Friday, December 9, 2011

Active Directory Leaf Object: Confirm Subtree Deletion?


I was working in an Active Directory forest at one time removing a user object and I found myself surprised when I saw the following prompt. I was perplexed because user objects (and most of the other objects besides the Organizational Unit that can be created through the Active Directory Users and Computers snap-in) are typically leaf nodes in Active Directory.

"Object %s contains other objects. Are you sure you want to delete object %s and all of the objects it contains? If you cancel the running deletion, the objects deleted thus far will not be recovered. Warning: If you select Use Delete Subtree server control checkbox, all objects within the subtree, including all delete-protected objects, will be deleted, and the deletion cannot be canceled"

When I explored this further, I identified that the object created below the user object was related to a fingerprint reader used in this particular company. I will show three ways to explore these objects since they do not show up in the default view of Active Directory Users and Computers.

To start this scenario, I used ADSI Edit and added a node under my user object in a test domain.

Active Directory Users and Computers

Many Active Directory Administrators spend lots of time with this tool and it is one that typically has a few unexplored features. One of the features that is not often used is the "Users, Contacts, Groups, and Computers as containers" view option.

This allows the children of these objects to be viewed by expanding the tree in the left pane.


ADSI Edit, with its default view options, can be used to explore these elements. By default, you can connect to the default naming context for the domain and navigate to the user object.


LDP is a useful tool for developing LDAP queries and finding lists of objects that conform to a specific set of parameters, such as department name or job title. The dsquery tool could also be used for this, but LDP is sometimes the better tool because it does not have the constraint of the fixed width of PowerShell or the command shell (cmd.exe). The only catch to using LDP is identifying the base distinguished name to search from. In this case, it is

cn=mike burr,cn=Users,dc=ad,dc=mikesblog,dc=lan

To find the child objects under this dn, use a generic filter, such as (cn=*).

The resulting object is printed with the attributes identified in the search box.
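As an added example (not part of the original post), the same child-object search run from PowerShell with the RSAT ActiveDirectory module over every user object at once, rather than one base DN at a time in LDP. The search base is assumed from the distinguished name above; the script also reports whether each child is delete-protected, since that is what the "Use Delete Subtree server control" warning in the prompt is about.

```powershell
# Added example, not from the original post. Lists user objects that have
# child objects, i.e. the ones for which ADUC shows the subtree-deletion prompt.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumed search base; replace with the container you are reviewing.
$searchBase = 'CN=Users,DC=ad,DC=mikesblog,DC=lan'

# Every user object under the base; only the DN and account name are needed.
$users = Get-ADUser -Filter * -SearchBase $searchBase -SearchScope Subtree

$results = foreach ($user in $users) {
    # OneLevel scope returns the direct children only and excludes the base
    # itself, which matches the (cn=*) search done in LDP above.
    $children = Get-ADObject -LDAPFilter '(objectClass=*)' `
                             -SearchBase $user.DistinguishedName `
                             -SearchScope OneLevel `
                             -Properties objectClass, whenCreated, ProtectedFromAccidentalDeletion

    foreach ($child in $children) {
        [pscustomobject]@{
            User        = $user.SamAccountName
            ChildDN     = $child.DistinguishedName
            ObjectClass = $child.ObjectClass
            WhenCreated = $child.whenCreated
            # Delete-protected children are removed anyway when the
            # Delete Subtree server control is used, so flag them first.
            Protected   = $child.ProtectedFromAccidentalDeletion
        }
    }
}

# Users that never appear in this table are true leaf objects.
$results | Sort-Object User, ChildDN | Format-Table -AutoSize
```

Run it before a bulk clean-up of user accounts so that any unexpected children (such as the fingerprint-reader objects described above) are inventoried rather than discovered through the prompt.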
