3.2.8 Example 8: Delete a User Account

In this example, an administrator deletes a user account. This includes directory objects of class user as well as objects of classes that are derived from the user class. One way to delete a user account is to use the LDAP. To perform this task, an administrator runs a client application on a client computer and targets a directory server in the Active Directory system. The client application uses LDAP to delete the user account.

This example applies only to AD DS.

This example uses LDAP.

This example covers the use case in section, Delete an Account - Client Application.


The general requirements described in section 2.6, Assumptions and Preconditions.

The Active Directory system meets all preconditions described in section

Initial System State


Final System State

The specified user object is successfully converted into a tombstone or deleted-object, depending on whether the Recycle Bin optional feature is enabled, as specified in [MS-ADTS] sections and

Sequence of Events

The following sequence diagram shows the message flow that is associated with this example.

Message flow for deleting a user account

Figure 53: Message flow for deleting a user account

Unless otherwise noted, all responses that include a return code contain a return code that indicates that the operation was performed successfully.

  1. The client application starts and sends an LDAP bind request ([RFC2251] section 4.2) to the directory server with credentials.

  2. The directory server verifies the credentials ([MS-AUTHSOD] section 2) and sends an LDAP bind response ([RFC2251] section 4.2.3) to the client application.

  3. The user interacts with the client application and provides details of the search criteria to be performed on the directory tree. The client application sends an LDAP search request ([RFC2251] section 4.5.1) to the server, querying the entire domain. It starts at the root of the domain, looks for the user ([MS-ADSC] section 2.246), and requests the user's distinguishedName attribute.

  4. The server sends an LDAP search response ([RFC2251] section 4.5.2) that contains the distinguishedName attribute of the user.

  5. The client application sends an LDAP delete request ([RFC2251] section 4.8) to the server that contains the distinguishedName attribute of the user to be deleted.

  6. The server processes the delete request ([RFC2251] section 4.8), verifies the processing rules and constraints, and then deletes the user object ([MS-ADTS] section It then sends an LDAP delete response ([RFC2251] section 4.8) that indicates success.

  7. The client application sends an LDAP unbind request ([RFC2251] section 4.3) to the server. The LDAP connection to the directory server is closed.