Delete Users

Select the Domains and/or Groups whose deleted users will trigger the removal of the matching HelpMaster clients

Delete Domains

AD Root Domain Tombstone Objects

When a user is deleted from Active Directory (AD) the object is not removed straight away. Most of its attributes are stripped, it is flagged isDeleted and it is moved into the hidden Deleted Objects container of the domain, where it is known as a Tombstone object. The tombstone is retained for the forest's tombstone lifetime (60 days by default for forests created before Windows Server 2003 SP1, 180 days for forests created on later versions; the value is the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition) so that every domain controller in your network replicates the deletion before the object is finally garbage-collected and permanently removed from the Active Directory database. If the Active Directory Recycle Bin is enabled, a deleted object keeps its attributes in the same container for the deleted-object lifetime instead, but it is still flagged isDeleted and still lives in the Deleted Objects container. HelpMaster can only match a deleted user against this container while the tombstone still exists.

Granting Read permissions to Tombstone objects

  1. Log on to any domain controller in the target domain with a user account that is a member of the Domain Admins group

  2. From the Start menu search, type cmd, then right-click Command Prompt and select Run as administrator

  3. Input the following command: “dsacls <deleted_object_dn> /takeownership” where <deleted_object_dn> is the distinguished name of the Deleted Objects container in that domain. Taking ownership is needed because, by default, only the System account can read or change the container's permissions. For example:

    dsacls "CN=Deleted Objects,DC=WizbangWidgets,DC=com" /takeownership

  4. To grant permission to view objects in the Deleted Objects container to a user or a group, type the following command: “dsacls <deleted_object_dn> /G <user_or_group>:<permissions>” where <deleted_object_dn> is the distinguished name of the Deleted Objects container, <user_or_group> is the user or group to whom the permission applies, and <permissions> is the set of permission codes to grant (LC = List Contents, RP = Read Property). For example:

    dsacls "CN=Deleted Objects,DC=WizbangWidgets,DC=com" /G WizbangWidgets\svc_HelpMaster:LCRP

In the above example, the HelpMaster service account WizbangWidgets\svc_HelpMaster has been granted List Contents and Read Property permissions on the Deleted Objects container in the WizbangWidgets.com domain. These permissions allow the service account to enumerate and read the contents of the Deleted Objects container, but do not let it create, modify or restore any object in it. LCRP is all the HelpMaster service needs for this scan; do not grant broader rights (for example Write Property or Generic All) to the service account, and do not run the HelpMaster service itself as a Domain Admin.
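The same procedure as a single PowerShell script, with a check at the end that the grant actually works. This is an added example, not a script shipped with HelpMaster: it assumes an elevated PowerShell session on a domain controller running as a Domain Admin, the RSAT ActiveDirectory module, and placeholder domain and account names (WizbangWidgets.com and WizbangWidgets\svc_HelpMaster) that you replace with your own.

```powershell
# Added example (not HelpMaster's own code). Grants a service account read-only
# access to the Deleted Objects container and verifies the grant.
# Assumptions: run elevated on a DC as a Domain Admin; RSAT ActiveDirectory module
# installed; $Domain and $Account are placeholders for your environment.
param(
    [string]$Domain  = 'WizbangWidgets.com',            # placeholder domain
    [string]$Account = 'WizbangWidgets\svc_HelpMaster'  # placeholder service account
)

Import-Module ActiveDirectory

# Derive the container DN from the domain, e.g. CN=Deleted Objects,DC=WizbangWidgets,DC=com
$domainDn  = (Get-ADDomain -Identity $Domain).DistinguishedName
$deletedDn = "CN=Deleted Objects,$domainDn"

# Step 3: take ownership so the ACL can be edited
& dsacls.exe $deletedDn /takeownership | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed on $deletedDn" }

# Step 4: grant List Contents (LC) and Read Property (RP) only; no write rights
& dsacls.exe $deletedDn /G "${Account}:LCRP" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed for $Account" }

# Check 1: the new ACE must now appear when the container's ACL is listed
$ace = (& dsacls.exe $deletedDn) | Select-String -SimpleMatch $Account
if (-not $ace) { throw "No ACE for $Account found on $deletedDn" }
"ACE on ${deletedDn}:"
$ace

# Check 2: authenticate as the service account and enumerate tombstoned users.
# This proves the scan will work without having to wait for the HelpMaster service.
$cred = Get-Credential -Message "Password for $Account" -UserName $Account
$tombstones = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -SearchBase $deletedDn `
    -Properties lastKnownParent, whenChanged -Credential $cred
"{0} tombstoned user object(s) visible to {1}" -f @($tombstones).Count, $Account
$tombstones | Select-Object Name, lastKnownParent, whenChanged | Format-Table -AutoSize
```

The second check is the one that matters: a zero count is normal in a domain where no user has been deleted within the tombstone lifetime, but an access-denied error means the ACE did not take effect (wrong domain, wrong account name, or a group policy re-applying the ACL). Tombstone names carry the original CN followed by "\0ADEL:" and the object GUID, and lastKnownParent shows the OU the user was deleted from.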

Scan the tombstone for these Active Directory Domains

Click the Add button to browse to your AD Domains and select the Domains you wish to scan for tombstone objects. Only root domains are listed, without any OU containers, e.g. …wizbangwidgets.com. Any synchronized HelpMaster user that matches a tombstone object in the selected domains will be removed (deleted) from HelpMaster.

Entra ID Deleted Users Group

For HelpMaster v24.7+ the Entra ID equivalent of the tombstone container is a group called “Deleted Users”. Deleted users are held there for 30 days in a soft-deleted state, during which an administrator can still restore them, after which they are permanently deleted. Additional API permissions are required beyond the standard emailing Azure Microsoft 365 integration configuration: the Group.Read.All and TeamMember.Read.All Application permissions. For further information see Granting Graph API Permissions

Deleted User OU/Group Folders

Another option that is common in Active Directory administration is to simply move the user to an AD OU or Entra ID Group designated as a Deleted Users container. Using this method you do not actually delete the user from AD or Entra ID; you only move the user to a location that is understood to hold inactive users that you wish to remove from HelpMaster. The user account would usually be marked as disabled in Active Directory as well, so that the credentials cannot be used while the account is parked. Moving a user account to a holding Delete OU/Group allows the account to still exist, albeit in an inactive state, so that it may be re-activated at a later time if necessary. The final effect is that when users are moved to this Delete container, the HelpMaster AD service deletes them from the HelpMaster database only; nothing is changed in AD or Entra ID.

Scan specific folders that contain “deleted” users

Click the Add button and browse to any OU/Groups designated as delete OU/Groups. Select these to delete any synchronized HelpMaster clients that are located in these containers. If no specific delete OU or Groups exist, your system administrator needs to create a new OU container and name it something like Delete HelpMaster Users.
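The retire-and-move workflow described above, as an added PowerShell example that is not part of HelpMaster: it disables the account, records where it came from, and moves it into the holding OU that this scan is configured to watch. It assumes the RSAT ActiveDirectory module, a holding OU named "Delete HelpMaster Users" directly under the domain root, and a placeholder SAM account name (jsmith); all three are assumptions you adapt to your environment.

```powershell
# Added example (not HelpMaster's own code). Parks a user in the holding OU so the
# HelpMaster AD service removes the matching client, while the AD account survives
# disabled and can be re-enabled later.
# Assumptions: RSAT ActiveDirectory module; holding OU "Delete HelpMaster Users"
# under the domain root; 'jsmith' is a placeholder account.
Import-Module ActiveDirectory

function Retire-HelpMasterUser {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [string]$HoldingOu = "OU=Delete HelpMaster Users,$((Get-ADDomain).DistinguishedName)"
    )

    # Fail early if the holding OU has not been created yet
    try { Get-ADOrganizationalUnit -Identity $HoldingOu | Out-Null }
    catch { throw "Holding OU '$HoldingOu' does not exist; create it before retiring users" }

    $user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName, Enabled
    if ($user.DistinguishedName -like "*,$HoldingOu") {
        Write-Warning "$SamAccountName is already in the holding OU"
        return $user
    }

    # Keep the original location in the 'info' attribute so the move can be reversed
    Set-ADUser -Identity $user -Replace @{
        info = "Retired $(Get-Date -Format s) from $($user.DistinguishedName)"
    }

    # Disable first so the credentials are unusable even if the move fails
    Disable-ADAccount -Identity $user
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $HoldingOu

    # Return the post-move state for the caller to inspect
    Get-ADUser -Identity $SamAccountName -Properties Enabled, info |
        Select-Object SamAccountName, Enabled, DistinguishedName, info
}

Retire-HelpMasterUser -SamAccountName 'jsmith'
```

The account is disabled before it is moved so that a failed move never leaves a live, logon-capable account outside its intended OU. To re-activate a user, read the original DN back from the info attribute, move the object there with Move-ADObject and run Enable-ADAccount; the next HelpMaster synchronization will then pick the user up again as a normal client.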

See Also

Active Directory profiles

Active Directory service

Deleting entities

Azure Microsoft 365 Integration