When deleting a user (via usrmgr.exe or similar), SAMBA appears to remove the relevant objectclass and some attributes, but it doesn't remove all of them, and this can cause the ldap modification to fail. Specifically:

    [2005/11/02 17:21:17, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(340)
      ldapsam_delete_entry: Could not delete attributes for uid=test,ou=Users,dc=labs,dc=ntrg,dc=com, error: Object class violation (attribute 'displayName' not allowed)

Other objectClasses use displayName (including inetOrgPerson), so I can see why the safe/default behavior would be to leave this alone. But in the absence of those other objectClasses, the attribute is orphaned (as in this case), and the modification fails.

The hard/complex/correct behavior would be to probe the other objectclasses and schema, to see if any other bound objectclasses might be using those attributes. A simpler but less-correct method might be to define another option, such as "delete all attributes", which would cause all of the reused attributes WITH THE EXCEPTION OF UID to be deleted.
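The schema-probing approach described in the report, sketched as an added example (not Samba code and not from the original report). The schema table is a constructed, abbreviated subset, and the names `allowed_attrs`, `plan_removal` and the sample entries are hypothetical.

```python
# Constructed, abbreviated schema subset: class -> (superior, MUST, MAY).
SCHEMA = {
    "top": (None, {"objectClass"}, set()),
    "account": ("top", {"uid"}, {"description", "host"}),
    "posixAccount": ("top",
                     {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos", "description"}),
    "person": ("top", {"sn", "cn"}, {"userPassword", "description"}),
    "organizationalPerson": ("person", set(), {"title", "ou"}),
    "inetOrgPerson": ("organizationalPerson", set(),
                      {"displayName", "mail", "uid"}),
    "sambaSamAccount": ("top", {"uid", "sambaSID"},
                        {"cn", "displayName", "sambaNTPassword",
                         "sambaAcctFlags"}),
}


def allowed_attrs(object_classes, schema=SCHEMA):
    """Union of MUST and MAY over the classes and their superiors (lowercased)."""
    allowed = set()
    for oc in object_classes:
        while oc is not None:
            sup, must, may = schema[oc]
            allowed |= {a.lower() for a in must | may}
            oc = sup
    return allowed


def plan_removal(entry, remove_oc, schema=SCHEMA):
    """Return (orphaned attributes, remaining objectClass values)."""
    remaining = [oc for oc in entry["objectClass"] if oc != remove_oc]
    still_allowed = allowed_attrs(remaining, schema)
    # Attribute names are compared case-insensitively, as LDAP does.
    orphaned = sorted(a for a in entry if a.lower() not in still_allowed)
    return orphaned, remaining


# Constructed entries modelled on the uid=test case from the report.
BASE = {"uid": "test", "cn": "test", "uidNumber": "1001", "gidNumber": "513",
        "homeDirectory": "/home/test", "displayName": "Test User",
        "sambaSID": "S-1-5-21-0-0-0-3002", "sambaNTPassword": "<hash>"}
POSIX_ONLY = dict(BASE, objectClass=["account", "posixAccount", "sambaSamAccount"])
INETORG = dict(BASE, sn="User",
               objectClass=["inetOrgPerson", "posixAccount", "sambaSamAccount"])

if __name__ == "__main__":
    for name, entry in (("posix-only", POSIX_ONLY), ("inetOrgPerson", INETORG)):
        print(name, plan_removal(entry, "sambaSamAccount"))
```

In the first entry displayName is reported as orphaned and must go in the same modification that drops the class; in the second it stays because inetOrgPerson still permits it. uid survives in both without a special case, since the remaining classes allow it.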