ADComputer: Ensure=Absent does not recursively remove the computer object, fails with, "can perform the requested operation only on a leaf object."

[kellymenzel]

Details of the scenario you tried and the problem that is occurring

When using Ensure=Absent on ADComputer, if the computer object is not a leaf object, the delete fails.

Verbose logs showing the problem

I'm running this in Ansible so the error message looks different, but should be the same message:

{"changed": false, "domain_controller": " ... ", "module_version": "4.2.0.0", "msg": "The directory service can perform the requested operation only on a leaf object The PowerShell DSC resource '[ADComputer]DirectResourceAccess' with SourceInfo '' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to 
the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.", "reboot_required": false}

Suggested solution to the issue

Add -Recurse to the Remove-ADComputer command in MSFT_ADComputer.psm1. Does this have any undesired effect?

elseif ($Ensure -eq 'Absent' -and $getTargetResourceResult.Ensure -eq 'Present')
{
    # User exists and needs removing
    Write-Verbose -Message (
        $script:localizedData.RemovingComputerAccount -f $ComputerName
    )

    $removeADComputerParameters = Get-ADCommonParameters @PSBoundParameters
    $removeADComputerParameters['Confirm'] = $false

    Remove-ADComputer @removeADComputerParameters **-Recurse** |
        Out-Null
}

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration ADComputer_AddComputerAccount_Config
{
    Import-DscResource -ModuleName ActiveDirectoryDsc

    node localhost
    {
        ADComputer 'CreateEnabled_SQL01'
        {
            ComputerName = 'DEV-K8S02WW-01'
            Ensure = 'Absent'
        }
    }
}

Ansible

- name: Remove Active Directory computer object
  win_dsc:
    resource_name: ADComputer
    module_version: 4.2.0.0
    ComputerName: DEV-K8S02WW-01
    DomainController: "{{ domain_controller }}"
    Ensure: Absent
  loop:
    - dc1.lab.company.com
    - dc1.corp.company.com
  loop_control:
    loop_var: domain_controller

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.771
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.771
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

4.2.0.0

[johlju]

Looks like this would be a great enhancement to the resource. If the computer account has child objects then it could be removed by

$getADComputerParameters = Get-ADCommonParameters @PSBoundParameters
Get-ADComputer @getADComputerParameters | Remove-ADObject -Recursive | Out-Null

But this will also delete objects marked as ProtectedFromAccidentalDeletion so maybe we should opt-in to this by specifying a parameter?

[kellymenzel]

I wondered if it would be better to have to opt-in, perhaps by providing a Force or Recurse parameter on the resource. However, it would only make sense in the context of Ensure=Absent, which I would suspect is not a very common use. Most of the times, people will be using this resource to create or change AD computer object and a Recurse parameter might be confusing. I kind of don't think it is necessary, but it is just my opinion.

[johlju]

You have a point. By adding 'Absent' to the resource you are essentially opting in to remove the account regardless. We could just add to the documentation that by using 'Absent' it will remove any child objects that are connected to the computer account.