0 votes

Hi,

Since I upgraded my Adaxes services to 2014.1, my custom command used to delete users (after deprovisioning) fails.

Please find below the error from the event log after running the custom command with the Adaxes service account (with full rights) or other admin accounts.

Softerra.Adaxes.CommandPipeline.CommandProcessingException: The following command threw an exception while being executed: Delete 'CHAUMONT, Helene (eu.loi.net\EU01-France\Locations\Manosque\Users)'. ---> Softerra.Adaxes.Adsi.DirectoryComException (0x80070005): Access is denied. (Server: eu.loi.net) ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
at #F.#eq.SendDirectoryRequest(ILdapConnection connection, DirectoryRequest request, ReferralChasingOptions referralChasing, TimeSpan clientTimeout, IDirectoryRequestErrorHandler errorHandler)
at #F.#eq.SendDirectoryRequest(NtdsDirectoryIdentifier directoryId, ADS_AUTHENTICATION_ENUM authOptions, DirectoryRequest request, ReferralChasingOptions referralChasing, TimeSpan clientTimeout, IDirectoryRequestErrorHandler errorHandler)
at #F.#eq.SendDirectoryRequest(NtdsDirectoryIdentifier directoryId, ADS_AUTHENTICATION_ENUM authOptions, DirectoryRequest request, ReferralChasingOptions referralChasing, TimeSpan clientTimeout, IDirectoryRequestErrorHandler errorHandler)
at Softerra.Adaxes.Adsi.AdmObject.SendDirectoryRequest(DirectoryRequest request, ReferralChasingOptions referralChasing)
at Softerra.Adaxes.Adsi.AdmObject.DeleteEntry(Boolean deleteSubtree)
at Softerra.Adaxes.CommandPipeline.Actions.DeleteObjectAction.ExecuteAction(IAdmTop targetObject)
at Softerra.Adaxes.CommandPipeline.Actions.ActionBase.Execute(IAdmTop targetObjectArg)
at Softerra.Adaxes.CommandPipeline.Actions.ActionBase.Execute(ICommand command)
--- End of inner exception stack trace ---

Thanks in advance for your help.
Regards

by (740 points)
0

Hello,

How do you delete the user? Do you use the default Business Rule action or in a PowerShell script, for example? Can you send us or post here a screenshot of your Business Rule?

0

Hi,

I'm using the built-in action "Delete the user". The action is launched by a Scheduled Task.

I just tried to do the same with a PowerShell script (executed by the service account) and it works well.

https://drive.google.com/file/d/0B7-4lG ... sp=sharing
https://drive.google.com/file/d/0B7-4lG ... sp=sharing

Regards

1 Answer

0 votes
by (216k points)

The thing is that there are three modes of deleting objects in Active Directory:

  • delete as a leaf,
  • delete as subtree,
  • automatic mode, where Active Directory first tries to delete an object as a leaf, and then as a subtree.

For more information, you can, for example, take a look at the following article in our SDK: http://www.adaxes.com/sdk/?ADM_DELETEOB ... _ENUM.html.

Since user accounts can have child objects, Adaxes always attempts to delete users as a subtree, while in your script, you are most probably deleting the user as a leaf or using the automatic mode, and deleting the user as a leaf succeeds.

Since deleting as a leaf and deleting as a subtree are considered to be different operations, different permissions are required in AD for these operations. Most probably, the account that you used to register the domain in Adaxes is granted the permission to delete the user as a leaf, but not as a subtree. To remedy the issue, try granting the account appropriate permissions to delete users as subtree in Active Directory.
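The distinction above (Delete versus Delete Subtree being separate rights in the object's security descriptor) can be verified from PowerShell before touching any permissions. The script below is an added example, not Adaxes' own code or part of the original answer: it reads the ACL of a user object through the ActiveDirectory module's AD: drive, expands the account's nested group membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, and reports whether the Delete and DeleteTree bits are allowed or denied for that account. A second function grants both rights on an OU, inherited only to descendant user objects, which is the narrowest form of the fix the answer suggests. The DN, OU and account names are placeholders, and the script assumes the ActiveDirectory module and read access to the objects' security descriptors.

```powershell
# Added example (not Adaxes' code). Assumes the ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-EffectiveSids {
    # Returns the SIDs an account carries: its own, all nested groups, and the well-known
    # Everyone / Authenticated Users SIDs that appear in every token.
    param([Parameter(Mandatory)][string]$Account)
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$Account'" -Properties objectSid
    if (-not $principal) { throw "Account '$Account' not found" }
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: transitive membership in one query
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($principal.DistinguishedName))"
    $sids = @($principal.objectSid.Value) + @($groups | ForEach-Object { $_.SID.Value })
    $sids += 'S-1-1-0', 'S-1-5-11'
    return $sids
}

function Test-DeletePermission {
    # Reports whether $Account holds Delete (leaf) and DeleteTree (subtree) on the object at $UserDN.
    param([Parameter(Mandatory)][string]$UserDN, [Parameter(Mandatory)][string]$Account)
    $sids = Get-EffectiveSids -Account $Account
    $acl = Get-Acl -Path "AD:\$UserDN"
    $result = [ordered]@{ Delete = $false; DeleteTree = $false; Denied = @() }
    foreach ($ace in $acl.Access) {
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # an unresolvable trustee cannot be one of our principal's SIDs
        if ($sids -notcontains $aceSid) { continue }
        # GenericAll and the explicit Delete/DeleteTree bits are both caught by the bitwise test
        foreach ($right in 'Delete', 'DeleteTree') {
            if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::$right) {
                if ($ace.AccessControlType -eq 'Allow') { $result[$right] = $true }
                else { $result.Denied += "$right denied via $($ace.IdentityReference)" }
            }
        }
    }
    [pscustomobject]$result
}

function Grant-DeleteTreeOnUsers {
    # Allows Delete + DeleteTree for $Account on user objects below $OuDN only (least privilege:
    # the ACE is inherited to descendant objects of the 'user' class, not to the OU itself).
    param([Parameter(Mandatory)][string]$OuDN, [Parameter(Mandatory)][string]$Account)
    $sid = (Get-ADObject -Filter "sAMAccountName -eq '$Account'" -Properties objectSid).objectSid
    $userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'user' class
    $ruleArgs = @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree',
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid
    )
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Placeholders: substitute the DN of a user that fails to delete and the sAMAccountName of the
# account configured for the domain in Adaxes (see "Change Logon Information" in the console).
Test-DeletePermission -UserDN 'CN=Jane Doe,OU=Users,DC=example,DC=com' -Account 'svc-adaxes' | Format-List
```

Run the audit first: a result of Delete = True, DeleteTree = False reproduces exactly the situation described in the answer (a script deleting the leaf succeeds while the built-in action, which always deletes as a subtree, is refused with "insufficient access rights"). Only if that gap is confirmed should Grant-DeleteTreeOnUsers be applied, and it should be pointed at the OU that holds the accounts being deprovisioned rather than the domain root, so the subtree-delete right does not spread to other object classes or containers.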

0

Hi,

We have the same issue with deleting a user from an Adaxes scheduled task.
The Adaxes service user has full domain admin rights and is also a member of the AD security group "Domain Admins".

I checked the rights from the group "Domain Users" under the tab "Security" (see attachment).

Can you tell me, what I have to do, to solve this issue? Thank you :)

0

Hello,

Have a look at Adaxes General Log and Adaxes Event Log for any errors and/or warnings that may be related to the issue. Could you show us the exact errors and/or warnings that you receive? You can post the errors/warnings in this post or send them to our support e-mail (support[at]adaxes.com).

For information on how to access the logs, see the following help articles: View General Log, Service Event Log.

0

Hello,
I got the following error in the Event Log:
Softerra.Adaxes.CommandPipeline.CommandProcessingException: The following command threw an exception while being executed: Delete 'xxxxx Ruedi (domainx.ch\Urlaub)'. ---> Softerra.Adaxes.Adsi.DirectoryComException (0x80070005): Access is denied. (Server: domainx.ch) ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
at #F.#eq.SendDirectoryRequest(ILdapConnection connection, DirectoryRequest request, ReferralChasingOptions referralChasing, TimeSpan clientTimeout, IDirectoryRequestErrorHandler errorHandler)
at #F.#eq.SendDirectoryRequest(NtdsDirectoryIdentifier directoryId, ADS_AUTHENTICATION_ENUM authOptions, DirectoryRequest request, ReferralChasingOptions referralChasing, TimeSpan clientTimeout, IDirectoryRequestErrorHandler errorHandler)
at #F.#eq.SendDirectoryRequest(NtdsDirectoryIdentifier directoryId, ADS_AUTHENTICATION_ENUM authOptions, DirectoryRequest request, ReferralChasingOptions referralChasing, TimeSpan clientTimeout, IDirectoryRequestErrorHandler errorHandler)
at Softerra.Adaxes.Adsi.AdmObject.SendDirectoryRequest(DirectoryRequest request, ReferralChasingOptions referralChasing)
at Softerra.Adaxes.Adsi.AdmObject.DeleteEntry(Boolean deleteSubtree)
at Softerra.Adaxes.CommandPipeline.Actions.DeleteObjectAction.ExecuteAction(IAdmTop targetObject)
at Softerra.Adaxes.CommandPipeline.Actions.ActionBase.Execute(IAdmTop targetObjectArg)
at Softerra.Adaxes.CommandPipeline.Actions.ActionBase.Execute(ICommand command)
--- End of inner exception stack trace ---

0

Nevertheless, the issue seems to be in permissions :)

You showed us a screenshot of permissions for Domain Users. However, the permissions shown on the screenshot are effective for the Domain Users group object itself, and not for members of the group.
Also, to perform operations in a domain, Adaxes uses the credentials of the administrative user account for the domain. This is not necessarily the account of Adaxes default service administrator. To check which account is used to perform operations in a domain:

  1. Launch Adaxes Administration Console.
  2. Expand the service node that represents your Adaxes service.
  3. Expand the Active Directory node.
  4. Navigate to your AD domain and right-click it.
  5. Click Change Logon Information.

    The account that is used to perform operations in the domain will be displayed in the dialog box that appears.

So, we suggest checking whether the administrative account configured for the user's domain has sufficient permissions to delete the user. For a quick test, you can try logging in as the administrative account configured for the domain and deleting the same user using ADUC.

0

Thank you! Changing the logon information to another user with Domain Admin rights worked! :)
