
[PAM] LDAP User removed from LDAP Group but does not get removed from PAM Users list.


Article ID: 197001


Updated On:


CA Privileged Access Manager (PAM)


In the PAM Users list, an LDAP group named "PAM Admins" was imported with the following users.





Later, TestUser1 was removed from LDAP, but TestUser1 still exists in PAM and cannot be deleted.



It is possible the user is configured as a recipient for reports.



Release : 3.x.x



Users who are report recipients cannot be deleted. They must be removed as recipients of the report, or the report needs to be deleted.

Go to "Sessions -> Logs -> Reports -> Manage Reports", look for custom reports (generated by the Admins), and see whether the problematic user is set to be notified.

The following are the out-of-the-box custom reports that you should not delete.

10.2.3 Track Audit Policy Change
10.2.6 Audit Logs Access
PCI 10.2.1 User Login
PCI 10.2.1 User Logout
PCI 10.2.4 Failed User Login
Telemetry Tracking Report
Unfiltered Logs


The custom report that is generated by the problematic user must be deleted.

One way to identify who created the custom report is to check the "Email" tab of the report to see whether an email address is entered (if email notification is enabled). That may give a hint as to who created it.

If you have multiple user-created custom reports and do not know which one to delete, please contact support, referencing this KB article.


Once the custom reports are deleted, in the next LDAP Sync cycle the user account should be removed successfully.