Delete objects from Active Directory Schema?

[ADB100]

I had an application installed that created its own attributes/objects in the Active Directory Schema. This application is not longer installed but all the objects are still in the Schema (quite a lot). How can I remove these? I have tried ADSIEDIT but if I select any of the attributeSchema objects and try to delete them I get a message saying 'The requested delete operation could not be performed'.

How can I do this?

Thanks

Andy

 

[coco10]

hi, try with ntdsutil.exe it come with windows , check de help of this tool.
for more info try this

http://www.petri.co.il/download_free_reskit_tools.htm

sorry my english
hope its help!
coco10

 

[aftertaf]

register the schema snap in...

Gaining Access to the Active Directory Schema MMC Snap-In
By default, the Active Directory Schema MMC snap-in is not listed as an available snap-in. If the Active Directory Schema MMC snap-in is not available, perform the following steps to enable it:
1. Click Start, and then click Run.
2. In the Open box, type regsvr32 schmmgmt.dll, and then click OK.

even though the domain controller is the schema owner, by default you cannot edit the schema. You must enable the The Schema may be modified on this Domain Controller option in the Active Directory Schema MMC snap-in to modify the schema.
RESOLUTION
To resolve this issue, enable schema modification:
1. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
2. When MMC starts, click Add/Remove Snap-in on the Console menu.
3. Click Add.
4. Click Active Directory Schema, click Add, and then click Close.
5. Click OK.
6. Right-click Active Directory Schema, and then click Operations Master.
7. Click The Schema may be modified on this Domain Controller.
8. Click OK.
thx ms website

Aftertaf (david)
MCSA 2003

 

[ADB100]

aftertaf

I have already tried this - you cannot delete anything from the AD Schema Snap-in. You can deactivate classes & attributes but you cannot delete them. It appears this is by design on Microsofts part, but I have seen references to undocumented procedures for deleting classes & attributes?

Thanks

Andy

 

[aftertaf]

The biggest difficulty with Active DIrectory schema is that changes can not be undone."
--hmmm!

have you checked the ACLs on the objects you want to delete to see if the account you use has the right to ?

and, is it worth possibly killing your forest trying to remove these objects??

you can specify to not replicate these objects if you have a large forest with many global catalogs..


Aftertaf (david)
MCSA 2003

 

[ADB100]

aftertaf

This isn't a production environment so if it all goes to rat-sh*t then it's not a big problem. There are about 70 Classes and over 300 Attributes that are defunct. I just want to remove them without having to remove AD and then re-add it.

andy

 

[aftertaf]

hehehe...
break it break it
(beavis n butthead flashback!!)


apparently if you are trying to modify the schema you have to
1. do it on the schema ops master
2. set schema modifs to enabled
3. have the permissions set on the object to let you do the modif.

then, normally you can delete using adsiedit
are you running adsiedit on the schema master?

if Yes to all these, then bugger if i know.. :/
good luck



Aftertaf (david)
MCSA 2003

 

[mlichstein]

Deleting items from the schema is an extremely bad idea. It is not supported at all.

If you have a 2003 forest, you can defunct schema items, which would solve the problem you are having. This functionality does not exist in 2000.

 

[ADB100]

So I neeed to kill off my AD and create another one to clear these out then?

Andy

 

[mlichstein]

Why do you need to remove them?

 

[ADB100]

As I said this is a non-production environment server, the domain had an application server installed that created its own AD Attributes & Classes. These were for testing only and now have no function so I would like them removed; there are about 70 classes and over 300 attributes. I just want to clean up the Schema.......

Andy

 

[mlichstein]

You won't gain anything by removing them, except possibly a broken domain. Since the application isn't installed, the schema extensions aren't going to be used.