North East Bytes - a Microsoft technology usergroup in North East England.

Friday, Mar 22, 2013

Deleting AD Users with PowerShell - Why is a user not a leaf object?

I've been re-writing some automated processes around user account lifecycle recently, making use of the Active Directory PowerShell module on Windows Server 2012. Most recently this involved removing a large number of expired user accounts. On my first attempt to remove the user objects, I received this error for a number of them, seemingly at random:

Remove-ADObject : The directory service can perform the requested operation only on a leaf object

So why would a user object in AD not be a leaf object? It turns out that when a user connects a device to Exchange with Exchange ActiveSync (EAS), an AD object is created for that device inside the user object, and that is what stops the user from being a leaf object.

You might search for this and find advice on using Remove-ActiveSyncDevice before you remove the user. The trouble with that is that if you've got multiple versions of Exchange running in your org, then you might find that you can't remove the ActiveSyncDevice for all your users with the same method.

It doesn't matter anyway because the point is that the user isn't a leaf; it's a container that now has child objects, so what do you need to do to delete a container? Simply do a recursive remove. In the case of what I've been doing, this does the job:

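# Cut-off date: 30 days before now
$30daysago = (Get-Date).AddDays(-30)
# Find accounts whose expiration date is before the cut-off and delete each one together with its child objects
Get-ADUser -Filter {AccountExpirationDate -lt $30daysago} | Remove-ADObject -Recursive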
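Because a recursive remove deletes everything nested under each user, it is worth recording what those child objects are before running it across many accounts. The following is an added example, not part of the original post: it inventories the objects under each expired user and then does a dry run with -WhatIf. The report path and variable names are assumptions.

```powershell
Import-Module ActiveDirectory

# Same selection as the post: accounts that expired more than 30 days ago
$cutoff  = (Get-Date).AddDays(-30)
$expired = Get-ADUser -Filter { AccountExpirationDate -lt $cutoff }

# Build one report row per user, listing what sits underneath the user object
$report = foreach ($user in $expired) {
    # A Subtree search returns the base object too, so filter out the user itself
    $children = @(
        Get-ADObject -SearchBase $user.DistinguishedName -SearchScope Subtree -Filter * |
            Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    )

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        DistinguishedName = $user.DistinguishedName
        ChildCount        = $children.Count
        # Distinct object classes found under the user (empty string if none)
        ChildClasses      = ($children.ObjectClass | Sort-Object -Unique) -join ';'
        ChildDNs          = ($children.DistinguishedName) -join ' | '
    }
}

# Keep a record of what is about to be removed (path is an assumption)
$reportPath = Join-Path $env:TEMP 'expired-users-children.csv'
$report | Export-Csv -Path $reportPath -NoTypeInformation

# Show only the users that would have failed a non-recursive delete
$report |
    Where-Object { $_.ChildCount -gt 0 } |
    Format-Table SamAccountName, ChildCount, ChildClasses -AutoSize

# Dry run: prints what would be removed without changing the directory
$expired | Remove-ADObject -Recursive -WhatIf

# After reviewing the report, run the real delete:
# $expired | Remove-ADObject -Recursive -Confirm:$false
```

Any object class in the report that you do not recognise is a reason to look at that account individually before deleting it.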


Reader Comments (2)

User objects are always container type objects, they just don't always contain other objects. :)

March 22, 2013 | Unregistered Commenter joe

Thanks Joe, I've edited the post to make it clearer. They are always containers, but they are often empty.

March 22, 2013 | Registered Commenter jonoble