Deleting Specops Password Users
(Last updated on February 7, 2020)
Specops Password Reset and Specops Password Policy both use leaf objects in AD to store critical information. For Specops Password Reset (SPR), the enrollment data is stored as an object subordinate to the user in the directory. In Specops Password Policy (SPP), if you choose to enable ‘remembered’ passwords, the password history is stored in a locked-down leaf that is also subordinate to the user.
When you try to delete the user you will typically get an error. In PowerShell, Remove-ADUser is the logical choice. Unfortunately it won’t work. Remove-ADUser will throw an error that it can only be used on a ‘leaf’ object. That means only an object at the end of the tree, with nothing beneath it, can be removed this way; a user that has subordinate objects cannot. Fortunately the AD team ROCKS and has provided a great way to do this. Remove-ADObject has a recursive switch that allows you to delete an object along with its subordinate objects.
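The recursive delete described above, as an added example that is not from the original post or from Specops. The function name `Remove-ADUserWithChildren` and the account name `jdoe` are hypothetical. It lists what sits beneath the user before deleting, so the subordinate objects being removed are visible first.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post); function name and 'jdoe' are hypothetical.

function Remove-ADUserWithChildren {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # sAMAccountName, distinguished name, GUID or SID
    )

    # Resolve the user first so a typo fails here, not during the delete.
    $user = Get-ADUser -Identity $Identity -ErrorAction Stop

    # Enumerate everything beneath the user at any depth, excluding the user itself.
    # Locked-down children may not be readable by the account running this,
    # so the list can be shorter than what the recursive delete removes.
    $children = @(
        Get-ADObject -SearchBase $user.DistinguishedName -SearchScope Subtree -Filter * |
            Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    )

    foreach ($child in $children) {
        Write-Verbose ("Subordinate object: {0} [{1}]" -f $child.DistinguishedName, $child.ObjectClass)
    }

    $target = "{0} and {1} visible subordinate object(s)" -f $user.DistinguishedName, $children.Count
    if ($PSCmdlet.ShouldProcess($target, 'Remove-ADObject -Recursive')) {
        # Remove-ADUser refuses non-leaf objects; Remove-ADObject -Recursive
        # deletes the user together with its whole subtree.
        Remove-ADObject -Identity $user.DistinguishedName -Recursive -Confirm:$false -ErrorAction Stop
    }
}

# Dry run: shows the subordinate objects and the target without deleting anything.
Remove-ADUserWithChildren -Identity 'jdoe' -WhatIf -Verbose
```

Drop `-WhatIf` to perform the deletion; the function then prompts for confirmation because of `ConfirmImpact = 'High'`.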
Some of you may be aware of a utility you have as part of the SP* admin tools. spObjMgr.exe is used to perform this exact task and was around long before the AD cmdlets. I recently wrote up a post related to spObjMgr.exe. I’m most likely using the PowerShell stuff from here out.
Want to see?
I put up a video walking through this. Watch the video for some additional tips.