0 votes

Hello,

We cannot delete users with adminCount=1 with the built-in action "Delete the user" because of a missing (AdminSDHolder) permission to delete users as a subtree.

How can I remove a user with PowerShell? The code below deletes a user in the Adaxes domain but runs into an error for other connected domains.

# %distinguishedName% is a value reference that Adaxes resolves before the script runs
$identity = "%distinguishedName%"
Remove-AdmUser -Identity $identity -Confirm:$False

regards Helmut

by (1.5k points)
0

Hello Helmut,

We cannot delete users with adminCount=1 with the built-in action "Delete the user" because of a missing (AdminSDHolder) permission to delete users as a subtree.

What exactly do you mean? Could you, please, post here or send us (support[at]adaxes.com) a screenshot of the error message?

The code below deletes a user in the Adaxes domain but runs into an error for other connected domains.

Do we understand correctly that you have multiple AD domains registered in Adaxes and the provided code only works for users in the domain of the Adaxes service account (specified during the software installation) and fails for users in other domains?

Any additional information regarding the issue will be much appreciated.

0

Hello,

thanks for the reply. In the meantime I found a code snippet

$Context.TargetObject.DeleteObject("ADM_DELETEOBJECTFLAGS_AUTO")

that worked in all registered domains.

regards Helmut

1 Answer

0 votes
by (189k points)

Hello Helmut,

Thank you for specifying. However, we would recommend that you make sure that the accounts used to register your domains in Adaxes have all the necessary permissions in the corresponding domains, including Delete Subtree. By permissions here we mean native Active Directory permissions, not the ones granted by Adaxes Security Roles. For information on how to check/change the credentials of a domain account, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.ManageActiveDirectory.ManageDomains.ChangeManagedDomainLogonInfo.html.

0

Hello

For normal user accounts there is no problem. For users with adminCount=1:

  • Security inheritance is disabled
  • The ACL on the user/group is replaced with the ACL from the AdminSDHolder object in the System container in AD (a smaller, much more restrictive ACL)
  • The adminCount attribute on the user/group is set to 1

https://specopssoft.com/blog/troubleshooting-user-account-permissions-adminsdholder/

Strategies here, from most to least recommended:

  • Remove the user accounts or groups from the protected groups. Create separate dedicated admin accounts for users' privileged access and exclude those admin accounts from self-service reset. Then clean up the original affected user accounts (this is what we recommend).
  • Exclude certain groups (e.g. Account Operators) from AdminSDHolder using dsHeuristics, then proceed with user account cleanup.
  • Grant the Adaxes service account permissions on all accounts affected by AdminSDHolder by updating the ACL on the AdminSDHolder object in AD. With this scenario there is no need for manual cleanup, however you now run the risk of having a service account with permissions to manipulate all of your Domain Admin and other high privilege accounts. This is NOT recommended.

Because the owners of some domains are still our customers, changes are not as easy as described in some MS articles.

regards Helmut
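The three AdminSDHolder effects and the cleanup step listed above, together with the answer's advice to verify that the domain registration account holds native Delete/Delete Subtree rights, as an added PowerShell example written for this page (it is not code from the thread, from Adaxes or from the Specops post). It assumes the RSAT ActiveDirectory module, a DC name dc01.corp.example and the default set of SDProp-protected groups; both are assumptions to adjust. For every adminCount=1 user it reports whether the account is still a nested member of a protected group, whether inheritance is blocked, and which identities hold an explicit Delete or DeleteTree ACE on the object (the ACL copied from AdminSDHolder); with -Repair it clears adminCount and re-enables inheritance on orphaned accounts only.

```powershell
# Added example (not from this thread, Adaxes or Specops): audit AdminSDHolder-protected
# users in one domain, show who may delete each of them, flag "orphans" (adminCount=1 but
# no longer in any protected group) and optionally clean those orphans up.
# Needs the RSAT ActiveDirectory module. $Server is an assumed DC name; the group list is
# the default SDProp-protected set before any dSHeuristics exclusions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Server = "dc01.corp.example",   # assumed: a DC of the domain to audit
    [switch]$Repair                           # clear adminCount + re-enable inheritance on orphans
)

Import-Module ActiveDirectory

$inChain = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN: evaluates nested membership
$protectedGroups = "Administrators","Domain Admins","Enterprise Admins","Schema Admins",
                   "Account Operators","Backup Operators","Print Operators",
                   "Server Operators","Replicator"
$alwaysProtected = "krbtgt","Administrator"  # stamped by SDProp regardless of group membership
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete,DeleteTree'

# 1. Users that are legitimately protected: nested members of a protected group.
#    Enterprise/Schema Admins exist only in the forest root, so groups that do not resolve
#    in this domain are skipped. Membership via primaryGroupID is not visible in memberOf
#    and is deliberately ignored here.
$protectedMembers = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)" -Server $Server -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADUser -LDAPFilter "(memberOf:$inChain:=$($grp.DistinguishedName))" -Server $Server |
        ForEach-Object { [void]$protectedMembers.Add($_.DistinguishedName) }
}

# 2. Every user SDProp has stamped, with its security descriptor.
$stamped = Get-ADUser -LDAPFilter "(adminCount=1)" -Server $Server -Properties adminCount, nTSecurityDescriptor

$report = foreach ($u in $stamped) {
    $sd = $u.nTSecurityDescriptor
    # Explicit Allow ACEs carrying Delete or DeleteTree. Inheritance is blocked on these
    # objects, so this list is effectively the AdminSDHolder ACL: if the account used to
    # register the domain in Adaxes (or one of its groups) is not in it, "Delete the user" fails.
    $deleters = $sd.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ([int]($_.ActiveDirectoryRights -band $deleteRights) -ne 0) } |
        Select-Object -ExpandProperty IdentityReference -Unique
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        StillProtected     = $protectedMembers.Contains($u.DistinguishedName) -or ($alwaysProtected -contains $u.SamAccountName)
        InheritanceBlocked = $sd.AreAccessRulesProtected
        CanDelete          = ($deleters | ForEach-Object { $_.Value }) -join '; '
    }
}

# 3. Optional cleanup of orphans. SDProp only ever stamps and never reverts, so an account
#    removed from a protected group keeps adminCount=1 and the locked-down ACL until both
#    are reset by hand. Done over ADSI against $Server so it works for a non-default domain.
if ($Repair) {
    foreach ($r in $report | Where-Object { -not $_.StillProtected }) {
        if ($PSCmdlet.ShouldProcess($r.DistinguishedName, "Clear adminCount and re-enable ACL inheritance")) {
            Set-ADUser -Identity $r.DistinguishedName -Clear adminCount -Server $Server
            $entry = [ADSI]"LDAP://$Server/$($r.DistinguishedName)"
            $entry.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)  # inherit again, keep explicit ACEs
            $entry.psbase.CommitChanges()
        }
    }
}

$report | Sort-Object StillProtected, SamAccountName |
    Format-Table SamAccountName, StillProtected, InheritanceBlocked, CanDelete -AutoSize
```

Run it read-only first; -Repair honours -WhatIf. The script never touches the AdminSDHolder object itself, so it does not grant any service account rights over all protected users, which is the option the comment above rejects.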

0

Hello Helmut,

For normal user accounts there is no problem. For users with adminCount=1:

Sorry for the confusion, but we are not sure what exactly the issue is at the moment. Do you still face error messages when deleting user accounts? If that is correct, please, post here or send us (support[at]adaxes.com) a screenshot of the error message and specify how exactly you attempt to delete users.

Grant the Adaxes service account permissions on all accounts affected by AdminSDHolder

It is not required and, moreover, will not work, as all AD-related operations in a managed domain are performed with the credentials of the account used to register the domain in Adaxes. The Adaxes service account (specified during Adaxes installation) is not used.
