MichaelGrafnetter/DSInternals

Remove-ADDBObject : doesn't remove objects

Closed this issue · 1 comment

Hi,

I'm trying to use the Remove-ADDBObject cmdlet to remove broken accounts that I'm not able to remove the regular way. It doesn't work, however, either by DN or by ObjectGUID. The command doesn't throw any error and even says it processed the accounts when using the verbose parameter. Tested on both one of the broken accounts and a clean, healthy one created for that purpose.

During one of my attempts I left the NTDS service running, and then the command failed (which was expected). But this allowed me to find an event log entry saying that PowerShell was trying to open the NTDS.dit file in "read-only" mode (but I expected it to do read-write to be able to remove the account).

Any advice on this one?

Hello @gbrissard, the behavior you are describing is expected. The cmdlet first checks the database metadata before opening it in R/W mode.

The purpose of the command is to intentionally break Active Directory, not to fix it! See the warning you get without using the -Force parameter:

Warning

This command physically deletes objects from the database. It does not leave tombstones, nor does it remove links and security descriptors associated with this object. As a consequence, database integrity errors and lingering objects will appear. Use at your own risk and never on production databases. To suppress this warning, reissue the command specifying the Force parameter.

Also see the documentation:

Physically removes specified object from a ntds.dit file, making it semantically inconsistent. Highly experimental!

This is definitely not something you would like to do in production environments. Even if it properly removed the associated links and backlinks, the operation would still need to be executed on all DCs, not just on a single one.
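The following PowerShell session is an added example, not code from the issue or from the DSInternals project. It shows the workflow the maintainer's reply implies: the directory service must be stopped so the cmdlet can open ntds.dit read-only for its metadata check and then read/write for the delete, the edit is done on a scratch copy rather than the live database, and the result is checked afterwards. The paths and the target DN are hypothetical, and the -DatabasePath/-LogPath parameter names are assumed from the module's other cmdlets; -DistinguishedName, -ObjectGuid, -Force and -Verbose are the parameters named in the thread.

```powershell
# Added example (not from the original issue or the DSInternals project).
# Assumptions: file paths and $targetDn are illustrative; -DatabasePath and
# -LogPath are assumed parameter names. -DistinguishedName, -Force and -Verbose
# are the parameters mentioned in the thread.
Import-Module DSInternals

$liveDb   = 'C:\Windows\NTDS\ntds.dit'                  # hypothetical live path
$ntdsDir  = 'C:\Windows\NTDS'
$work     = 'C:\Temp\ntds-lab'                          # scratch folder
$targetDn = 'CN=brokenuser,CN=Users,DC=contoso,DC=com'  # hypothetical object

# 1. The database cannot be held open by the directory service. The cmdlet first
#    opens ntds.dit read-only (the event log entry from the issue) and only then
#    reopens it read/write to perform the delete, so NTDS must be stopped.
#    -Force also stops dependent services such as the KDC and DNS Server.
Stop-Service NTDS -Force

# 2. Never point this cmdlet at the live file. Copy the database together with
#    its transaction logs so the ESE engine can recover the copy cleanly.
New-Item -ItemType Directory -Path $work -Force | Out-Null
Copy-Item $liveDb -Destination $work
Copy-Item (Join-Path $ntdsDir '*.log') -Destination $work
$labDb = Join-Path $work 'ntds.dit'

# 3. Confirm the object exists in the copy before touching it.
$before = Get-ADDBAccount -DatabasePath $labDb -LogPath $work -DistinguishedName $targetDn
"Before: $($before.DistinguishedName)"

# 4. Physically delete the record. -Force suppresses the warning quoted in the
#    reply; -Verbose reports the object as processed. No tombstone is written and
#    links/security descriptors are left dangling, which is why this is a lab-only
#    operation that other DCs would never replicate.
Remove-ADDBObject -DatabasePath $labDb -LogPath $work -DistinguishedName $targetDn -Force -Verbose

# 5. Verify on the copy: the lookup should no longer find the object.
try {
    $after = Get-ADDBAccount -DatabasePath $labDb -LogPath $work -DistinguishedName $targetDn -ErrorAction Stop
    "After: object still present ($($after.DistinguishedName))"
} catch {
    "After: object no longer found in $labDb"
}

# 6. Bring the DC back. The live database was never opened for writing.
Start-Service NTDS
```

Step 5 is the check the issue reporter was missing: reading the object back through Get-ADDBAccount from the same file the cmdlet wrote to. If the lookup still succeeds there, the delete did not happen; if it fails only on the live database, the command was pointed at a different file than the one being inspected.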