You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The AD Computer object should be destroyed from the domain
Actual Behavior
When a Computer object has had a Service Connection Point created as a sub-object, the Remove-ADComputer command fails because it can't execute on a Leaf object. (An object with sub-containers.)
Steps to Reproduce
We are creating Virtual Machines in Azure, we are pre-creating the AD Computer object with this provider for two reasons:
We can create it in a specific OU
(More Importantly) We want to remove the computer object when that VM is destroyed to keep our domain clean
When you create a Virtual Machine in Azure, it Automatically creates a "Windows Virtual Machine" serviceConnectionPoint object as a sub-object of the computer. You can see this by running:
When destroying the computer object that was initially created with the ad_computer resource, it causes the Remove-ADComptuer command to fail:
│ Error: error while deleting a computer object with id "7114a6de-30d2-452d-b749-5cf256e8fab5": Remove-ADComputer exited with a non zero exit code (1), stderr: Remove-ADComputer : The directory service can perform the requested operation only on a leaf objectAt line:4 char:2
│ Remove-ADComputer -confirm:$false -Identity "7114a6de-30d2-452d-b749 ...
Important Factoids
This could be fixed by replacing the Remove-ADComputer command with Remove-ADObject, you can keep the -Identity and -Confirm parameter, but add a -Recursive switch:
These SCPs aren't manually created, it seems useless to try and build a way to pre-create them with the provider to contain them within state. I don't see a downside with changing the command if the intent is to remove that object anyways.
Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
The text was updated successfully, but these errors were encountered:
Adding -recursive flag also deletes child objects that are "protected from accidental deletion". However, if you follow the precedent of how this provider handles other resources that are flagged as delete protected, protections are removed during the destroy. (see the set-adobject example from resource_ad_ou below).
Terraform Version and Provider Version
Terraform v1.2.4
AD Provider v0.4.4
Windows Version
Running from Windows and Linux
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
The AD Computer object should be destroyed from the domain
Actual Behavior
When a Computer object has had a Service Connection Point created as a sub-object, the
Remove-ADComputer
command fails because it can't execute on a Leaf object. (An object with sub-containers.)Steps to Reproduce
We are creating Virtual Machines in Azure, we are pre-creating the AD Computer object with this provider for two reasons:
When you create a Virtual Machine in Azure, it Automatically creates a "Windows Virtual Machine" serviceConnectionPoint object as a sub-object of the computer. You can see this by running:
Get-ADObject -Filter {objectClass -eq "serviceConnectionPoint"} -SearchBase "CN=VM-Name,OU=Servers,DC=exampledomain,DC=local"
When destroying the computer object that was initially created with the
ad_computer
resource, it causes theRemove-ADComptuer
command to fail:Important Factoids
This could be fixed by replacing the Remove-ADComputer command with Remove-ADObject, you can keep the -Identity and -Confirm parameter, but add a -Recursive switch:
Remove-ADObject -Identity {resource.ad_computer.id} -confirm:$false -recursive
These SCPs aren't manually created, it seems useless to try and build a way to pre-create them with the provider to contain them within state. I don't see a downside with changing the command if the intent is to remove that object anyways.
Community Note
The text was updated successfully, but these errors were encountered: