It is not uncommon to get an error stating that you have insufficient privileges in Windows, but you may get the following error even when you are an administrator:

You do not have sufficient privileges to delete CN=iPhone$ABCDEFGHIJK...


Note that the object named in the error is a phone, not the user account that you are actually trying to delete. You may also see other object names for various other phone models. We have seen similar errors with phones like:

  • SAMSUNGSMG530T
  • SAMSUNGSMG550T
  • SAMSUNGSMG890
  • SAMSUNGSMG900A
  • SAMSUNGSMG900T
  • SAMSUNGSMG900V
  • SAMSUNGSMG920A
  • SAMSUNGSMG925
  • SAMSUNGSMJ700T
  • SAMSUNGSMN900T
  • SAMSUNGSMN915
  • SAMSUNGSMN920
  • SAMSUNGSMP600
  • SAMSUNGSMT800
  • WindowsMail
  • Android
  • BlackBerry
  • iPad
  • iPhone
  • htcbravo
  • HTC6525LVW
  • HTCOneM8
  • HTCOneM9
  • LGPhone
  • LGTablet
  • MotoDROIDRAZR
  • MotoXT1080
  • Outlook
  • SAMSUNGSGHI747
  • SAMSUNGSGHM919N
  • SAMSUNGSGHT999

The problem is not due to your rights to the user but rather to an object within the user's Active Directory container. In this case the sub-object is an Exchange ActiveSync object for a phone. You must delete this object before you will be able to remove the user account. This must be done using ADSIEDIT, since the Active Directory Users and Computers tool does not give access to these objects. Here is how to clean things up:

1. Run adsiedit.msc  (This may need to be done on a Domain Controller)

2. Navigate to the OU where the user is located and then click on the user

3. Below the user account you should see CN=ExchangeActiveSyncDevices

4. If you select CN=ExchangeActiveSyncDevices in the left panel you will see the phones that have been synced in the middle pane. Select each phone and delete it.

5. If you are unable to delete any of the phones you will need to take ownership of the object(s).  

5a. Right click the phone and click Properties

5b. On the "Properties" dialog box choose the Security tab

5c. Try to give yourself rights. If that fails, follow steps 5d - 5

5d. Click the Advanced button

5e. Select the Owner tab

5f. Find your account, select it and click OK to make yourself the owner

6. You should now be able to delete the phone record in the middle panel

7. Repeat the process for all phone records.

8. Go back to Active Directory Users and Computers and you should be able to delete the user.
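The same cleanup can be scripted. The following is an added example, not part of the original post: it assumes the RSAT ActiveDirectory PowerShell module (which provides the `AD:` drive), and the function name `Remove-UserActiveSyncDevice` and the account name `jdoe` are hypothetical.

```powershell
# Added example; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Remove-UserActiveSyncDevice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [switch]$TakeOwnership   # steps 5a-5f: only used when a delete is refused
    )

    $user = Get-ADUser -Identity $SamAccountName

    # Step 3: the container sits directly below the user object.
    $container = Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(cn=ExchangeActiveSyncDevices)'
    if (-not $container) {
        Write-Verbose "No ExchangeActiveSyncDevices container under $($user.DistinguishedName)"
        return
    }

    # Step 4: each child of the container is one synced phone.
    $devices = Get-ADObject -SearchBase $container.DistinguishedName -SearchScope OneLevel -Filter *

    foreach ($device in $devices) {
        $dn = $device.DistinguishedName
        if (-not $PSCmdlet.ShouldProcess($dn, 'Delete ActiveSync device object')) { continue }
        try {
            Remove-ADObject -Identity $dn -Recursive -Confirm:$false -ErrorAction Stop
        }
        catch {
            if (-not $TakeOwnership) { Write-Warning "Could not delete $dn : $_"; continue }

            # Steps 5d-5f: make the current account the owner, then grant it rights (5c).
            $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
            $acl  = Get-Acl -Path "AD:\$dn"
            $acl.SetOwner($me)
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($me, 'GenericAll', 'Allow')
            $acl.AddAccessRule($rule)
            Set-Acl -Path "AD:\$dn" -AclObject $acl

            # Step 6: retry the delete now that the current account owns the object.
            Remove-ADObject -Identity $dn -Recursive -Confirm:$false -ErrorAction Stop
        }
        $dn   # emit the DN of every device removed, for the change record
    }
}

# Dry run first, then the real run ('jdoe' is a placeholder account name):
# Remove-UserActiveSyncDevice -SamAccountName jdoe -TakeOwnership -WhatIf
# Remove-UserActiveSyncDevice -SamAccountName jdoe -TakeOwnership
```

Running with `-WhatIf` lists the device objects that would be removed without changing anything, and the emitted distinguished names give you a record of what was deleted before you remove the user in step 8.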
