Unable to delete the demoted server object from Active Directory Users and Computers after a successful demotion and metadata cleanup

Today we are going to demonstrate a small workaround that might come in handy if you run into this problem while demoting a domain controller.

After metadata cleanup:


We can see that the server has been demoted; it was previously a Global Catalog (GC) and now it is not:

[screenshot: the demoted server no longer holds the GC role]

After this, we normally delete the server object in AD Sites and Services (dssite.msc) and remove the replication backlink entry for the server object from the global settings under the topology, as shown below:


That was the easy part.

When we come to deleting the computer object from dsa.msc (AD Users and Computers), you will often get this error:


The error clearly states that the object is protected from accidental deletion.

On investigation we found that it was not, as shown below:


As we can clearly see, the object is not protected from accidental deletion.

Investigating further, I found that even when we try to delete the object from ADSIEDIT.MSC, we get one of these errors:




Even after granting full inheritable access to the administrative user, we sometimes still cannot delete the object.


Here we see that my user, Administrator, has full inheritable rights to the object, but we still face the same problem.

In this case, we have to open the properties of the demoted server's computer object (dc2 in this case, via ADSI Edit or the Attribute Editor tab) and look for the attribute isCriticalSystemObject. On a domain controller's computer object it is set to TRUE by default:


The trick lies here: we have to clear this attribute so that it reads <not set>:


Apply the changes, relaunch dsa.msc and try to delete the server object again:


You will get a warning like this:


Click Yes

and the deletion goes through. The server object is removed:
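The same procedure scripted end to end, as an added example for this post (not the author's own script): it refuses to touch anything that still looks like a live domain controller, reports the two protection flags, then clears ProtectedFromAccidentalDeletion and isCriticalSystemObject and deletes the account. It assumes the RSAT ActiveDirectory module and Domain Admin rights; "dc2" and "contoso.com" are placeholder names, and the domain name, server name and -Force switch are assumptions of this example.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory module,
# Domain Admin rights, metadata cleanup already done. "dc2"/"contoso.com" are placeholders.
param(
    [string]$DemotedServer = 'dc2',          # placeholder host name
    [string]$Domain        = 'contoso.com',  # placeholder domain
    [switch]$Force                           # actually modify/delete; otherwise only report
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$cfgNC = (Get-ADRootDSE -Server $Domain).configurationNamingContext

# 1. Safety check: the machine must no longer be registered as a domain controller.
if (Get-ADDomainController -Server $Domain -Filter "Name -eq '$DemotedServer'") {
    throw "$DemotedServer is still a domain controller. Demote it first."
}

# 2. Safety check: metadata cleanup must have removed the NTDS Settings object.
#    The server object under CN=Sites may still exist until you delete it in dssite.msc.
$serverObj = Get-ADObject -Server $Domain -SearchBase "CN=Sites,$cfgNC" -SearchScope Subtree `
    -LDAPFilter "(&(objectClass=server)(cn=$DemotedServer))"
if ($serverObj) {
    $ntds = Get-ADObject -Server $Domain -SearchBase $serverObj.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) {
        throw "NTDS Settings still present under $($serverObj.DistinguishedName); run metadata cleanup first."
    }
    Write-Warning "Server object $($serverObj.DistinguishedName) still exists; delete it in dssite.msc."
}

# 3. Inspect the computer account and the two flags that block deletion.
$props    = 'isCriticalSystemObject', 'ProtectedFromAccidentalDeletion', 'userAccountControl'
$computer = Get-ADComputer -Server $Domain -Identity $DemotedServer -Properties $props

$SERVER_TRUST_ACCOUNT = 0x2000   # userAccountControl bit that marks a DC account
if ($computer.userAccountControl -band $SERVER_TRUST_ACCOUNT) {
    throw "userAccountControl still has SERVER_TRUST_ACCOUNT set; this account still looks like a DC."
}

'{0,-33} {1}' -f 'ProtectedFromAccidentalDeletion:', $computer.ProtectedFromAccidentalDeletion
'{0,-33} {1}' -f 'isCriticalSystemObject:',          $computer.isCriticalSystemObject

if (-not $Force) {
    Write-Host 'Re-run with -Force to clear the flags and delete the object.'
    return
}

# 4. Clear both protections. The first is the ACE-based checkbox seen in dsa.msc;
#    the second is the attribute the post found still set to TRUE.
if ($computer.ProtectedFromAccidentalDeletion) {
    Set-ADObject -Server $Domain -Identity $computer.DistinguishedName -ProtectedFromAccidentalDeletion $false
}
if ($computer.isCriticalSystemObject) {
    Set-ADObject -Server $Domain -Identity $computer.DistinguishedName -Clear 'isCriticalSystemObject'
}

# 5. Delete the account; -Recursive also removes any child objects beneath it.
Remove-ADObject -Server $Domain -Identity $computer.DistinguishedName -Recursive -Confirm:$false
Write-Host "Deleted $($computer.DistinguishedName)"
```

Run it once without -Force to see the flag values and the safety-check results, then with -Force to clear isCriticalSystemObject and delete. The checks in steps 1, 2 and 3 are there because clearing isCriticalSystemObject and deleting a computer account that is still a working DC would be far worse than the original error.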


Hope this was helpful.

Happy learning !!


Comments: 1
  1. Nelson

    Good done MAX…..
