You may run into this from time to time. You're trying to delete a user account from Active Directory, and a dialog box pops up that says, "You do not have sufficient privileges to delete...". The annoying thing is that you DO have sufficient privileges to perform this action. You're the domain admin, possibly even the enterprise admin. What's going on here?
Well, a quick google of that phrase returns more than a few matches, almost all saying the same thing - the object is protected from accidental deletion, and to turn this off, you have to go to the Object tab and uncheck the box that is labeled, "Protect object from accidental deletion". Simple enough, eh?
But wait. On this particular object, that box isn't checked, yet you still can't delete the account. WTH?
I've encountered this problem more than once, yet it's rare, and it takes me a few minutes to remember why it's doing this, and how to fix it.
The account in question belongs to a former admin, or possibly an Account Operator. The problem is that permission inheritance has been turned off on this account. To understand why, take a look at this article. In a nutshell: adminCount is greater than 0, so inheritance is switched off on the object, and the inherited permission you need in order to delete the account is gone with it.
The fix is simple. Go to the account's Security tab, click the Advanced button, and make sure the box next to "Include inheritable permissions from this object's parent" is checked, which re-enables inheritance. Now click Apply or OK, close the properties dialog, and try to delete the object again. Voila! The account can now be deleted.
Just a quick side note. Don't wait too long to delete the account, or else permissions inheritance will be automatically disabled again, and you'll have to go through all of this again.
Quick note (2) - this blocked permission inheritance on new admin accounts will also prevent these users from adding an ActiveSync device to their Exchange mailbox. But only the first one. The problem is that, with permission inheritance turned off, the user lacks the right to create the "subfolder" under their account where ActiveSync devices are stored. Again, the solution is to re-enable permission inheritance on the account, then have the user retry adding their ActiveSync device, but do it before inheritance is automatically disabled again.
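Here is the same diagnosis and fix scripted in PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) and an account allowed to change the target user's security descriptor; 'former.admin' is a placeholder name, and the privileged-group list in the last function is only the common subset of groups that cause adminCount to be set. Besides the fix itself, it includes the defender's check a practitioner wants: accounts still flagged adminCount=1 that no longer sit in any privileged group, which keep this non-inherited ACL (and these symptoms) indefinitely.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT)
# and an account with rights to change the target user's security descriptor.
# 'former.admin' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

# Report the three things that matter: adminCount, the Object-tab checkbox, and whether
# the DACL is protected (inheritance blocked).
function Test-AdminCountBlockedInheritance {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties adminCount, ProtectedFromAccidentalDeletion
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    [pscustomobject]@{
        SamAccountName                  = $user.SamAccountName
        AdminCount                      = $user.adminCount
        ProtectedFromAccidentalDeletion = $user.ProtectedFromAccidentalDeletion
        InheritanceBlocked              = $acl.AreAccessRulesProtected
    }
}

function Restore-InheritanceAndRemoveUser {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties ProtectedFromAccidentalDeletion
    $path = "AD:\" + $user.DistinguishedName

    # Rule out the common cause first (the checkbox on the Object tab).
    if ($user.ProtectedFromAccidentalDeletion) {
        Set-ADObject -Identity $user.DistinguishedName -ProtectedFromAccidentalDeletion $false
    }

    # The rarer cause from the post: inheritance blocked on an adminCount > 0 account.
    $acl = Get-Acl -Path $path
    if ($acl.AreAccessRulesProtected) {
        # $false = stop protecting the DACL (re-enable inheritance)
        # $true  = keep the explicit ACEs already on the object
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }

    # Delete right away: the protected ACL is re-applied on a schedule (60 minutes by
    # default), which is why the post warns not to wait. If the account has child objects
    # (for example the ActiveSync device container from note 2), use
    # Remove-ADObject -Recursive instead.
    Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false
}

# Defender's check: users still flagged adminCount=1 that are no longer in a privileged
# group. Their ACL stays non-inherited until someone clears adminCount and re-enables
# inheritance, so they show exactly the symptoms described in the post.
function Get-StaleAdminCountUsers {
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators')
    $members = foreach ($g in $privileged) {
        # Enterprise/Schema Admins only exist in the forest root; ignore lookups that fail.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty distinguishedName
    }
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $members -notcontains $_.DistinguishedName }
}

Test-AdminCountBlockedInheritance -Identity 'former.admin'
# Restore-InheritanceAndRemoveUser -Identity 'former.admin'
# Get-StaleAdminCountUsers
```

Run the test function first; if it reports InheritanceBlocked as True and ProtectedFromAccidentalDeletion as False, you are looking at the case this post describes, and the remove function will clear it in the same hour-long window the post talks about.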
Wednesday, May 4, 2016
Friday, January 15, 2016
Azure AD Connect and Deleting a Large Number of On-Premises Users
So, here's a handy URL to bookmark:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-prevent-accidental-deletes/
This is the page that explains how to get Azure AD Connect moving again if it gets stuck due to a large number of on-premises account deletions.
Being in the retail sector, our company hires, and subsequently terminates, a large number of seasonal associates, and this year was no different. This morning, I found several messages in my inbox from the "MSOnlineServicesTeam", stating that...
"the Identity synchronization service detected that the number of deletions exceeded the configured deletion threshold for [company name]. A total of 16402 objects were sent for deletion in this Identity synchronization run. This met or exceeded the configured deletion threshold value of 500 objects.
We need you to provide confirmation that these deletions should be processed before we will proceed."
The accompanying link leads to a site with instructions for disabling the limit for DirSync, but also has the above link for similar instructions for Azure AD Connect users.
First, verify that your pending deletes are not accidental. I checked with our HR department to confirm that they terminated those 16000+ associates yesterday, and then ran the following PowerShell command from the Azure AD Connect server:
Disable-ADSyncExportDeletionThreshold
Next, either wait for the scheduled synchronization task to run, or kick it off manually. Either way, it's going to take much longer than normal to push all those deletes up to Office 365.
Finally, be sure to re-enable the delete threshold, just to be safe.
Enable-ADSyncExportDeletionThreshold
Thanks to Andreas Kjellman and his team for all the great work they've done on Azure AD Connect.
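The three steps above, wrapped into one PowerShell function as an added example (not code from the post or from the Azure AD Connect team). It runs on the Azure AD Connect server with the ADSync module; the counts passed in are constructed values standing in for the number in the notification mail and the number HR confirmed, and 500 is the threshold value quoted in the mail. The point it adds is the ordering: refuse to lift the threshold until the reported count has been reconciled, and restore the threshold in a finally block so a failed sync cannot leave it disabled.

```powershell
# Added example, not from the original post. Run on the Azure AD Connect server; the
# ADSync module ships with Azure AD Connect. Disable-ADSyncExportDeletionThreshold
# prompts for Azure AD credentials when it runs.
Import-Module ADSync

function Confirm-AndExportDeletions {
    param(
        [Parameter(Mandatory)][int]$ReportedDeletions,   # figure from the notification mail
        [Parameter(Mandatory)][int]$HrConfirmedCount,    # figure confirmed with HR
        [int]$ThresholdToRestore = 500                   # value quoted in the mail
    )

    # Step 1: never lift the threshold on a number you have not reconciled. A large
    # unexplained delete count is exactly the mistake (wrong OU filter, broken connector,
    # mass-disabled accounts) this control exists to stop.
    if ($ReportedDeletions -gt $HrConfirmedCount) {
        throw "Reported deletions ($ReportedDeletions) exceed what HR confirmed ($HrConfirmedCount); investigate before exporting."
    }

    # Step 2: lift the threshold for this run only.
    Disable-ADSyncExportDeletionThreshold
    try {
        # Step 3: kick the sync off instead of waiting for the scheduler...
        Start-ADSyncSyncCycle -PolicyType Delta

        # ...and wait for it to finish; with this many deletes it takes far longer than usual.
        do {
            Start-Sleep -Seconds 30
        } while ((Get-ADSyncScheduler).SyncCycleInProgress)
    }
    finally {
        # Step 4: re-enable the threshold even if the sync threw, with the same value as before.
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $ThresholdToRestore
    }
}

# Constructed sample values: 16402 is the count from the post's notification mail.
Confirm-AndExportDeletions -ReportedDeletions 16402 -HrConfirmedCount 16402
```

If the reconciliation check throws, nothing has been changed on the server yet, which is the state you want while you work out where the extra deletes came from.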