You may run into this from time to time. You're trying to delete a user account from Active Directory, and a dialog box pops up that says, "You do not have sufficient privileges to delete...". The annoying thing is that you DO have sufficient privileges to perform this action. You're the domain admin, possibly even the enterprise admin. What's going on here?
Well, a quick Google search for that phrase returns more than a few matches, almost all saying the same thing: the object is protected from accidental deletion, and to turn this off, you have to go to the Object tab and uncheck the box labeled "Protect object from accidental deletion". Simple enough, eh?
But wait. On this particular object, that box isn't checked, yet you still can't delete the account. WTH?
I've encountered this problem more than once, yet it's rare, and it takes me a few minutes to remember why it's doing this, and how to fix it.
The account in question belongs to a former admin, or possibly an Account Operator. The problem is that permissions inheritance is turned off on this account. To understand why, take a look at this article. In a nutshell, the account's "adminCount" attribute is greater than 0, so permissions inheritance has been turned off on it, and the permissions you would normally inherit from the parent container, including the one you need to delete the account, no longer apply.
The fix is simple. Go to the account's Security tab, click the Advanced button, and then check the box next to "Include inheritable permissions from this object's parent" so that inheritance is turned back on. Now click Apply or OK, close the properties dialog, and try to delete the object again. Voila! The account can now be deleted.
Just a quick side note. Don't wait too long to delete the account, or else permissions inheritance will be automatically disabled again, and you'll have to go through all of this again.
Quick note (2) - this disabled permissions inheritance on new admin accounts will also prevent these users from adding an ActiveSync device to their Exchange mailbox, but only the first device. The problem is that, with permissions inheritance turned off, the user lacks the right to create the "subfolder" under their account where ActiveSync devices are stored. Again, the solution is to re-enable permissions inheritance on the account and then have the user retry adding their ActiveSync device, but do it before inheritance is automatically disabled again.
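Here is an added PowerShell example (my own, not from the original post) that finds the accounts this post is about, those with adminCount set and inheritance blocked, and with -Fix re-enables inheritance and clears adminCount before the protection process reapplies. It assumes the RSAT ActiveDirectory module is installed and that you run it as a domain admin; the -SearchBase and -Fix parameters are my own names.

```powershell
# Added example: report (and optionally repair) stale admin accounts whose ACL
# inheritance was turned off because adminCount=1, as described in the post.
# Requires the RSAT ActiveDirectory module; run with domain admin rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,   # assumption: defaults to the current domain root
    [switch]$Fix           # without -Fix the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# adminCount=1 marks accounts that have been stamped by AdminSDHolder protection.
# nTSecurityDescriptor lets us check inheritance without a second lookup.
$candidates = Get-ADUser -LDAPFilter '(adminCount=1)' -SearchBase $SearchBase `
    -Properties adminCount, nTSecurityDescriptor, memberOf

foreach ($user in $candidates) {
    $inheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected

    # Direct group names help spot accounts that left the admin groups long ago
    # but still carry the protected ACL (the "former admin" case in the post).
    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        AdminCount         = $user.adminCount
        InheritanceBlocked = $inheritanceBlocked
        DirectGroups       = ($user.memberOf |
            ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
    }

    if ($Fix -and $inheritanceBlocked -and
        $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Re-enable inheritance and clear adminCount')) {

        $path = "AD:\$($user.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # isProtected=$false is the same as checking "Include inheritable permissions
        # from this object's parent" in the GUI; explicit ACEs are kept.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl

        # Clearing adminCount stops the protection process (SDProp, every 60 minutes
        # by default) from blocking inheritance again, but only if the account is no
        # longer a member, directly or nested, of a protected group.
        Set-ADUser -Identity $user -Clear adminCount
    }
}
```

Run it without -Fix first (or with -WhatIf) to review the list; an account that still shows a protected group in DirectGroups will be re-protected on the next SDProp pass no matter what you change.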
Wednesday, May 4, 2016