purposes, please, provide us with a screenshot of the scheduled task configuration and the error. Also, a screenshot of the delete operation execution log will be very helpful. For information on how to view it, have a look at the corresponding section of the following tutorial: https://www.adaxes.com/tutorials_ActiveDirectoryManagement_ViewADOperationsPerformedViaAdaxes.htm.

You can post the screenshots here or send to us at support@adaxes.com.

0

Hi

Screen shots as requested

Scheduled task Scheduled Task.png

Business unit the task runs against Business Unit.png

Activity history of the task Activity History.png

And in case it helps, the task successfully removing an account which was never a domain admin Successful Task.png

Thanks

Matt

1 Answer

0 votes
by (289k points)

Hello Matt,

The thing is that manual object deletion works differently from the one in scheduled tasks. The issue you are facing occurs because the domain service account specified in Adaxes does not have the Delete Subtree permission. By permission here we mean the native AD one, not that granted by Adaxes security roles. For information on how to check/change the domain account, see https://www.adaxes.com/help/ChangeManagedDomainServiceAccount. Delegating the permissions should fix the issue.

0

Thanks for the information, it makes no sense to me that Enterprise Admins don't have delete subtree for these account!

I've worked around it by adding a script to the scheduled task to grant the service account delete subtree permisison to the user before it tries to delete them. We still get an error the first time it tried to remove it, but the second time the account is deleted which works for me :)

In case anyone else runs into this, my script is

Import-Module ActiveDirectory

#Get the existing ACL for the user
$acl = get-acl -path "ad:%distinguishedName%"

#Get the details of the Adaxes service account
$user = get-aduser -identity <service account name here>
$sid = [System.Security.Principal.SecurityIdentifier] $user.SID
$identity = [System.Security.Principal.IdentityReference] $SID

#Build new ACL for the user
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "DeleteTree"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
$acl.AddAccessRule($ace)

#Set the ACL for the user
Set-acl -aclobject $acl "ad:%distinguishedName%"
+1

Hello Matt,

As another option, you can try using one of the following scripts instead of the Delete the user action:

$Context.TargetObject.DeleteObject("ADM_DELETEOBJECTFLAGS_AUTO")
$Context.TargetObject.DeleteObject("ADM_DELETEOBJECTFLAGS_SUBTREE")
$Context.TargetObject.DeleteObject("ADM_DELETEOBJECTFLAGS_LEAF")

Related questions

0 votes
1 answer

Similar to Powershell's "whatif"? I'd like to enable this scheduled task - But would like to confirm who will actually be affected before enabling this. Is there at least ... objects in the console log? I could run that before adding the 'modify' actions back.

asked Jun 25 by msinger (210 points)
0 votes
1 answer

The script create two reports of inactive workstation operating systems. The report is too detailed to run from one of the adaxes reports. Basically how can I set the script up to ... sure How I did this but I can't find it now (probably something simple).

asked Nov 30, 2022 by mightycabal (1.0k points)
0 votes
1 answer

UPDATE: Fixed this, turns out there was a request with no approver, denied the request and it works as normal now. I have a scheduled task that has been working ... ) if ([System.DateTime]::Now -lt $requestExpDate) { continue } HandleExpiredRequest($request) }

asked Jun 24, 2015 by bistromath (840 points)
0 votes
1 answer

Hello, I would like to create a custom command "Add domain user to local admin group". The powershell command to execute this is quite easy. Where I'm struggling is another ... exist. Is it possible to create such a task without a custom form? Many thanks.

asked Aug 29, 2017 by HorstR (460 points)
0 votes
1 answer

I have a scheduled task that runs the following PowerShell script. $user = New-AdmUser -Server $domain -AdaxesService localhost -Path $workdayDn -ChangePasswordAtLogon $true -PassThru - ... ) over all objects. I'm stumped! Any help would be super appreciated.

asked Sep 5 by emeisner (100 points)
3,547 questions
3,238 answers
8,232 comments
547,809 users