Can't delete OU....it's NOT delete-protected

JRV 551 Reputation points
2020-10-16T20:32:03.577+00:00

I have a small AD domain with one 1st-level OU that cannot be deleted. It has no child objects anymore.

My account is a Domain Admin and Enterprise Admin.

There's no Delete, Move, Cut or Rename command on the OU's Context menu or the MMC Action menu, with or without "View as containers" enabled. Other OUs offer the normal commands; it's specific to this one.

Here are all the things that haven't worked:

"Protect from accidental deletion" is turned off. Have also turned it on, clicked Apply, and turned it off and clicked OK.

If I try to delete from GPMC, I get "Access is denied".

I've reset the ACL in Properties/Security/Advanced.

I've checked Effective Permissions on the OU for my account in Properties/Security/Advanced; all are Allow.

I've logged on to the DC as <DOMAIN>\Administrator and tried.

I've issued this command in an elevated PS session--

Remove-ADOrganizationalUnit -Identity "OU=OUName,DC=DOMAIN,DC=LOCAL" -Recursive 

--which produces this output--

Remove-ADOrganizationalUnit : The requested delete operation could not be performed
At line:1 char:1
+ Remove-ADOrganizationalUnit -Identity "OU=OUName,DC=DOMAIN,DC=LOCAL" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (OU=OUName,DC=DOMAIN,DC=LOCAL:ADOrganizationalUnit) [Remove-AD
   OrganizationalUnit], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8398,Microsoft.ActiveDirectory.Management.Commands.RemoveADOrganiz
   ationalUnit

My next instinct is to try with ADSIEDIT, but I don't want to mangle the domain in the process. Next step?

Tags: Windows Server 2012, Windows Server, Active Directory

Accepted answer
  1. Anonymous
    2020-10-16T22:59:20.667+00:00

    It may be a default OU. Try setting the default to some other container / OU

    --please don't forget to Accept as answer if the reply is helpful--


4 additional answers

  1. Hannah Xiong 6,286 Reputation points
    2020-10-19T02:20:07.08+00:00

    Hello,

    Thank you so much for posting here.

    1. We are wondering whether the OU is built-in or manually created. If it is the default OU, there will be no Delete, Move, Cut or Rename command on the OU's Context menu, as shown below. If it was manually created, these commands are present.

    33126-1.png

    33079-2.png

    2. In my test, if the OU is protected from accidental deletion, we get "Access is denied" when trying to delete it from GPMC. Once this option is unchecked, the manually created OU could be deleted.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


  2. JRV 551 Reputation points
    2020-10-21T14:06:48.897+00:00

    @Anonymous, my next site visit is not yet scheduled but I will check. I'd be really surprised if it was set as a default OU but maybe it is. One never knows what one will find in small biz IT.

    @Anonymous, the OU was manually created, and, again, delete protection is NOT enabled.


  3. Anonymous
    2020-10-21T14:10:50.087+00:00

    Sounds good, let us know.

    --please don't forget to Accept as answer if the reply is helpful--


  4. JRV 551 Reputation points
    2020-12-04T20:25:02.31+00:00

    @Anonymous, it only took me 3 months to circle back to this! You were right: The undeletable OU was set as the default Computer OU. I set it back to domain.local\Computers and was able to delete the previously-default OU.

    Thanks!
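
The cause found in this thread (the OU was the domain's default Computer OU) can be checked before attempting the delete. The PowerShell below is an added example, not code from the thread: it assumes the ActiveDirectory module is installed, the function name Get-DefaultContainerRole is hypothetical, and the OU DN is the placeholder from the question. It goes slightly beyond the thread by also checking the default Users container and default containers nested below the OU.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-DefaultContainerRole {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$OrganizationalUnitDN)

    # Well-known GUIDs that mark the domain's default Users and Computers containers.
    $roles = @{
        'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
        'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
    }

    # The redirection is stored in wellKnownObjects on the domain head object.
    $domainDN = (Get-ADDomain).DistinguishedName
    $head = Get-ADObject -Identity $domainDN -Properties wellKnownObjects

    foreach ($entry in $head.wellKnownObjects) {
        # Each value looks like  B:32:<GUID>:<distinguished name>
        $parts = "$entry" -split ':', 4
        if ($parts.Count -ne 4 -or -not $roles.ContainsKey($parts[2])) { continue }

        # Plain string comparison: pass the DN exactly as AD stores it.
        $target = $parts[3]
        $isSame = $target -ieq $OrganizationalUnitDN
        $isBelow = $target.EndsWith(",$OrganizationalUnitDN", [StringComparison]::OrdinalIgnoreCase)
        if ($isSame -or $isBelow) {
            [pscustomobject]@{
                Role        = "Default $($roles[$parts[2]]) container"
                ContainerDN = $target
                Relation    = if ($isSame) { 'is the OU' } else { 'is below the OU' }
            }
        }
    }
}

# Placeholder DN taken from the question; replace with the real OU.
$hits = Get-DefaultContainerRole -OrganizationalUnitDN 'OU=OUName,DC=DOMAIN,DC=LOCAL'
if ($hits) {
    $hits | Format-Table -AutoSize
    # Point the default back first (elevated prompt), then retry the delete, e.g.:
    #   redircmp "CN=Computers,DC=DOMAIN,DC=LOCAL"   (redirusr for the Users default)
} else {
    'OU is not a default Users/Computers container; look elsewhere for the block.'
}
```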

