Home/ Questions/Q 7873775
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T02:36:40+00:00

I’m building out a decommissioning application that will allow an individual to provide an

  • 0

I’m building out a decommissioning application that will allow an individual to provide an computer name and the utility will go out and purge the computer record from various locations. I’m running into a problem when attempting to delete a computer account from Active Directory. I’m impersonating a service account that only has rights to “Delete All Child Objects” within a particular OU structure. The code below works if I run it with my domain admin account; however fails with an “Access Denied” when I run it with the impersonated service account. I have verified that the permissions are correct within AD as I can launch Active Directory Users and Computers using a “runas” and providing the service account credentials and I can delete computer objects perfectly fine.

Wondering if anyone has run into this before or has a different way to code this while still utilizing my current OU permissions. My gut tells me the “DeleteTree” method is doing more then just deleting the object.

Any assistance would be appreciated. 

Sub Main()
    Dim strAsset As String = "computer9002"
    Dim strADUsername As String = "serviceaccount@domain.com"
    Dim strADPassword As String = "password"
    Dim strADDomainController As String = "domaincontroller.domain.com"

    Dim objDirectoryEntry As New System.DirectoryServices.DirectoryEntry
    Dim objDirectorySearcher As New System.DirectoryServices.DirectorySearcher(objDirectoryEntry)
    Dim Result As System.DirectoryServices.SearchResult
    Dim strLDAPPath As String = ""

    Try
        objDirectoryEntry.Path = "LDAP://" & strADDomainController

        objDirectoryEntry.Username = strADUsername
        objDirectoryEntry.Password = strADPassword

        objDirectorySearcher.SearchScope = DirectoryServices.SearchScope.Subtree
        objDirectorySearcher.Filter = "(&(ObjectClass=Computer)(CN=" & strAsset & "))"

        Dim intRecords As Integer = 0

        For Each Result In objDirectorySearcher.FindAll
            Console.WriteLine(Result.Path)
            Diagnostics.Debug.WriteLine("DN: " & Result.Path)
            Dim objComputer As System.DirectoryServices.DirectoryEntry = Result.GetDirectoryEntry()
            objComputer.DeleteTree()
            objComputer.CommitChanges()
            intRecords += 1
        Next

        If intRecords = 0 Then
            Console.WriteLine("No Hosts Found")
        End If

    Catch e As System.Exception
        Console.WriteLine("RESULT: " & e.Message)
    End Try
End Sub
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you’re on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

    Basically, you can define a domain context and easily find users and/or groups in AD:

    ' set up domain context
Dim ctx As New PrincipalContext(ContextType.Domain, "DOMAIN", strADUsername, strADPassword)

' find a computer
Dim computerToDelete As ComputerPrincipal = ComputerPrincipal.FindByIdentity(ctx, strAsset)

If computerToDelete IsNot Nothing Then
    ' delete the computer, if found
    computerToDelete.Delete()
End If

    The new S.DS.AM makes it really easy to play around with users and groups in AD!

    • 0