Directory Services

Access Control and Object Deletion

Active Directory allows you to delete an object if you have either of the following access rights: DELETE access on the object itself, or DELETE_CHILD access on the object's parent.

Be aware that the system verifies the security descriptor for both the object and its parent before denying the deletion. This means that an ACE that explicitly denies DELETE access to a user has no effect if the user has DELETE_CHILD access on the parent. Similarly, an ACE that denies DELETE_CHILD access on the parent can be overridden if DELETE access is allowed on the object itself.

To perform a tree-delete operation, for example using the IADsDeleteOps::DeleteObject method, you must have ADS_RIGHT_DS_DELETE_TREE access to the object. If you have this access right, you can delete the object and any child objects regardless of the protections on the child objects. To delete a tree if you do not have ADS_RIGHT_DS_DELETE_TREE access, you must recursively traverse the tree, deleting each object individually. In this case, you must have the necessary DELETE or DELETE_CHILD access for each object in the tree.
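The check described above (DELETE on the object or DELETE_CHILD on its parent, plus DELETE_TREE for a tree delete) can be audited from the AD: drive. The following PowerShell helper is an added example, not part of the original page; it assumes the ActiveDirectory module is installed, that the caller supplies every SID in the principal's token (group expansion is deliberately left to the caller), and the function and parameter names are hypothetical. It evaluates each ACL with plain deny-wins semantics and ignores object-type scoping on ACEs, which is a simplification of the real access check.

```powershell
# Added audit helper (not from the documentation page): report which of the two
# deletion paths an account holds on an object, and whether a tree delete is possible.
# Assumes the ActiveDirectory module and its AD: drive are available.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-AdDeleteRight {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Every SID in the principal's access token (user SID plus group SIDs).
        # Assumption: the caller expands nested group membership before calling.
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier[]] $TokenSids
    )

    # Parent DN is the object DN with its first RDN removed.
    # Assumption: the RDN contains no escaped commas.
    $parentDn = $DistinguishedName -replace '^[^,]+,', ''

    $objectAcl = Get-Acl -Path "AD:\$DistinguishedName"
    $parentAcl = Get-Acl -Path "AD:\$parentDn"

    # Evaluate one ACL for one right. Any applicable Deny ACE wins over Allow ACEs,
    # which matches canonical ACE ordering (denies precede allows). Generic rights
    # such as GenericAll still match because -band tests the specific bit.
    # Simplification: object-type-scoped ACEs are treated like ordinary ACEs.
    function Test-Right {
        param($Acl, [System.DirectoryServices.ActiveDirectoryRights] $Right)
        $allowed = $false
        foreach ($ace in $Acl.Access) {
            if (($ace.ActiveDirectoryRights -band $Right) -ne $Right) { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch {
                continue   # unresolvable trustee; cannot apply to this token
            }
            if ($TokenSids -notcontains $sid) { continue }
            if ($ace.AccessControlType -eq 'Deny') { return $false }
            $allowed = $true
        }
        return $allowed
    }

    $deleteOnObject      = Test-Right $objectAcl ([System.DirectoryServices.ActiveDirectoryRights]::Delete)
    $deleteChildOnParent = Test-Right $parentAcl ([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)
    $deleteTreeOnObject  = Test-Right $objectAcl ([System.DirectoryServices.ActiveDirectoryRights]::DeleteTree)

    # As the page states, either path is sufficient: a Deny of DELETE on the object
    # does not block deletion when DELETE_CHILD is allowed on the parent, and vice versa.
    [pscustomobject]@{
        Object              = $DistinguishedName
        DeleteOnObject      = $deleteOnObject
        DeleteChildOnParent = $deleteChildOnParent
        CanDelete           = ($deleteOnObject -or $deleteChildOnParent)
        CanTreeDelete       = $deleteTreeOnObject
    }
}

# Usage (placeholder names): build the token SIDs from the user's own SID and its
# direct group memberships, then audit a target object.
$account = Get-ADUser -Identity 'alice'
$sids = @([System.Security.Principal.SecurityIdentifier] $account.SID) +
        (Get-ADPrincipalGroupMembership -Identity $account |
            ForEach-Object { [System.Security.Principal.SecurityIdentifier] $_.SID })
Test-AdDeleteRight -DistinguishedName 'CN=WS01,OU=Workstations,DC=example,DC=com' -TokenSids $sids
```

When reviewing an explicit Deny of DELETE on a sensitive object, check the parent's DELETE_CHILD grants in the same pass; the result object makes it visible when a deny on one path is neutralised by an allow on the other. Note that Get-ADPrincipalGroupMembership returns direct memberships only, so nested groups must be expanded separately for a complete token.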