Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AD Remove Account Delete Sub Tree Option

tbonnesen
New Contributor II
New Contributor II

‎05/11/2022 02:16 PM

Hello,

I am noticing an issue when the Remove Account task runs to delete an Active Directory account that there is an error message that states the follow:

2022-04-28 15:40:38,154 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService  - enforceTreeDeletion:

2022-04-28 15:40:38,454 [quartzScheduler_Worker-2] DEBUG ldap.SaviyntGroovyLdapService  - Cannot delete object as object contains child objects also:

javax.naming.ContextNotEmptyException: [LDAP: error code 66 - 00002015: UpdErr: DSID-031A12B0, problem 6003 (CANT_ON_NON_LEAF), data 0

 

Is there a way to specify deletesubtree/enforceTreeDeletion in the REMOVEACCOUNTACTION on the AD connector?

1 person had this problem.
Labels:
0 Kudos
7 REPLIES 7

sahajranajee
Saviynt Employee
Saviynt Employee

‎05/12/2022 02:04 AM

Hi Team,

If you are using the Active Directory Connector, we have the parameter 'ENFORCE_TREE_DELETION' on the AD Connector :

sahajranajee_1-1652346109091.png

By default it is FALSE, please set it to TRUE and try provisioning again.

 

 

 


Regards,
Sahaj Ranajee
Sr. Product Specialist

tbonnesen
New Contributor II
New Contributor II

‎05/12/2022 08:38 AM

Thank you for the information. I set the ENFORCE_TREE_DELETION to TRUE and re-ran the task. The child object was deleted but still fails to delete the account with the error message:

DEBUG ldap.SaviyntGroovyLdapService - Cannot delete object as object contains child objects also:
javax.naming.ContextNotEmptyException: [LDAP: error code 66 - 00002015: UpdErr: DSID-031A12B0, problem 6003 (CANT_ON_NON_LEAF), data 0

Is there another way to force the deletion?

0 Kudos

sahajranajee
Saviynt Employee
Saviynt Employee
In response to tbonnesen

‎05/12/2022 08:54 PM

Hello,

Since the leaf objects are now deleted, does rerunning the provisioning still give the same provisioning response?


Regards,
Sahaj Ranajee
Sr. Product Specialist
0 Kudos

tbonnesen
New Contributor II
New Contributor II

‎05/13/2022 06:16 AM

Yes, I have tried running the task two more times after the original child object was deleted and it still gives the same error message in the logs. Is there a way to tell AD to delete despite this message?

0 Kudos

sahajranajee
Saviynt Employee
Saviynt Employee

‎05/15/2022 11:07 PM

That is not expected. Are you looking at the error message from the Provisioning comments on the task or from the logs?


Regards,
Sahaj Ranajee
Sr. Product Specialist
0 Kudos

tbonnesen
New Contributor II
New Contributor II

‎05/17/2022 12:46 PM

I am able to see the error message in the logs and then also verify in Active Directory that the account was not deleted. Is there any other configurations that need to be made to allow the deletion to go through?

0 Kudos

sahajranajee
Saviynt Employee
Saviynt Employee
In response to tbonnesen

‎05/18/2022 05:57 AM

Hello,

This seems odd as if the child object gets deleted, the intended object should also get deleted in the next provisioning run. Could you please raise a Freshdesk support ticket with Saviynt Support and work with the Ops team to get the issue triaged?

 


Regards,
Sahaj Ranajee
Sr. Product Specialist
0 Kudos
Copyright © 2024 Khoros, LLC