Compartir a través de


Removing leaf objects from Active Directory

 

Not recently I had a customer whose migration , one way or another, was being blocked due to leaf objects existing under an AD User entry. They said they couldn't find any script online through Google or Bing that they could "borrow". I'm not really an Active Directory guy but I like scripting so I took a stab at it.

In these scripts the usual suspects you may want to modify include but aren't limited to:

  • Search Root
  • (LDAP)Filters in case you don't want to remove the leaf objects underneath all users
  • User Output

 

The Script using AD Cmdlets

 param
(
    $root = "ou=myTestOU,dc=contoso,dc=com"
)# Import the AD Module
Import-Module ActiveDirectory
# Get all users using a provided searchbase.
$users = Get-ADUser -Filter * -SearchBase $root
# Loop through the users
foreach($user in $users)
{
    # Find all AD objects one level below the user
    $objs = Get-ADObject -Filter * -SearchScope `
    oneLevel -SearchBase $user.DistinguishedName
    
    # Performance a recursive delete to remove those leaf objects
    if($objs)
    {
        Write-Host "Removing leaf objects..."        
        $objs | Remove-ADObject -Recursive
    } 
}

 

 

The Script using direct .NET Framework access

 param
(
    $root = "LDAP://ou=MyTestOU,dc=contoso,dc=com",
    $scope = "subtree",
    $LDAPFilter = "(&(objectcategory=User))"
)# Set up the DirectorySearcher object
$s = New-Object -TypeName System.DirectoryServices.DirectorySearcher
$s.SearchRoot = [adsi]$root
$s.SearchScope = $scope
$s.Filter = $LDAPFilter
# Find all matches
$result = $s.FindAll()
# Enumerate through all matches
foreach ($item in $result)
{
    $entry = $item.GetDirectoryEntry()    
    # Enumerate through the children and delete them
    foreach($obj in $entry.children)
    {
        "Deleting $($obj.DistinguishedName)"
        $leaf = [adsi]"LDAP://$($obj.DistinguishedName)"
        $leaf.psbase.DeleteTree()
    }
}