
I am pretty green at PowerShell, and if this is simple, I apologize. I have tried to use this example script from user Nick, and have run into an error I thought AdObject was supposed to go around. My script:

```powershell
Import-Module ActiveDirectory

$list = Import-CSV C:\scripts\deletebulkusers.csv

forEach ($item in $list) {
    $samAccountName = $item.samAccountName

    #Get DistinguishedName from SamAccountName
    $DN = Get-ADuser -Identity $Samaccountname -Properties DistinguishedName |
        Select-Object -ExpandProperty DistinguishedName

    #Remove object using DN
    Remove-ADObject -Identity $DN
}
```

I have posted my error below:

```
Remove-ADObject : The directory service can perform the requested operation only on a leaf object
At line:13 char:5
+     Remove-ADObject -Identity $DN -confirm:$false
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=<user>,DC=com:ADObject) [Remove-ADObject], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8213,Microsoft.ActiveDirectory.Management.Commands.RemoveADObject
```
jodokast89
  • `-confirm:$false` looks syntactically wrong. `-confirm $false` looks better. If you remove this parameter completely, is it working fine? – G42 Jun 28 '17 at 14:53
  • If I remove it completely, I still have the same error. – jodokast89 Jun 28 '17 at 14:58

3 Answers


The error suggests that the object you're trying to remove is a container. I suspect you may be providing the cmdlet the container of the object you want to remove rather than the object itself.

I think you can simplify the situation by using the pipeline:

```powershell
Get-ADuser -Identity $Samaccountname | Remove-ADObject -WhatIf
```

Remove the -WhatIf parameter if it looks like it's going to do what you expect.

Mark Wragg
  • I tried this, however I get the same error. I am only trying to delete a batch of users, all of them have email accounts, which I am assuming is where the issue is. The script will delete users without email, but not users with email. – jodokast89 Jun 28 '17 at 15:23
  • It seems you need to disable their mailbox first. If you're using Exchange 2016 there's also `Remove-Mailbox` that will seemingly remove both mailbox and user account objects. – Mark Wragg Jun 28 '17 at 15:26

Glad I could help :) I've had this happen to me before, specifically if the user has Outlook on their phone it turns them into a container. If you open Active Directory Users and Computers, select "View", and check the option for "View Users, Contacts, Groups and Computers as containers", then navigate to the object, you will see that there are items inside of it.

Using the -recurse parameter with Remove-ADObject is what fixed it for me.

Nick
  • Is there a risk that this will leave the mailbox orphaned and difficult to remove? – Mark Wragg Jun 28 '17 at 15:28
  • Not in my experience, although I can't say for certain. I've been running a script with this parameter daily for the past two years with no ill effects, however I'd imagine that may vary based upon the environment... it's only recursively removing ExchangeActiveSync devices in my environment. – Nick Jun 28 '17 at 15:30
  • The -Recursive cmdlet fixed my issue, along with @Mark-Wragg simplification of the script. Thanks so much to both of you!! – jodokast89 Jun 28 '17 at 15:34
  • Also, with the -Recursive line, it marked the email accounts for deletion. Perfect! – jodokast89 Jun 28 '17 at 15:43

Here is what my end script looked like. Both Nick and Mark Wragg's answers fixed my issue. Thanks guys!!

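```powershell
Import-Module ActiveDirectory

$list = Import-CSV C:\scripts\deletebulkusers.csv

forEach ($item in $list) {
    $samAccountName = $item.samAccountName

    # Pipe the user object straight to Remove-ADObject; -Recursive also deletes
    # any child objects stored under the user (nothing is returned, so no assignment).
    Get-ADUser -Identity $samAccountName | Remove-ADObject -Recursive
}
```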
jodokast89
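
Because `-Recursive` deletes everything stored under each account, the following added example (not code from any poster on this page) lists a user's child objects first and only recurses when they are all of an expected class. The allow-list of `msExchActiveSyncDevices` / `msExchActiveSyncDevice` is an assumption based on Nick's comment about ExchangeActiveSync devices, and `Get-UserChildObject` is a hypothetical helper name.

```powershell
Import-Module ActiveDirectory

# Assumption: the only child objects acceptable to delete along with a user are
# Exchange ActiveSync device records, as described in Nick's comment.
$allowedChildClasses = 'msExchActiveSyncDevices', 'msExchActiveSyncDevice'

# Hypothetical helper: returns every object stored beneath the given user DN.
function Get-UserChildObject {
    param([Parameter(Mandatory)] [string] $UserDN)
    # A Subtree search also returns the user itself, so filter it out.
    Get-ADObject -SearchBase $UserDN -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $UserDN }
}

$list = Import-Csv C:\scripts\deletebulkusers.csv

foreach ($item in $list) {
    try {
        $user = Get-ADUser -Identity $item.samAccountName -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping '$($item.samAccountName)': $($_.Exception.Message)"
        continue
    }

    $children   = @(Get-UserChildObject -UserDN $user.DistinguishedName)
    $unexpected = @($children | Where-Object { $_.ObjectClass -notin $allowedChildClasses })

    if ($unexpected.Count -gt 0) {
        # Something other than ActiveSync data lives under this account:
        # do not recurse blindly, list it for manual review instead.
        Write-Warning "Not deleting $($user.SamAccountName): unexpected child objects"
        $unexpected | Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize
        continue
    }

    if ($children.Count -eq 0) {
        # True leaf object: -Recursive is not needed.
        Remove-ADObject -Identity $user.DistinguishedName -WhatIf
    }
    else {
        Remove-ADObject -Identity $user.DistinguishedName -Recursive -WhatIf
    }
}
```

Review the `-WhatIf` output and any warnings, then remove `-WhatIf` to perform the deletions.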