Access Control and Object Deletion

Active Directory Domain Services allows you to delete an object if you hold either of the following access rights:

  • DELETE (ADS_RIGHT_DELETE) access on the object itself
  • ADS_RIGHT_DS_DELETE_CHILD access for that object class on the parent container

Be aware that the system checks the security descriptors of both the object and its parent before it denies the deletion, and the deletion succeeds if either check passes. This means that an ACE that explicitly denies DELETE access to a user has no effect if the user has DELETE_CHILD access for that object class on the parent. Similarly, an ACE that denies DELETE_CHILD access on the parent is overridden if DELETE access is allowed on the object itself. To reliably prevent a user from deleting an object, you must therefore withhold or deny both rights, not just one of them.

To perform a tree-delete operation, for example by using the IADsDeleteOps::DeleteObject method, you must have ADS_RIGHT_DS_DELETE_TREE access to the object. If you have this access right, you can delete the object and all of its child objects regardless of the protections on the child objects. If you do not have ADS_RIGHT_DS_DELETE_TREE access, you must instead traverse the tree recursively and delete each object individually, deleting children before their parents. In this case, you must have the necessary DELETE or DELETE_CHILD access for every object in the tree, and the operation stops at the first object you cannot delete.

Warning

A user who holds ADS_RIGHT_DS_DELETE_TREE access on an object can delete the entire subtree beneath it, including child objects that the user could not delete individually. For this reason, consider revoking the "Delete Subtree" permission for all users on parent containers and granting it only where it is actually needed.
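The following is an added example, not code from the Microsoft ADSI documentation: a small Python model of the decision rules described above. It shows that a deny ACE on the object is overridden by DELETE_CHILD on the parent (and vice versa), that DELETE_TREE alone is enough for a tree delete, what a client without DELETE_TREE has to do instead, and a simple audit for the warning above. The Ace and DsObject classes, the sample tree under OU=Staff and the trustee names (helpdesk, ou-admin, cleanup) are constructed for this example; the access-right constants carry the real ADS_RIGHTS_ENUM values.

```python
"""Model of AD DS delete-permission evaluation (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Optional

# Access-right bits from the ADSI ADS_RIGHTS_ENUM (these are the real values).
ADS_RIGHT_DELETE = 0x00010000
ADS_RIGHT_DS_DELETE_CHILD = 0x00000002
ADS_RIGHT_DS_DELETE_TREE = 0x00000040


@dataclass
class Ace:
    trustee: str
    allow: bool                      # False models an access-denied ACE
    mask: int
    # Object-specific ACEs are scoped to one child class (the objectType GUID
    # in a real ACE). None means the ACE applies to every class.
    object_type: Optional[str] = None


@dataclass
class DsObject:
    dn: str
    object_class: str
    acl: list = field(default_factory=list)
    children: list = field(default_factory=list)


def _has_right(acl, trustee, right, object_type=None):
    """Evaluate one DACL on its own. With canonical ACE ordering an applicable
    deny ACE wins over any allow ACE for the same right."""
    applicable = [
        ace for ace in acl
        if ace.trustee == trustee and ace.mask & right
        and ace.object_type in (None, object_type)
    ]
    if any(not ace.allow for ace in applicable):
        return False
    return any(ace.allow for ace in applicable)


def can_delete(obj, parent, trustee):
    """The rule from the text: DELETE on the object itself, or DELETE_CHILD for
    the object's class on the parent. Either one suffices, so a deny ACE on one
    descriptor cannot block an allow ACE on the other."""
    if _has_right(obj.acl, trustee, ADS_RIGHT_DELETE):
        return True
    return parent is not None and _has_right(
        parent.acl, trustee, ADS_RIGHT_DS_DELETE_CHILD, obj.object_class)


def can_delete_tree(obj, trustee):
    """What IADsDeleteOps::DeleteObject needs: DELETE_TREE on the object.
    The children's own protections are not consulted."""
    return _has_right(obj.acl, trustee, ADS_RIGHT_DS_DELETE_TREE)


def recursive_delete_order(obj, parent, trustee):
    """The fallback without DELETE_TREE: delete leaf-first, needing DELETE or
    DELETE_CHILD for every object. Returns (order, blocker): the DNs in the
    order they would be deleted, and the DN of the first object the trustee
    cannot delete (None when the whole subtree is deletable)."""
    order = []

    def walk(node, node_parent):
        for child in node.children:      # children must go before the parent
            blocker = walk(child, node)
            if blocker is not None:
                return blocker
        if not can_delete(node, node_parent, trustee):
            return node.dn
        order.append(node.dn)
        return None

    return order, walk(obj, parent)


def delete_tree_grants(root):
    """Audit for the warning above: every (dn, trustee) pair that effectively
    holds DELETE_TREE anywhere in the subtree."""
    found = set()
    for ace in root.acl:
        if (ace.allow and ace.mask & ADS_RIGHT_DS_DELETE_TREE
                and _has_right(root.acl, ace.trustee, ADS_RIGHT_DS_DELETE_TREE)):
            found.add((root.dn, ace.trustee))
    for child in root.children:
        found.update(delete_tree_grants(child))
    return sorted(found)


def build_sample_tree():
    """Constructed sample data: OU=Staff holding a user and a nested OU.
    The trustee names are placeholders, not real principals."""
    ou = DsObject("OU=Staff,DC=example,DC=com", "organizationalUnit", acl=[
        Ace("helpdesk", True, ADS_RIGHT_DS_DELETE_CHILD, object_type="user"),
        Ace("helpdesk", False, ADS_RIGHT_DS_DELETE_CHILD,
            object_type="organizationalUnit"),
        Ace("helpdesk", False, ADS_RIGHT_DS_DELETE_TREE),
        Ace("ou-admin", True, ADS_RIGHT_DS_DELETE_TREE),
        Ace("cleanup", True, ADS_RIGHT_DELETE | ADS_RIGHT_DS_DELETE_CHILD),
    ])
    alice = DsObject("CN=alice,OU=Staff,DC=example,DC=com", "user", acl=[
        Ace("helpdesk", False, ADS_RIGHT_DELETE),  # explicit deny on the object
    ])
    sub = DsObject("OU=Contractors,OU=Staff,DC=example,DC=com",
                   "organizationalUnit", acl=[
                       Ace("helpdesk", True, ADS_RIGHT_DELETE),
                       Ace("cleanup", True, ADS_RIGHT_DS_DELETE_CHILD),
                   ])
    bob = DsObject("CN=bob,OU=Contractors,OU=Staff,DC=example,DC=com", "user")
    sub.children.append(bob)
    ou.children.extend([alice, sub])
    return ou


if __name__ == "__main__":
    ou = build_sample_tree()
    alice, sub = ou.children
    print("helpdesk deletes alice despite deny ACE:", can_delete(alice, ou, "helpdesk"))
    print("helpdesk deletes Contractors despite parent deny:", can_delete(sub, ou, "helpdesk"))
    print("helpdesk recursive delete:", recursive_delete_order(ou, None, "helpdesk"))
    print("cleanup recursive delete:", recursive_delete_order(ou, None, "cleanup"))
    print("ou-admin tree delete allowed:", can_delete_tree(ou, "ou-admin"))
    print("DELETE_TREE grants:", delete_tree_grants(ou))
```

Note the contrast between the trustees: helpdesk can delete alice even though the user object carries an explicit deny, but its recursive delete of OU=Staff stops at CN=bob; ou-admin cannot delete any single object in the OU yet can remove the whole subtree in one tree-delete call, which is exactly what the warning is about.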