Recipe 15.14. Deleting an Object

Problem

You want to delete an object or container from Active Directory.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. If an entry for the naming context you want to browse is not already displayed, do the following:

    1. Right-click on ADSI Edit in the right pane and click Connect to....

    2. Fill in the information for the naming context, container, or OU where the object you want to delete is contained. Click on the Advanced button if you need to enter alternate credentials.

  3. In the left pane, browse to the object you want to delete.

  4. Right-click on the object and select Delete.

  5. Click Yes to confirm.

Using a command-line interface

Use the following command to delete a single object:

> dsrm "<ObjectDN>"

Use the following command to delete a container and its child objects:

> dsrm "<ObjectDN>" -subtree

Using VBScript

' Bind to the object by its DN, then delete it
strObjectDN = "<ObjectDN>"
set objUser = GetObject("LDAP://" & strObjectDN)
objUser.DeleteObject(0)

Discussion

There is not much difference between deleting a leaf node and deleting a container that has child objects. However, there is a distinction in what is happening in the background.

Deleting an object that has no children can be done with a simple LDAP delete operation. On the other hand, to delete a container and its children, the tree delete LDAP control has to be used. If you were to do the deletion from an LDAP-based tool like LDP, you would first need to enable the Subtree Delete control, which has an OID of 1.2.840.113556.1.4.805. LDP provides another option to do a Recursive Delete from the client side. That will essentially iterate through all the objects in the container, deleting them one by one. The Subtree Delete is more efficient, especially when dealing with large containers.

Using a graphical user interface

If the parent container of the object you want to delete has a lot of objects in it, you may want to add a new connection entry for the DN of the object you want to delete. This may save you time searching through the list of objects in the container and could help avoid accidental deletions. You can do this by right-clicking ADSI Edit and selecting Connect to.... Under Connection Point, select Distinguished Name and enter the DN of the object you want to delete.

Using a command-line interface

The dsrm utility can be used to delete any type of object (unlike dsadd and dsmod, it has no limitations based on object type). The only required parameter is the DN of the object to delete. You can also specify -noprompt to keep it from asking for confirmation before deleting. The -s parameter can also be used to target a specific server.

Using VBScript

Using the DeleteObject method is straightforward. Passing 0 as a parameter is required but does not have any significance at present.

An alternate and perhaps safer way to delete objects is to use the IADsContainer::Delete method. To use this method, you must first bind to the parent container of the object. You can then call Delete by passing the object class and RDN of the object you want to delete. Here is an example for deleting a user object:

' Bind to the parent container, then delete the child by class and RDN
set objCont = GetObject("LDAP://ou=Sales,dc=rallencorp,dc=com")
objCont.Delete "user", "cn=rallen"

Delete is safer than DeleteObject because you have to be more explicit about what you are deleting. With DeleteObject you only need to specify a distinguished name, and whatever object that name refers to is deleted. If you mistype the DN, or if a web page that uses this method is given mistyped user input, the result could be disastrous.
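
As an added example (not from the book), the PowerShell function below applies the same reasoning to caller-supplied input: it binds to the parent container, checks the shape of the RDN and the class the directory actually reports, refuses to remove a non-empty container unless told to, and supports -WhatIf. The function name, its parameters, and the conservative RDN pattern are assumptions made for illustration.

```powershell
# Added example (not from the book). Function and parameter names are hypothetical.
function Remove-DirectoryObjectGuarded {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$ParentDN,     # container to bind to
        [Parameter(Mandatory = $true)][string]$ObjectClass,  # e.g. user, group
        [Parameter(Mandatory = $true)][string]$RDN,          # e.g. cn=rallen
        [switch]$Subtree                                      # allow deleting children
    )

    # Conservative check (assumed pattern): one attr=value pair with no DN or path
    # separators, so caller-supplied text cannot name an object outside $ParentDN.
    if ($RDN -notmatch '^[A-Za-z][A-Za-z0-9-]*=[^,+/\\]+$') {
        throw "Rejected RDN '$RDN': expected a single attr=value pair."
    }

    $parent = [ADSI]"LDAP://$ParentDN"

    # Find() throws if no child with this name exists under the parent.
    $child = $parent.psbase.Children.Find($RDN, $ObjectClass)

    # Compare the class the directory reports with the class the caller claimed.
    $actual = $child.psbase.SchemaClassName
    if ($actual -ne $ObjectClass) {
        throw "Class mismatch for '$RDN': expected $ObjectClass, found $actual."
    }

    # Stop at the first child; we only need to know whether any exist.
    $hasChildren = $false
    foreach ($c in $child.psbase.Children) { $hasChildren = $true; break }
    if ($hasChildren -and -not $Subtree) {
        throw "'$RDN' has child objects; pass -Subtree to delete them as well."
    }

    $target = "$RDN,$ParentDN"
    if ($PSCmdlet.ShouldProcess($target, "Delete $ObjectClass")) {
        if ($hasChildren) {
            $child.psbase.DeleteTree()            # removes the entry and its children
        } else {
            $parent.Delete($ObjectClass, $RDN)    # IADsContainer::Delete, the safer method
        }
    }
}

# Dry run against the recipe's sample OU; -WhatIf reports the target without deleting.
Remove-DirectoryObjectGuarded -ParentDN 'ou=Sales,dc=rallencorp,dc=com' -ObjectClass user -RDN 'cn=rallen' -WhatIf
```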

See Also

MS KB 258310 (Viewing Deleted Objects in Active Directory), MSDN: IADsContainer::Delete, and MSDN: IADsDeleteOps::DeleteObject



Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen