When trying to delete an LDAP group, PAM gives the following error.
Error: PAM-UI-2404: Error deleting group. A user in the user group CN=PAM Admins,CN=Users,DC=testdomain,DC=com could not be deleted, so the group was not deleted. See session logs for details
In the session logs, the following error is seen.
PAM-CMN-1578: Unexpected result from deleting user group
Looking at the LDAP group again, most users were deleted but one or two still remain.
If a user has created a custom sessions log report, then PAM cannot delete the user.
To delete a custom report, log in as that user and go to Sessions > Logs, then click REPORTS and select Manage Reports. Click the checkbox to select all reports, then click DELETE. Any reports that remain are the PAM default reports and will not prevent users from being deleted. After the custom reports are deleted, the LDAP group can be deleted.
If you cannot log on as the user that could not be deleted in order to remove the custom reports created by that user, and you do not want to delete all custom reports without knowing who created them, you will need to raise a case with PAM support to get the problem addressed.