A large number of Privileged Account requests (about 12,200) remained after the requests themselves had expired, so the customer tried to delete them manually through the GUI. Some of the deletions failed, and the Manage Privileged Account Requests page reported the following error when deleting a request:
Error deleting: Privileged Account Exception Obj:account id:8952, user id:CN=account01,OU=Users,OU=dept,DC=server,DC=local, start date:Wed Aug 30 00:00:00 JST 2017, valid until:Wed Sep 13 14:00:00 JST 2017, approver id:CN=Approver01,OU=Users,OU=dept,DC=server,DC=local, approver comment:, justification:xxxx, account name:account01, account endpoint:Endpoint01, account endpoint type:SSH Device, user name:account01, valid form:30/08/2017 24:00:00, request time:29/08/2017 05:04:24, approval time:30/08/2017 24:01:03, endpoint type:SSH Device, endpoint name: [facility=4 severity=2 reason=0 status=38 message=No items found]
Cause
The error occurs when the Active Directory user who submitted the request (the requester) has since been deleted. When a request is deleted, PIM looks up the requester through LDAP; because the user no longer exists, the lookup returns "No items found" and the request record cannot be deleted through the GUI.
Environment
OS: Windows 2012
Product: CA Privileged Identity Manager r12.8 CF2 or later for SAM
CDB: MS SQL Server 2012
User store: Active Directory
Resolution
Delete the affected requests with direct SQL statements, following the steps below.
Note: back up the data before running these steps so that it can be restored if needed. A direct database update bypasses the application's own checks, so verify the row count in step 3 before running the update in step 4.
1. Connect to the ENTM database.
2. Back up the PRIVILEGED_ACC_EXCEPTION table (in case the original rows need to be referred to later).
3. Run the query below to fetch the records associated with the deleted users, supplying the list of user IDs. Confirm that the number of rows returned matches the requests you intend to remove.
select * from [ACENTMDB].[dbo].[PRIVILEGED_ACC_EXCEPTION] WHERE ("IS_DELETED"<> 'true' OR "IS_DELETED" IS NULL) AND convert(datetime, VALID_UNTIL, 105) < GETUTCDATE() AND USER_FRIENDLY_NAME in ('USERID1', 'USERID2', 'USERID3');
4. Run the query below to set the IS_DELETED flag to true for the same rows, supplying the same list of deleted user IDs. The WHERE clause is identical to the one in step 3, so the update affects exactly the rows you reviewed. Note that CONVERT style 105 expects VALID_UNTIL in dd-mm-yyyy form; if the column is stored in a different format in your database, adjust the style number before running either query.
update [ACENTMDB].[dbo].[PRIVILEGED_ACC_EXCEPTION] set IS_DELETED ='true' WHERE ("IS_DELETED"<> 'true' OR "IS_DELETED" IS NULL) AND convert(datetime, VALID_UNTIL, 105) < GETUTCDATE() AND USER_FRIENDLY_NAME in ('USERID1', 'USERID2', 'USERID3');
5. Navigate to the Manage Privileged Account Requests page. The affected requests no longer appear on this page.
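The following script is an added example, not part of the original article or of the product. It carries out steps 2 to 4 as a single T-SQL script: it copies the table, counts the candidate rows, and then runs the update inside a transaction whose OUTPUT clause returns the rows it changed, committing only if the number of updated rows equals the number counted. The database and table names are taken from the queries above; the backup table name (with its date suffix) and the user IDs 'USERID1', 'USERID2', 'USERID3' are placeholders to replace with your own values.

```sql
-- Added example, not from the original article: steps 2 to 4 of the resolution
-- as one script with a table backup, a pre-count, and a transactional update
-- whose OUTPUT clause returns exactly the rows it changed.
-- Assumptions: database and table names as in the article; the backup table
-- name (date suffix) and the user IDs 'USERID1'.. are placeholders to replace.
USE [ACENTMDB];

-- Step 2: copy the whole table before touching it (adjust the date suffix).
SELECT * INTO [dbo].[PRIVILEGED_ACC_EXCEPTION_BAK_20170913]
FROM [dbo].[PRIVILEGED_ACC_EXCEPTION];

BEGIN TRANSACTION;

-- Step 3: count the candidate rows under the same predicate the update uses.
-- Compare this number with what the GUI listed before going further.
DECLARE @Expected INT, @Updated INT;
SELECT @Expected = COUNT(*)
FROM [dbo].[PRIVILEGED_ACC_EXCEPTION]
WHERE ([IS_DELETED] <> 'true' OR [IS_DELETED] IS NULL)
  AND CONVERT(datetime, [VALID_UNTIL], 105) < GETUTCDATE()
  AND [USER_FRIENDLY_NAME] IN ('USERID1', 'USERID2', 'USERID3');

-- Step 4: soft-delete the rows. OUTPUT returns the pre-update values of every
-- row that changed, which is the record to keep with the change ticket.
UPDATE [dbo].[PRIVILEGED_ACC_EXCEPTION]
SET [IS_DELETED] = 'true'
OUTPUT deleted.[USER_FRIENDLY_NAME], deleted.[VALID_UNTIL], deleted.[IS_DELETED]
WHERE ([IS_DELETED] <> 'true' OR [IS_DELETED] IS NULL)
  AND CONVERT(datetime, [VALID_UNTIL], 105) < GETUTCDATE()
  AND [USER_FRIENDLY_NAME] IN ('USERID1', 'USERID2', 'USERID3');
SET @Updated = @@ROWCOUNT;

-- Commit only if the update touched exactly the rows counted above;
-- otherwise roll back and investigate before retrying.
IF @Updated = @Expected
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Committed: ' + CAST(@Updated AS varchar(10)) + ' request(s) marked deleted';
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Rolled back: expected ' + CAST(@Expected AS varchar(10))
        + ' rows but the update affected ' + CAST(@Updated AS varchar(10));
END;
```

Run the script from SQL Server Management Studio or sqlcmd against the ENTM database. The result set produced by the OUTPUT clause is the list of requests that were marked deleted; save it together with the backup table so the change can be reviewed or reversed later.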