Cannot Deprovision AD user with nested leaf objects
We are running FIM 2010 4.0.3594.2, with an Active Directory Management Agent configured with Exchange 2010. The AD MA is configured to deprovision a user after X amount of days via coded provisioning rules. This works for all users except those that have an Exchange ActiveSync device (used for mobile connectivity). I noticed that on specific users deprovisioning fails with an error: "The directory service can perform the requested operation only on a leaf object." This is due to the fact that their ActiveSync device is created as a container object under their user object. Therefore user "cn=Smith, Paul" might have a container object "CN=ExchangeActiveSyncDevices" which then has entries for each paired device. Is there a setting I can set to force the AD MA to delete user objects and their nested objects? Just like how there is a "Configure Provisioning Hierarchy", you would think there would be a deprovisioning hierarchy that could be set as well. Currently, we don't want FIM to manage ActiveSync devices, as I realize that could be a solution.
February 23rd, 2012 11:31am

I've seen this as well, though not consistently. I had theorized that there was a permissions issue on the ActiveSync device object container but never followed through.
My Book - Active Directory, 4th Edition My Blog - www.briandesmond.com
February 23rd, 2012 11:57am

I don't know why I didn't think about checking the permissions of the child container. After looking I noticed that the MA account has rights to delete the user but not the nested Active Sync device. I'll look into it more and post my findings. Thanks!
February 23rd, 2012 12:09pm

Hi! Have you found a solution to this problem yet? I have the same problem.
Peter Kalvik
March 13th, 2012 11:02am

The AD MA account now has permissions to remove both msExchangeActiveSyncDevices and msExchangeActiveSyncDevice. However, we still get the "The directory service can perform the requested operation only on a leaf object." error while trying to run an Export that contains a delete. Is it possible at all to remove objects that are nested? Seems like this process was thought of while "Provisioning" but not necessarily for De-provisioning.
March 13th, 2012 5:18pm

In essence, FIM talks to AD via LDAP, and AD LDAP does not allow the deletion of any object that has child objects. I suspect you'd have to make FIM aware of the child objects, and to stage deletes on them as well (but this would not be easy or pleasant to do within FIM). Perhaps the FIM product team will update the AD MA to issue user deletions with the LDAP Subtree Delete control, now that we have a profusion of ActiveSync data.

A solid workaround would be to have FIM move the object to "OU=Pending Deletion" or the like, and carry out the actual deletion via post-processing script. In fact this would be my preference even if FIM knew how to delete child objects, as inactivating objects and deleting them after 3-6 months is often *much* more practical than immediate deletion.
--Steve
March 14th, 2012 3:42pm
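The post-processing script for the "OU=Pending Deletion" workaround described in the reply above, written as an added example rather than code from the thread or from FIM. It assumes FIM has already disabled the user and moved it into a holding OU, and that the OU name, retention period and domain controller shown are placeholders. The delete uses Remove-ADObject -Recursive, which removes the user together with descendants such as CN=ExchangeActiveSyncDevices in one operation, so the "only on a leaf object" error does not occur; each subtree is listed before deletion so the run log records exactly what was removed.

```powershell
# Added example: sweep the holding OU and delete users whose retention period has passed.
# The OU, retention period and DC are assumptions; adjust to the environment.
Import-Module ActiveDirectory

$PendingOU        = "OU=Pending Deletion,DC=example,DC=com"   # assumed holding OU
$RetentionDays    = 90                                        # assumed retention period
$DomainController = "dc01.example.com"                        # assumed DC
$Cutoff           = (Get-Date).AddDays(-$RetentionDays)

# Assumption: whenChanged is refreshed when FIM moves the object into the OU, so it
# serves as the "entered holding" timestamp. If your process stamps its own attribute
# (e.g. a date in extensionAttribute1), filter on that instead.
$candidates = Get-ADUser -SearchBase $PendingOU -SearchScope OneLevel `
    -Filter { Enabled -eq $false } -Properties whenChanged -Server $DomainController |
    Where-Object { $_.whenChanged -lt $Cutoff }

foreach ($user in $candidates) {
    # Enumerate descendants first so the log shows what the subtree delete will remove.
    $children = @(Get-ADObject -SearchBase $user.DistinguishedName -SearchScope Subtree `
        -Filter * -Server $DomainController |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })

    Write-Output ("Deleting {0} (last changed {1:u}) with {2} child object(s)" -f `
        $user.DistinguishedName, $user.whenChanged, $children.Count)
    foreach ($child in $children) {
        Write-Output ("  child: {0} [{1}]" -f $child.DistinguishedName, $child.ObjectClass)
    }

    # -Recursive deletes the object and every descendant. Without it, a user that still
    # owns an ExchangeActiveSyncDevices container fails with the leaf-object error.
    Remove-ADObject -Identity $user.DistinguishedName -Recursive -Confirm:$false `
        -Server $DomainController
}
```

Run it from a scheduled task under an account that holds delete rights on the holding OU and its descendants; the MA account itself does not need those rights, since FIM only performs the move. If "Protect object from accidental deletion" is set on the users, clear it before the delete or the sweep will fail on those objects.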

Any updates on this issue? I'm curious if anyone has been able to resolve it or configure a work-around?
July 10th, 2012 12:34pm

If I remember correctly, I think I was told from Microsoft Support that this would be addressed in FIM 2010 R2 (update 1?). As Steve Kradel posted above, that is a possible workaround for this problem. However, I simply chose not to increase the complexity of deprovisioning so I have our Exchange / AD guys manually remove the ActiveSync object / AD Account which makes the error go away since it is the deletion that is causing this problem.
July 11th, 2012 10:17am

There are several ways to address this using FIM:
- You could create a custom workflow activity that deletes the ActiveSync object for the target AD user when some attribute in the portal, such as status, etc., is flagged.
- Using the sync engine, you should be able to make another MA that connects to the same AD org and have it process ONLY ActiveSync objects. Perhaps there is an attribute in the ActiveSync object, or one could be created, which links it to the user object in the MV. You could then have this MA be triggered and delete the ActiveSync objects. You would then run the user AD MA afterwards, ensuring that user objects would be deleted after their child objects.
July 11th, 2012 11:35pm

I've had the same problem, and I solved it with custom code that runs a PowerShell script at a certain point of the object lifecycle. The script looks more or less like this:

    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
    Get-ActiveSyncDevice -Mailbox $login -DomainController cerndc20.cern.ch | % { Remove-ActiveSyncDevice $_ -Confirm:$false }

Maybe you could create a custom activity that does the same before an object gets deleted. I think that when ActiveSync devices are created, Exchange explicitly sets some permissions on them. I tried assigning the MA account all possible permissions on those objects, but I was still getting permission issues.
Cheers, Paolo
Paolo Tedesco - http://cern.ch/idm
July 12th, 2012 3:21am
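A fuller version of the pre-delete step in the post above, added here as an example and not taken from the thread or from CERN's code. It removes the user's ActiveSync devices through the Exchange cmdlets (which run with Exchange's own rights, sidestepping the device ACLs the post mentions), then checks that nothing remains under the user object before FIM's export carries the delete. The function name, parameter names and domain controller are assumptions; the Exchange snap-in and cmdlets are the ones the post uses.

```powershell
# Added example: clear ActiveSync child objects, then verify the user is a leaf object.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction Stop
Import-Module ActiveDirectory

function Clear-ActiveSyncChildren {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,   # any mailbox identity (alias, DN, UPN)
        [string]$DomainController = "dc01.example.com"   # assumed DC, so AD and Exchange see the same replica
    )

    $user = Get-ADObject -Filter { mailNickname -eq $Mailbox } -Server $DomainController
    if (-not $user) {
        Write-Warning "No AD object found for mailbox '$Mailbox'"
        return $false
    }

    # Remove each paired device via Exchange rather than a raw LDAP delete.
    $devices = @(Get-ActiveSyncDevice -Mailbox $Mailbox -DomainController $DomainController)
    foreach ($device in $devices) {
        Write-Output ("Removing ActiveSync device {0} ({1})" -f $device.DeviceId, $device.DeviceType)
        Remove-ActiveSyncDevice -Identity $device.Identity -DomainController $DomainController -Confirm:$false
    }

    # Assumption: the CN=ExchangeActiveSyncDevices container may remain after its last
    # device is gone; an empty container still makes the user a non-leaf object.
    $container = Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel `
        -Filter { Name -eq "ExchangeActiveSyncDevices" } -Server $DomainController
    if ($container) {
        $inside = @(Get-ADObject -SearchBase $container.DistinguishedName -SearchScope OneLevel `
            -Filter * -Server $DomainController)
        if ($inside.Count -eq 0) {
            Write-Output ("Removing empty container {0}" -f $container.DistinguishedName)
            Remove-ADObject -Identity $container.DistinguishedName -Confirm:$false -Server $DomainController
        }
    }

    # Anything left below the user would reproduce the "only on a leaf object" error.
    $remaining = @(Get-ADObject -SearchBase $user.DistinguishedName -SearchScope Subtree `
        -Filter * -Server $DomainController |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })
    if ($remaining.Count -gt 0) {
        foreach ($obj in $remaining) {
            Write-Warning ("Still present under user: {0} [{1}]" -f $obj.DistinguishedName, $obj.ObjectClass)
        }
        return $false
    }
    return $true
}

# Usage (constructed value): only let the deprovisioning export run when this returns $true.
# Clear-ActiveSyncChildren -Mailbox "psmith"
```

Returning $false rather than throwing lets a calling workflow or scheduled job skip that user and log the leftover objects, instead of failing the whole export the way the MA does today.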
