I'm having a strange problem with an account: when FIM tries to delete it, the AD MA reports the error "The directory service can perform the requested operation only on a leaf object."
If I check the account in AD, I see that it has indeed a child object, of type msExchActiveSyncDevice. However, the account used by the AD MA has full control over the users' OU and descendant objects, so it should be able to delete that as well. If I check the permissions on that object explicitly, I see that the AD MA account *has* full control over it, and I see nothing particular about the permissions for this object (e.g. a deny permission somewhere).
It's the first time that I see this error, so I would guess that the best approach will be to assume that something has gone bananas with that object, delete it manually and forget about it, but if someone has some insights it would be great...
Cheers,
Paolo
Paolo Tedesco - http://cern.ch/idm