Active Directory

colonialiu20🇺🇸

Remove AD accounts with PowerShell error
The below command searches my Active Directory for accounts that have been expired for more than 30 days and deletes them. While running the below command, I get the below error. The only thing that is different about these users is that they had iPhones associated with their Exchange account at some point. How can I modify my command to remove the account? If I try to delete the account in ADUC, I get the following error on the screen: [User generated image]
If I click Yes, the delete is successful. How can I get the delete to work in PowerShell?

Search-ADAccount -AccountExpired -UsersOnly | Where { $_.AccountExpirationDate -lt (Get-Date).AddDays(-30) } | Remove-ADUser


Here's the error message I get:
Remove-ADUser : The directory service can perform the requested operation only on a leaf object
At line:1 char:125
+ Search-ADAccount -AccountExpired -UsersOnly | Where { $_.AccountExpirationDate -lt (Get-Date).AddDays(-30) } | Remove
-ADUser <<<<
    + CategoryInfo          : NotSpecified: (CN=Doe\, John...DC=contoso,DC=org:ADUser) [Remove-ADUser], ADException
    + FullyQualifiedErrorId : The directory service can perform the requested operation only on a leaf object,Microsof
   t.ActiveDirectory.Management.Commands.RemoveADUser


Manpreet SIngh Khatra🇮🇳

If so, you have to remove the ActiveSync partnership before this, and also you can run a command like the one below to just get the info of the accounts you should disable for ActiveSync:

Search-ADAccount -AccountExpired -UsersOnly | Where { $_.AccountExpirationDate -lt (Get-Date).AddDays(-30) }

Remove-ActiveSyncDevice "UserName"

- Rancy

colonialiu20🇺🇸

ASKER

Rancy,

I'm looking for a way to put this into a script so the process happens automatically. Your suggestion requires a manual step of running Remove-ActiveSyncDevice "UserName".

Manpreet SIngh Khatra🇮🇳

Sir, to be true, I am not a scripter, but yes, if you can have something like this and it works, then your next command will be what you have:

Search-ADAccount -AccountExpired -UsersOnly | Where { $_.AccountExpirationDate -lt (Get-Date).AddDays(-30) } | Remove-ActiveSyncDevice

- Rancy


colonialiu20🇺🇸

ASKER

Remove-ActiveSyncDevice is not a valid command.

SOLUTION
netballi🇬🇧


colonialiu20🇺🇸

ASKER

Netballi,

Can I add something to your script to delete the mailbox as well?

colonialiu20🇺🇸

ASKER

When I try to run netballi's command, I get the following error. I can't figure out what is wrong.


Cannot process argument transformation on parameter 'Mailbox'. Cannot convert the "CN=Doe\, John,OU=sped redirects,OU
=Special ED,OU=Central Office,OU=NewAD,DC=contoso,DC=org" value of type "Deserialized.Microsoft.ActiveDirectory.Managemen
t.ADAccount" to type "Microsoft.Exchange.Configuration.Tasks.MailboxIdParameter".
    + CategoryInfo          : InvalidData: (:) [Get-ActiveSyncDeviceStatistics], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-ActiveSyncDeviceStatistics
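
Added example, not part of any post in this thread: the "leaf object" error means the user object has child objects, and assuming the ADUC prompt is the delete-subtree confirmation, the scripted equivalent is Remove-ADObject -Recursive. The function name Remove-ExpiredADUserTree and its parameters are hypothetical; it needs the ActiveDirectory module and supports -WhatIf so the deletions can be previewed first.

```powershell
# Added example (hypothetical function name); requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Remove-ExpiredADUserTree {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$DaysExpired = 30,   # same 30-day threshold as the question
        [string]$SearchBase       # optional: limit the sweep to one OU
    )

    $cutoff = (Get-Date).AddDays(-$DaysExpired)
    $searchArgs = @{ AccountExpired = $true; UsersOnly = $true }
    if ($SearchBase) { $searchArgs.SearchBase = $SearchBase }

    Search-ADAccount @searchArgs |
        Where-Object { $_.AccountExpirationDate -lt $cutoff } |
        ForEach-Object {
            $account = $_
            $dn = $account.DistinguishedName

            # Anything stored beneath the user makes it a non-leaf object,
            # which is what Remove-ADUser refuses to delete.
            $children = @(Get-ADObject -SearchBase $dn -SearchScope Subtree -Filter * |
                Where-Object { $_.DistinguishedName -ne $dn } |
                ForEach-Object { $_.DistinguishedName })

            $deleted = $false
            if ($PSCmdlet.ShouldProcess($dn, "Delete user and $($children.Count) child object(s)")) {
                # -Recursive removes the user together with its subtree.
                Remove-ADObject -Identity $dn -Recursive -Confirm:$false -ErrorAction Stop
                $deleted = $true
            }

            # One record per account, for review or an audit log.
            New-Object PSObject -Property @{
                User     = $dn
                Expired  = $account.AccountExpirationDate
                Children = $children
                Deleted  = $deleted
            }
        }
}

# Preview only: with -WhatIf nothing is deleted.
Remove-ExpiredADUserTree -DaysExpired 30 -WhatIf
```

For an unattended run, review the preview output, then drop -WhatIf and pass -Confirm:$false.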


ASKER CERTIFIED SOLUTION
pgm554🇺🇸
