
Deleting AD Users with PowerShell – Why is a user not a leaf object?

I’ve been re-writing some automated processes around user account lifecycle recently, making use of the Active Directory PowerShell module on Windows Server 2012. Most recently this involved removing a large number of expired user accounts. On the first attempt of trying to remove the user objects I was receiving this error for a number of them, seemingly at random:

Remove-ADObject : The directory service can perform the requested operation only on a leaf object

So why would a user object in AD not be a leaf object? It turns out that when a user connects a device to Exchange with EAS, there’s an AD object created for that device inside the user object and that is what is stopping the user being a leaf object.

You might search for this and find advice on using Remove-ActiveSyncDevice before you remove the user. The trouble with that is that if you’ve got multiple versions of Exchange running in your org, then you might find that you can’t remove the ActiveSyncDevice for all your users with the same method.

It doesn’t matter anyway because the point is that the user isn’t a leaf; it has turned into a container, so what do you need to do to delete a container? Simply do a recursive remove. In the case of what I’ve been doing, this does the job:

# Cut-off date: accounts whose expiry is more than 30 days in the past
$30daysago = (get-date).AddDays(-30)
# Remove-ADObject rather than Remove-ADUser so -Recursive can take the
# ActiveSync device objects nested under the user along with it.
# Remove-ADObject prompts for confirmation by default; add -WhatIf for a dry run.
Get-ADUser -filter {accountexpirationdate -lt $30daysago} | Remove-ADObject -Recursive
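Before running a recursive delete it is worth knowing exactly which expired accounts have become containers and what is nested under them, since -Recursive will remove every child object without asking. The script below is an added example, not code from the original post: it uses the same 30-day threshold, lists the child objects under each expired user with Get-ADObject, applies a belt-and-braces guard so accounts with no expiry date (AccountExpirationDate is $null for those) can never be picked up, and does a -WhatIf dry run before anything is deleted. It assumes the ActiveDirectory module is available and that the account running it has delete rights on the users in question.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed and the caller may delete the user objects concerned.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-30)   # same 30-day threshold as the post

# Pull the candidate set with the post's filter, then re-check client-side:
# an account that never expires has AccountExpirationDate = $null, and this
# guard makes sure such accounts can never end up in the delete set.
$expired = Get-ADUser -Filter { AccountExpirationDate -lt $cutoff } -Properties AccountExpirationDate |
    Where-Object { $null -ne $_.AccountExpirationDate -and $_.AccountExpirationDate -lt $cutoff }

# For each candidate, look one level below the user's DN. Any object found there
# (e.g. msExchActiveSyncDevices and its msExchActiveSyncDevice children) is what
# turns the user into a container and triggers the "only on a leaf object" error.
$report = foreach ($u in $expired) {
    $children = @(Get-ADObject -SearchBase $u.DistinguishedName -SearchScope OneLevel -Filter * -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Expired        = $u.AccountExpirationDate
        IsLeaf         = ($children.Count -eq 0)
        ChildCount     = $children.Count
        ChildClasses   = ($children.ObjectClass | Sort-Object -Unique) -join ','
    }
}

# Review what would be deleted, containers first
$report | Sort-Object ChildCount -Descending | Format-Table -AutoSize

# Dry run: shows each object Remove-ADObject -Recursive would remove, deletes nothing
$expired | Remove-ADObject -Recursive -WhatIf

# Only after reviewing the report and the dry run, remove -WhatIf. Remove-ADObject
# still prompts per object unless you also pass -Confirm:$false.
# $expired | Remove-ADObject -Recursive
```

The report is the useful artefact here: keeping it (Export-Csv works fine on $report) gives you a record of which accounts were containers and what was nested under them at deletion time, which is exactly the question that comes up later when someone asks why a device record disappeared.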

First taste of FIM

I’ve spent two days this week at Microsoft’s UK HQ at Thames Valley Park at an Identity Management event run by Oxford Computer Group – basically learning about Forefront Identity Manager (FIM) 2010 (and 2010 R2). It also gave me the opportunity to catch up with some old friends and make some new ones, which is always good.

My knowledge of FIM prior to this was based almost entirely on a collection of FIM Ramp Up videos on the TechNet site, although I have a reasonable amount of experience of the challenges around Identity Management, having helped develop the in-house solution we use at Newcastle University today. Actually, it was nice to discover that the way FIM does a lot of things is very similar to the way that we designed our system all those years ago.

During the two days there were several instances where people would ask how something could be achieved with FIM. If the solution wasn’t built-in, the answer was typically “buy 3rd party companion product x, or use PowerShell”. That didn’t come as a surprise to me, but it underlined once again that if you have a bit of PowerShell knowledge, it can really save you some money.

Yes, there are some costs involved with learning PowerShell, but it’s mainly time (especially if you take advantage of all the free resources that the community has produced), and the skills that you learn will be transferable to a long and growing list of other technologies. You’re going to get the time you spend learning PowerShell back many times over (and frankly, if you don’t have those skills you’re going to be increasingly replaceable in the future).

It’s not yet certain that we’re going to be implementing FIM (we’ll certainly be waiting until FIM 2010 R2 next year if we do), but the ability to extend its functionality with PowerShell, reducing the need for hardcore development or consultancy, definitely goes in its favour.

If you’re also new to FIM, the Microsoft Forefront Identity Manager 2010 Technical Overview is a really good place to start (thanks to Mark Parris for his blog post pointing me to that), as well as those TechNet Ramp Up videos.