You Cannot Delete an Active Directory Object of Unknown Type

Symptoms

In the Active Directory management snap-ins (Active Directory Users and Computers, Active Directory Sites and Services, and Active Directory Domains and Trusts), you may see an object represented by the default Windows icon, which has a Type designation of Unknown. If you attempt to delete the object, you receive the following error message:

Active Directory

Windows cannot delete object <object name> because:
The specified directory service attribute or value does not exist.

Or, in ADSIEdit, you may see a leaf object with no data in the Class column. If you attempt to delete the object, you receive the following error message:

adsiedit

The specified directory service attribute or value does not exist.

Or, in the Active Directory Administration Tool (Ldp.exe), you may be able to view the object itself, but you cannot see the attributes of that object. If you attempt to delete the object, you receive the following error message:

Error: Delete: Not allowed on Non-leaf. <66>

Cause

This behavior occurs if the account that you are logged on with has only "list contents" permissions on the parent object. In this scenario, you can see the object but cannot read any of its attributes. This prevents Windows from providing information about the object that is based on the objectClass attribute, such as the icon attribute. You also do not have permissions to perform any operations on the object, such as a Delete command, that require access to the objectGUID.

Resolution

If you are a member of the local Administrators group on the domain controller, you can take ownership of the object and then grant yourself whatever access rights you require. To do this, follow these steps:

  1. Open the Active Directory Users and Computers snap-in.
  2. Navigate to the container in which the object resides.
  3. Right-click the object, and then click Properties.
  4. Click the Security tab.
  5. Click the Advanced button.
  6. Click the Owner tab.
  7. In the Change Owner to dialog box, select the Administrators group or the administrator account that you are currently logged on with, and then click OK.
  8. In the Security dialog box, assign Full Control permissions to the administrator account.
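
The same ownership change and grant can be scripted. The following is an added example, not part of the original article; it assumes dsacls.exe is present on the domain controller and supports the /takeOwnership switch there, and the distinguished name and trustee are placeholders you supply.

```powershell
# Added example, not from the original article. Run in an elevated session on
# the domain controller as a member of the local Administrators group.
param(
    # Placeholder values (assumptions): supply your own DN and account.
    [Parameter(Mandatory)] [string] $ObjectDn,  # e.g. 'CN=Stale,OU=Example,DC=example,DC=com'
    [Parameter(Mandatory)] [string] $Trustee    # e.g. 'EXAMPLE\adminuser'
)

function Invoke-Dsacls {
    param([string[]] $Arguments)
    # Capture stdout so a failure message can be shown to the operator.
    $output = & dsacls.exe @Arguments
    # Exit-code behaviour of dsacls is an assumption here; the read-back at
    # the end of the script is the real confirmation that the change worked.
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls $($Arguments -join ' ') failed ($LASTEXITCODE): $($output -join ' ')"
    }
}

# Steps 6-7 of the procedure: become owner of the unreadable object.
Invoke-Dsacls @($ObjectDn, '/takeOwnership')

# Step 8: grant Full Control (GA = generic all) to the chosen account.
Invoke-Dsacls @($ObjectDn, '/G', "${Trustee}:GA")

# Verify the symptom is gone: objectClass and the owner must now be readable.
try {
    $entry   = [ADSI]"LDAP://$ObjectDn"
    $classes = @($entry.Properties['objectClass'])
    $owner   = $entry.psbase.ObjectSecurity.GetOwner([System.Security.Principal.NTAccount])
} catch {
    throw "Could not read $ObjectDn after the ACL change: $_"
}
if ($classes.Count -eq 0) {
    throw "objectClass is still not readable on $ObjectDn; the object type remains Unknown."
}

# Emit a record of the change for the operator's change log.
[pscustomobject]@{
    Object      = $ObjectDn
    ObjectClass = $classes -join ', '
    Owner       = $owner.Value
    Granted     = "${Trustee}:GA"
}
```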

Status

This behavior is by design.

Properties

Article ID: 305104 - Last Review: October 30, 2006 - Revision: 1