Delete Outdated Service Account Credential from SMP Account after changing name of AppID in Active Directory while the account was in use
Article ID: 225649

Products

Client Management Suite Server Management Suite IT Management Suite

Issue/Introduction

A recent change to the name of a user account in Active Directory has created a situation where the user is unable to apply the proper credential to an existing account in the SMP (Symantec Management Platform).

Here is what was done, in more detail:

  • Original Account Credential: Domain\AppID1
  • Name Changed to Domain\AppID1_newName
  • Attributes: Same account SID, App ID, No Delete

Usually this is not a problem with a normal account, but because this account was designated as the AppID, its item in the SMP carries an attribute that prevents deletion (the NoDelete attribute). A new AppID is currently in use, and we would like to rotate this service account out in favour of the Domain\AppID1_newName credential.

SIM (Symantec Installation Manager) was updated to use Domain\AppID2, so AppID1 and AppID1_newName still can't both be deleted or reset.

How can we completely remove the previously used AppIDs so that, as part of rotating the service account to Domain\AppID1_newName, we can recreate them without a deletion conflict?

Cause

Errors generated:

"8/26/2021 12:38:10 PM","Error occured while saving account credential: bf9ba753-12b5-405d-a1c3-3b5b9ee312bc

Error in the application.
   [Altiris.NS.Exceptions.ItemSecurityException @ Altiris.NS]
   at Altiris.NS.ItemManagement.Item.Delete()
   at Altiris.NS.ResourceManagement.Resource.Delete()
   at Altiris.NS.Security.AccountManagement.CredentialManager.Unassign[T](T credential)
   at Altiris.NS.Security.AccountManagement.CredentialManager.UnassignWindowsCredential(String sid)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.MoveWindowsCredentials(String domain, String credName)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.MoveCredential(String credType, String credName)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.SaveCredential(DataRow drCred)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.SaveCredentials()

Exception logged from: 
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.SaveCredentials()
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.OnClickApply(Object, EventArgs)
   at Altiris.WebControls.ButtonState.RaiseClick()
   at Altiris.WebControls.ButtonListControl.RaisePostBackEvent(String)
   at System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
   at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
   at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
   at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
   at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)

User [Domain\AppID2], Auth [Domain\LoggedinUser], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS-2-132744729497591738]

HTTP [POST]: https://SMP/Altiris/NS/Admin/AccountManagement/Users/EditUser.aspx?ItemGuid=bf9ba753-12b5-405d-a1c3-3b5b9ee312bc
 ip: [160.125.214.21]; languages: [en-US,en;q=0.9]; content-length: [302346];
 timings: [[R] 00:00:00.7343738(W: 00:00:00)];
 response: [200 OK]; x-smp-nsversion: [8.5.5713.0];
","Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.SaveCredentials","Altiris.Web.NS.dll","13","Errors"
"8/26/2021 12:38:10 PM","MoveWindowsCredentials()

Error in the application.
   [Altiris.NS.Exceptions.ItemSecurityException @ Altiris.NS]
   at Altiris.NS.ItemManagement.Item.Delete()
   at Altiris.NS.ResourceManagement.Resource.Delete()
   at Altiris.NS.Security.AccountManagement.CredentialManager.Unassign[T](T credential)
   at Altiris.NS.Security.AccountManagement.CredentialManager.UnassignWindowsCredential(String sid)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.MoveWindowsCredentials(String domain, String credName)

Exception logged from: 
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.MoveWindowsCredentials(String, String)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.MoveCredential(String, String)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.SaveCredential(System.Data.DataRow)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.SaveCredentials()
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.OnClickApply(Object, EventArgs)
   at Altiris.WebControls.ButtonState.RaiseClick()
   at Altiris.WebControls.ButtonListControl.RaisePostBackEvent(String)
   at System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
   at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
   at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
   at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
   at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)

User [Domain\AppID2], Auth [Domain\User], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS-2-132744729497591738]

HTTP [POST]: https://SMP/Altiris/NS/Admin/AccountManagement/Users/EditUser.aspx?ItemGuid=bf9ba753-12b5-405d-a1c3-3b5b9ee312bc
 ip: [10.10.214.21]; languages: [en-US,en;q=0.9]; content-length: [302346];
 timings: [[R] 00:00:00.7343738(W: 00:00:00)];
 response: [200 OK]; x-smp-nsversion: [8.5.5713.0];
","Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.MoveWindowsCredentials","Altiris.Web.NS.dll","13","Errors"
"8/26/2021 12:38:10 PM","Item attributes (NoReplication, NoDelete, System) do not include deletion for: 'Domain\AppID1' (592fea50-e2c7-4e3f-97fa-319178ec1e79)

Error in the application.
   [Altiris.NS.Exceptions.ItemSecurityException @ ]

Exception logged from: 
   at Altiris.NS.ItemManagement.Item.Delete()
   at Altiris.NS.ResourceManagement.Resource.Delete()
   at Altiris.NS.Security.AccountManagement.CredentialManager.Unassign<T>(T)
   at Altiris.NS.Security.AccountManagement.CredentialManager.UnassignWindowsCredential(String)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.MoveWindowsCredentials(String, String)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.MoveCredential(String, String)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.SaveCredential(System.Data.DataRow)
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.SaveCredentials()
   at Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.OnClickApply(Object, EventArgs)
   at Altiris.WebControls.ButtonState.RaiseClick()
   at Altiris.WebControls.ButtonListControl.RaisePostBackEvent(String)
   at System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest(Boolean, Boolean)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(System.Web.HttpContext)
   at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
   at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
   at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
   at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
   at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)

User [Domain\AppID2], Auth [Domain\User], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS-2-132744729497591738]

HTTP [POST]: https://SMP/Altiris/NS/Admin/AccountManagement/Users/EditUser.aspx?ItemGuid=bf9ba753-12b5-405d-a1c3-3b5b9ee312bc
 ip: [10.10.214.21]; languages: [en-US,en;q=0.9]; content-length: [302346];
 timings: [[R] 00:00:00.7187459(W: 00:00:00)];
 response: [200 OK]; x-smp-nsversion: [8.5.5713.0];
","Item.Delete","Altiris.NS.dll","13","Errors"
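As an added example (not part of the original article or of the SMP product), the following Python snippet parses log records in the quoted-CSV shape shown above and reports which item, and which item attributes, blocked the credential move; the field names and the two sample records are assumptions constructed from the entries above.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample in the same quoted-CSV shape as the article's log entries:
# timestamp, multi-line message, source, module, code, category (field names assumed).
SAMPLE_LOG = '''"8/26/2021 12:38:10 PM","MoveWindowsCredentials()

Error in the application.
   [Altiris.NS.Exceptions.ItemSecurityException @ Altiris.NS]
   at Altiris.NS.ItemManagement.Item.Delete()
","Altiris.NS.UI.Admin.AccountManagement.Users.EditUser.MoveWindowsCredentials","Altiris.Web.NS.dll","13","Errors"
"8/26/2021 12:38:10 PM","Item attributes (NoReplication, NoDelete, System) do not include deletion for: 'Domain\\AppID1' (592fea50-e2c7-4e3f-97fa-319178ec1e79)

Error in the application.
   [Altiris.NS.Exceptions.ItemSecurityException @ ]
","Item.Delete","Altiris.NS.dll","13","Errors"
'''

FIELDS = ["timestamp", "message", "source", "module", "code", "category"]

# Matches the ItemSecurityException text that names the protected item and its attributes.
BLOCKED_DELETE = re.compile(
    r"Item attributes \(([^)]*)\) do not include deletion for: "
    r"'([^']+)' \(([0-9a-fA-F-]{36})\)"
)


def parse_records(log_text: str) -> List[Dict[str, str]]:
    """Split the log into records; the csv module keeps the multi-line quoted message intact."""
    reader = csv.reader(io.StringIO(log_text))
    return [dict(zip(FIELDS, row)) for row in reader if len(row) == len(FIELDS)]


def find_blocked_deletes(log_text: str) -> List[Dict[str, object]]:
    """Report every item whose attributes (e.g. NoDelete) stopped the credential move."""
    hits = []
    for rec in parse_records(log_text):
        m = BLOCKED_DELETE.search(rec["message"])
        if not m:
            continue
        attrs = [a.strip() for a in m.group(1).split(",")]
        hits.append({"timestamp": rec["timestamp"], "item": m.group(2),
                     "guid": m.group(3), "attributes": attrs,
                     "no_delete": "NoDelete" in attrs})
    return hits


if __name__ == "__main__":
    for hit in find_blocked_deletes(SAMPLE_LOG):
        print(f"{hit['timestamp']}: delete of {hit['item']} ({hit['guid']}) "
              f"blocked by {', '.join(hit['attributes'])}")
```

Point it at the exported SMP log to confirm that the failing delete is the NoDelete-protected AppID item before engaging Support, rather than guessing from the UI error alone.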

Resolution

If you find yourself in this state, please contact Support for assistance.

Best practice is to create a new account rather than rename an existing one. A renamed account keeps the same SID, so references in the SMP database become mixed between the old and new names for that account.