Recipe 5.5 Deleting an OU

5.5.1 Problem

You want to delete an OU and all objects in it.

5.5.2 Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, browse to the OU you want to delete, right-click on it, and select Delete.

  4. Click Yes.

  5. If the OU contains child objects, you will be asked for confirmation again before deleting it. Click Yes.

Using a command-line interface

To delete an OU and all objects contained within, use the -subtree option with the dsrm command. If you don't use -subtree and the object you are trying to delete has child objects, the deletion will fail.

> dsrm "<OrgUnitDN>" -subtree

Using VBScript

' This code deletes an OU and all child objects of the OU.
' IADsDeleteOps::DeleteObject(0) issues the delete with the
' Tree Delete control, so the whole subtree goes in one operation.
set objOU = GetObject("LDAP://<OrgUnitDN>")
objOU.DeleteObject(0)
WScript.Echo "Successfully deleted OU and its contents"

5.5.3 Discussion

Deleting an OU that contains no objects is just like deleting any other type of object. Deleting an OU that contains objects requires a special type of delete operation: the "Tree Delete" LDAP control (OID 1.2.840.113556.1.4.805) must be attached to the delete request by the application or script to tell AD to remove everything contained in the OU along with the OU itself. Without it, the server refuses to delete a non-leaf object. All three solutions here use the control "under the covers" (dsrm -subtree and IADsDeleteOps::DeleteObject both add it for you), but if you perform the operation with a generic LDAP client such as LDP, you must enable the control yourself before sending the delete.
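The following PowerShell script is an added example, not code from the book, that shows the LDAP-level mechanism the discussion describes: it enumerates everything under the OU first (so you can see what a tree delete will destroy), then sends a single DeleteRequest carrying the Tree Delete control through the .NET System.DirectoryServices.Protocols classes. The server name dc01.example.com, the OU DN OU=Lab,DC=example,DC=com, the page size and the function names are assumptions for illustration; it requires Windows PowerShell 5.1 or later on a domain-joined host and an account with Delete Subtree rights on the OU. One caveat the book predates: on Windows Server 2008 and later, OUs created in the console are by default protected from accidental deletion (a Deny ACE for Delete and Delete Subtree granted to Everyone), so the tree delete, dsrm -subtree and the VBScript above all fail with an insufficient-rights error until that protection is cleared.

```powershell
# Added example (not from the book): delete an OU and everything beneath it by
# sending an LDAP DeleteRequest carrying the Tree Delete control
# (OID 1.2.840.113556.1.4.805) through System.DirectoryServices.Protocols.
# Requires Windows PowerShell 5.1 or later on a domain-joined host; the server
# name and OU DN used in the usage lines below are assumed placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-OUSubtreeDNs {
    # List every object under $OuDN (the OU itself included), paged so that
    # OUs larger than the server's MaxPageSize (1000 by default) are still
    # fully enumerated. Serves as the dry run before the destructive delete.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][string]$OuDN
    )
    $dns = [System.Collections.Generic.List[string]]::new()
    $search = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $OuDN, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@('distinguishedName'))
    $page = [System.DirectoryServices.Protocols.PageResultRequestControl]::new(500)  # assumed page size
    $search.Controls.Add($page) | Out-Null
    do {
        $resp = $Connection.SendRequest($search)
        foreach ($entry in $resp.Entries) { $dns.Add($entry.DistinguishedName) }
        $pageResp = $resp.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $page.Cookie = $pageResp.Cookie   # empty cookie means last page
    } while ($pageResp.Cookie.Length -gt 0)
    return $dns
}

function Remove-OUSubtree {
    # Delete $OuDN and its whole subtree in one server-side operation.
    # Supports -WhatIf / -Confirm so the enumeration can be reviewed first.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$OuDN
    )
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # integrity-protect the LDAP session
    $conn.SessionOptions.Sealing = $true   # and encrypt it
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()                           # binds as the current user (Kerberos)
    try {
        $victims = Get-OUSubtreeDNs -Connection $conn -OuDN $OuDN
        Write-Host ("{0} object(s) will be deleted under {1}:" -f $victims.Count, $OuDN)
        $victims | ForEach-Object { Write-Host "  $_" }

        if (-not $PSCmdlet.ShouldProcess($OuDN, "Tree-delete $($victims.Count) object(s)")) { return }

        $del = [System.DirectoryServices.Protocols.DeleteRequest]::new($OuDN)
        # Without this control a non-empty OU is refused with ResultCode
        # NotAllowedOnNonLeaf (66), the LDAP-level equivalent of running
        # dsrm without -subtree.
        $del.Controls.Add([System.DirectoryServices.Protocols.TreeDeleteControl]::new()) | Out-Null
        try {
            $resp = $conn.SendRequest($del)
            Write-Host "Deleted $OuDN ($($resp.ResultCode))"
        } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
            # Typical causes: InsufficientAccessRights (the OU carries the
            # "Protect object from accidental deletion" deny ACE, or the caller
            # lacks Delete Subtree) or NotAllowedOnNonLeaf if the control was
            # not honoured.
            $code = $_.Exception.Response.ResultCode
            Write-Error "Tree delete of $OuDN failed: $code - $($_.Exception.Message)"
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage (assumed names): show what would go, then do it after confirmation.
# Remove-OUSubtree -Server 'dc01.example.com' -OuDN 'OU=Lab,DC=example,DC=com' -WhatIf
# Remove-OUSubtree -Server 'dc01.example.com' -OuDN 'OU=Lab,DC=example,DC=com'
```

Run it with -WhatIf first: the enumeration is the only safety net, because once the server accepts the request with the Tree Delete control it removes the entire subtree without any further per-object confirmation.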

5.5.4 See Also

Recipe 4.3 for using LDAP controls and MSDN: IADsDeleteOps::DeleteObject
