FIM 2010 R2 - It is not possible to delete a user (Error: permission-issue, Error code: 5, Access denied)

We have several domains to manage for our customers, so we have installed "FIM 2010 R2" to manage our admin accounts. But if I now try to delete a user, by deleting it from the "User Set", I get this error (please note the screenshot) after synchronization.

Error

Running management agent: AD MA xyz
Error: Permission-issue
Latest occurrence: 07.05.2015 15:30:06
Initial occurrence: 07.05.2015 11:07:22
Retry count: 15
Connected data source error code: 5
Connected data source error: Access is denied.


I don't get any more information about this error, neither in the eventvwr nor in the FIM panel.

Maybe someone knows more about this issue; I would be very thankful for help solving this problem.

If more information is needed, let me know what kind.

Thank you

May 7th, 2015 10:32am

This means that the account that the AD MA runs under does not have the right to delete this object. The AD admin account may have extra security.

May 7th, 2015 10:53am

Hi,

This is clearly a privilege issue for the Active Directory Management Agent account.

Whatever account you are using in your ADMA should have equivalent or higher privileges in Active Directory than the accounts you are trying to delete.

May 8th, 2015 6:54am

Hi,

I have the same problem as mala1988 when trying to delete an AD admin account via the FIM Active Directory Management Agent. (Error: Permission-issue / Access is denied.)

But I have no problems deleting the user manually via the AD GUI with the same user ID that the FIM AD MA is configured with.

I'm using the newest FIM version, 4.1.3646.0.

August 17th, 2015 3:33am

The AD MA attempts a delete subtree rather than deleting the single object, which is what Active Directory Users & Computers does.

Check the account configured in the AD MA has the delete sub-tree permission on the user.

August 24th, 2015 6:10am

The account configured in the AD MA is domain admin.

The account I'm attempting to delete has no subtree.

August 24th, 2015 11:13am

The issue is with the account being deleted. These accounts are protected from being accidentally deleted. As it stands, you will not be able to delete it via FIM. 
August 24th, 2015 11:15am

OK, probably a different problem if it is a domain admin with permissions to delete.

Even if the user object doesn't have any children, FIM will still do a delete subtree. It is for cases where there are ActiveSync objects under the user, etc.

August 24th, 2015 11:16am

Additionally, I'd suggest looking at the value of the AdminCount attribute of the affected account, as that might be the case.
August 26th, 2015 4:17am

I changed the AdminCount attribute value from 1 to 0, but I am still not able to delete the AD admin account with FIM.

Is it true that I'm not able to delete an AD admin account through the standard AD MA with FIM?

(The account configured in the AD MA is a Domain Admin account.)
  • Edited by fairtec 22 hours 10 minutes ago
August 26th, 2015 5:06am

I just ran into this as well. Marc Hancock's suggestion was the one that did it for me: make sure Delete Subtree permissions are granted to the AD MA account.

I've always used the approach where the AD MA account has Create Child, Delete Child (user) permissions. But somehow this isn't enough. A move works, but a delete doesn't... Not sure if FIM 2010 behaves differently from FIM 2010 R2.

That's how Paul Williams describes it as well: http://blog.msresource.net/2011/12/07/delegating-the-minimum-set-of-permissions-for-user-provisioning/

But for deleting a user this seems to be insufficient. After granting Delete Subtree, FIM is now able to delete the user. Here's how I did this using dsacls.

dsacls "OU=Disabled Users,DC=Contoso,DC=com" /I:S /G CONTOSO\UserAdmins:SDDT;;user

September 9th, 2015 8:49am
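The thread ends with two diagnoses: the target account is stamped by AdminSDHolder (adminCount) or otherwise protected from deletion, and the AD MA account lacks the Delete Subtree right that FIM's delete uses. The following PowerShell is an added example, not code from the thread or from FIM, that checks both conditions against a given account and OU; the ActiveDirectory module is assumed, and the OU, group and account names are placeholders taken from the dsacls line above.

```powershell
# Added example (not from the thread): verify the two conditions discussed above
# before changing FIM. Assumes the ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

# schemaIDGUID of the "user" object class, fixed across all forests
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Test-AdminProtectedAccount {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties adminCount, ProtectedFromAccidentalDeletion
    # adminCount=1 means SDProp has applied the AdminSDHolder ACL to this object.
    # Setting it back to 0 by hand does not help: SDProp re-stamps the object
    # every cycle as long as the account is still a member of a protected group.
    # ProtectedFromAccidentalDeletion adds a Deny Delete/DeleteTree ACE for Everyone.
    [pscustomobject]@{
        Account                 = $u.SamAccountName
        AdminCount              = $u.adminCount
        ProtectedFromAccidental = $u.ProtectedFromAccidentalDeletion
    }
}

function Test-DeleteTreeDelegation {
    param([string]$OuDn, [string]$Principal)
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Look for an Allow ACE granting DeleteTree (dsacls "DT") that applies to
    # descendant user objects (or to all descendant classes, InheritedObjectType empty).
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree) -and
        ($_.InheritedObjectType -eq $userClassGuid -or $_.InheritedObjectType -eq [Guid]::Empty)
    }
    [bool]$match
}

# Placeholder values: replace with the account FIM fails to delete, the OU it lives in,
# and the group (or account) the AD MA runs as.
Test-AdminProtectedAccount -SamAccountName 'account-to-delete'
Test-DeleteTreeDelegation -OuDn 'OU=Disabled Users,DC=Contoso,DC=com' -Principal 'CONTOSO\UserAdmins'
```

If the first function reports AdminCount 1, fix group membership rather than the attribute; if the second returns False, the dsacls grant in the post above (SD and DT on user objects, inherited) is the missing piece.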