Unable to Delete Users with Leaf Objects
Specops Password Policy, Password Reset, and uReset/Specops Authentication all use leaf objects under user accounts for the purposes of storing user specific information — for Password Policy this includes password history and length-based password age information; for Password Reset and uReset/Specops Authentication the leaf object contains user enrollment data.
The advantage of using a leaf object is that it allows us to use Active Directory as the back-end database rather than maintaining a separate database for the information stored here. The leaf objects also allow us to use existing objects/attributes in the default Active Directory schema to store our data rather than making a (permanent) schema extension just for Specops purposes.
The one downside of leaf objects is that they can make operations such as deleting user accounts cumbersome. For example, removing an AD user that has leaf objects via PowerShell produces the following error:
remove-aduser : The directory service can perform the requested operation only on a leaf object
To work around this, use the Remove-ADObject cmdlet instead, which supports a -Recursive parameter that deletes the user together with its child objects, e.g.:
Get-ADUser <username> | Remove-ADObject -Recursive
If you are automating user account removal, you will also likely want to append -Confirm:$false to that line to suppress the confirmation prompt.
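The following PowerShell function puts the steps above together. It is an added example, not code from Specops or this article: it assumes the RSAT ActiveDirectory module is installed, that the caller has rights to delete the user and its child objects, and the account name 'jdoe' is a constructed placeholder. It lists the leaf objects under the account before deleting, and supports -WhatIf so the deletion can be previewed before it is automated.

```powershell
# Added example (not Specops' own code). Assumes the RSAT ActiveDirectory
# module and permission to delete the user and its child objects.
Import-Module ActiveDirectory

function Remove-UserWithLeafObjects {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $SamAccountName
    )

    # Resolve the account; fail early if it does not exist.
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

    # Enumerate child (leaf) objects directly under the user, such as the
    # objects Specops products create for password history / enrollment data.
    $children = Get-ADObject -SearchBase $user.DistinguishedName `
                             -SearchScope OneLevel -Filter *
    foreach ($child in $children) {
        Write-Verbose ("Leaf object: {0} ({1})" -f $child.Name, $child.ObjectClass)
    }

    # Remove-ADUser refuses to delete a non-leaf object; Remove-ADObject
    # -Recursive removes the user and its subtree. ShouldProcess honours
    # -WhatIf / -Confirm passed to this function.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName,
                                "Remove user and $($children.Count) leaf object(s)")) {
        Remove-ADObject -Identity $user.DistinguishedName -Recursive -Confirm:$false
    }
}

# Preview first (nothing is deleted), then run for real.
# 'jdoe' is a constructed placeholder account name.
Remove-UserWithLeafObjects -SamAccountName 'jdoe' -WhatIf -Verbose
# Remove-UserWithLeafObjects -SamAccountName 'jdoe'
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm work on it as they do on built-in cmdlets; the inner Remove-ADObject is given -Confirm:$false so that the caller is prompted once (by the function) rather than once per object.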