How do you exercise dual key control over user account deletion in Directory and Resource Administra (NETIQKB3735)

  • 7703735
  • 02-Feb-2007
  • 19-Jun-2007


How do you maintain 'dual key' control over user account deletion in Directory and Resource Administrator?

Directory and Resource Administrator 6.x

Directory and Resource Administrator 7.x


The 'Recycle Bin' feature of Directory and Resource Administrator (DRA) provides the ability to exercise 'dual key' control over user account deletion.  In other words, an Assistant Admin can be delegated the power to delete a user account, which moves the account to the 'Recycle Bin'.  A second Assistant Admin can then permanently delete that user account, removing it from the 'Recycle Bin' and permanently deleting it from Active Directory.

To perform this, Directory and Resource Administrator (DRA) has two separate powers.

  • Delete A User Account - Deletes the user account and places that account in the Recycle Bin.
  • Permanently Delete A User From Recycle Bin -  The power to remove a user from the Recycle Bin thereby permanently deleting that account.

An example of how to implement this 'dual key' protection is as follows:

  1. Launch the DRA MMC logged in as an Assistant Admin with, at minimum, the 'Built-In Security' role and create two 'ActiveViews' with the following specifications:
    • ActiveView One:
      • Include all users in all domains.
      • Grant the Assistant Admin One the 'Delete A User Account' power.
    • ActiveView Two:
      • Create an 'Include' rule to include all users in all domains.
      • Create an 'Exclude' rule to exclude all OU's with name matching * and members that are users.
  2. Grant the Assistant Admin Two the Permanently Delete A User From Recycle Bin power.

Assistant Admin One will be able to delete user accounts while Assistant Admin Two will be able to permanently delete user accounts from the Recycle Bin.


The Recycle Bin is only available for Windows 2000 or later domains. 

Additional Information

Formerly known as NETIQKB3735