Hi,
When deleting some computers from AD using dsDeleteObj it will fail.
Deleting from AD Users and Computers pops up a 'Use Delete Subtree server control?'
These computers seem to have a bitlocker key or other attachment.
The dsisContainer also comes back true for these...
Found this explanation:
On the other hand, to delete a container and its children, the tree-delete LDAP control has to be used. If you were to do the deletion from an LDAP-based tool like LDP, you would first need to enable the "Subtree Delete" control, which has an OID of 1.2.840.113556.1.4.805.
So is this possible with using the ADSI Extender?
You will likely need to roll your own delete-tree functionality using the extender. It might involve recursive calls to dsGetChldPath and with dsDleteObj. I think there is an example somewhere but cannot recall where.
OK, thanks... I also found an example from here: https://ldapwiki.com/wiki/Wiki.jsp?page=Subtree%20Delete%20Control
...but don't know if ADSI will support?
The following example shows the use of this control to delete the ou=People,dc=example,dc=com subtree.
ldapdelete -p 1389 -h localhost -D "cn=directory manager" -w password -J 1.2.840.113556.1.4.805
ou=People,dc=example,dc=com
Processing DELETE request for ou=People,dc=example,dc=com
--clientSideSubtreeDelete — Indicates that all delete requests should be processed as client-side subtree deletes by searching for all entries below the target entry and then deleting them.
This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
OK, was able to use dsGetChldPath with BitLocker Recovery Key Article ID:W17521 to complete for now.
works better as we can save the bitlocker stuff...thanks!