Removing Objects from Active Directory

If you no longer want an object to be in Active Directory, you can delete it permanently using the DSRM command. The syntax for DSRM is

dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [{-s Server | -d  Domain}] [-u UserName] [-p {Password | *}] [-c] [-q] [{-uc | -uco |
-uci}] 

The best way to use DSRM is to pass it a specific object to remove. In this example, you delete the engcomp18 computer account from the Eng OU in the cpandl.com domain:

dsrm "CN=engcomp18,OU=Eng,DC=cpandl,DC=com"

By default, DSRM prompts you to confirm the deletion:

Are you sure you wish to delete CN=engcomp18,OU=Eng,DC=cpandl,DC=com 
(Y/N)?

You can disable the prompt using the –noprompt switch, such as in the following example:

dsrm "CN=engcomp18,OU=Eng,DC=cpandl,DC=com" –noprompt 

However, you should only do this when you are absolutely certain that DSRM will delete only the object you expect it to.

DSRM can be used to delete objects in containers or OUs as well as the containers and OUs themselves. If the container or OU is empty, you would delete it by its DN, such as

dsrm "OU=Eng,DC=cpandl,DC=com"

If the container or OU is not empty, it cannot be deleted in this way, however, and DSRM will report:

Failed: The operation cannot be performed because child objects exist. 
This operation can only be performed on a leaf object.

To delete the container and all the objects it contains, you can use the –Subtree parameter. Consider the following example:

dsrm "OU=Eng,DC=cpandl,DC=com" -subtree

Here, you use –Subtree to delete all the objects (regardless of type) from the Eng OU as well as the container itself. To delete all the objects in the container but not the container itself, you can use the –Subtree and –Exclude parameters. Consider the following example:

dsrm "OU=Eng,DC=cpandl,DC=com" -subtree -exclude

Here, you use –Subtree to delete all the objects (regardless of type) from the Eng OU and use the –Exclude parameter to exclude the Eng OU as one of the objects to delete.