When trying to delete an LDAP group, PAM gives the following error.
Error: PAM-UI-2404: Error deleting group. A user in the user group CN=PAM Admins,CN=Users,DC=testdomain,DC=com could not be deleted, so the group was not deleted. See session logs for details
In the session logs, the following error is seen.
PAM-CMN-1578: Unexpected result from deleting user group
Looking at the LDAP group again, most users were deleted but one or two still remain.
Applies to all PAM releases.
PAM will fail to delete the user under any of the following conditions:
1- The user has created a custom session log report.
2- The user is referenced in a Password View Policy (as an approver or as an email notification recipient).
3- The user is configured to receive an email when another user logs in (Email on Login).
4- The user is configured under Forced Deactivation Alert.
For Custom Reports:
To delete a custom report, log in as the user and go to Sessions > Logs, then click REPORTS and select Manage Reports. Click the checkbox to select all reports, then click DELETE. Any reports that remain are the default PAM reports and will not prevent users from being deleted. After deleting the custom reports, the LDAP group can be deleted.
If you cannot log on as the user that could not be deleted to remove the custom reports created by that user, and you do not want to delete all custom reports without knowing who created them, you will need to raise a case with PAM Support to get the problem addressed.
It is also possible that on the first attempt the user was only partially deleted from the PAM database, in which case subsequent attempts will fail even after the custom reports are deleted. In that case, you will also need to contact PAM Support.
For Password View Policies:
Go to Credentials > Workflow > Password View Policies and check whether any PVPs have a checkmark under Dual Authorization or Email Notification. View each of those PVPs to see whether the user is configured either as an approver or as an email notification recipient. If so, remove the user from the PVP.
For Email on Login:
View each user in PAM and check the Email on Login field under the Administration tab. If the user that could not be deleted is listed there, remove them from that field.
For Forced Deactivation Alert:
Go to Settings > Global Settings, then click the Accounts tab. Check whether the user is listed under Forced Deactivation Alert. If so, either change it to another user or remove the current user.
Note: on 4.x, first apply the PAM_USR_SYNC.p.bin patch, as this should either resolve the problem or provide additional log information to identify the underlying root cause.