Link to home
Start Free TrialLog in
Avatar of wlasner
wlasnerFlag for United States of America

asked on

How to delete an admin user who is protected from accidental deletion....

Over a year ago we enlisted the services of an outside exchange server tech who created an admin acount for them selves. I need to delete this account from exchange server as well as Active Directory but it is protected from "Accidental Deletion". I cannot find where to remove this option. i moved the user to a different OU which did not help.
Please advise how I can force the deletion of this users from the AD / exchange server.
thank you
Wayne

User generated image
Avatar of Alex
Alex
Flag of United Kingdom of Great Britain and Northern Ireland image
Enable advanced options in DSA.MSC

Right click the user go to properties

Then object

Then untick protect object from accidental deletion



note: you may need to navigate to the ou where the account is.
Avatar of wlasner
wlasner
Flag of United States of America image

ASKER

So, I did this but the box is not selected in AD. the option must be coming from somewhere else.
Avatar of Alex
Alex
Flag of United Kingdom of Great Britain and Northern Ireland image
check it at the OU level, same place and untick it to delete the account, it'll protect it and it's contents.

So untick
Avatar of wlasner
wlasner
Flag of United States of America image

ASKER

same thing.... not protected. This is bizarre.
Avatar of Alex
Alex
Flag of United Kingdom of Great Britain and Northern Ireland image
Check the security of the account, add your username to the security and then delete it that way.

If you still can't delete it i'm guessing they have protected it in the Schema or something.
Avatar of wlasner
wlasner
Flag of United States of America image

ASKER

Not resolved. I'm at a loss here. Appreciate your help. If you think of anything else to try, please let me know.
thanks
wayne
Avatar of Alex
Alex
Flag of United Kingdom of Great Britain and Northern Ireland image
Ok,

Move the account out of that OU into a top level OU and then delete it. You can create a top level OU, move it there, then try to remove it.

Alternatively, you can disable it. Same goal essentially.
Avatar of wlasner
wlasner
Flag of United States of America image

ASKER

No Luck. Is there a command line that could accomplish this?
Avatar of Adam Brown
Adam Brown
Flag of United States of America image
Open the Advanced Features View in AD Users and Computers, find his account, right click > Properties > security tab. There is likely a Deny entry there that you'll need to remove from the list. Worst case, if you can't figure out how to delete the account, disable it to prevent login (I'd recommend doing this while you're working on finding the cause of the delete issue).
Avatar of Sean Bravener
Sean Bravener
how many AD servers do you have?  one thing that will slow this process down is AD propogation. if you have multiple ad sites you will need to let things prop between steps.
Avatar of wlasner
wlasner
Flag of United States of America image

ASKER

We have two DC's on the same network. I'll try again later.... thanks
ASKER CERTIFIED SOLUTION
Avatar of Shaun Vermaak
Shaun Vermaak
Flag of Australia image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of wlasner
wlasner
Flag of United States of America image

ASKER

OK, using adsiedit and adding full control allowed me to delete the user object. thank you.
Avatar of wlasner
wlasner
Flag of United States of America image

ASKER

Thank you all for your assistance.
Wayne