Adding a Domain User to vCenter Group fails with error 'Unexpected error encountered while performing your action'
Article ID: 382956


Products

VMware vCenter Server 8.0

Issue/Introduction

Adding a domain user to a vCenter group fails with the error 'Unexpected error encountered while performing your action'.

The user was previously a part of the group.

ssoAdminServer.log
-------------------------

YYYY-MM-DDTHH:MM:SS ERROR ssoAdminServer[102:pool-2-thread-8] [OpId=m3cksqjj-103701-auto-280p-h5:70043803] [com.vmware.identity.idm.server.IdentityManager] Failed to add user [user@domain.com] to group [Group] in tenant [vsphere.local]
YYYY-MM-DDTHH:MM:SS ERROR ssoAdminServer[102:pool-2-thread-8] [OpId=m3cksqjj-103701-auto-280p-h5:70043803] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.MemberAlreadyExistException: group Group currently has user externalObjectId=S-1-5-21-1599525160-239106474-3126027306-3102 as its member'
com.vmware.identity.idm.MemberAlreadyExistException: group Group currently has user externalObjectId=S-1-5-21-1599525160-239106474-3126027306-3102 as its member
        at com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider.addUserToGroupByDn(VMwareDirectoryProvider.java:4107) ~[libvmware-identity-idm-server.jar:?]
        at com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider.addUserToGroup(VMwareDirectoryProvider.java:3719) ~[libvmware-identity-idm-server.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.addUserToGroup(IdentityManager.java:6038) ~[libvmware-identity-idm-server.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.addUserToGroup(IdentityManager.java:11340) [libvmware-identity-idm-server.jar:?]
        at com.vmware.identity.idm.client.CasIdmClient.addUserToGroup(CasIdmClient.java:2672) [libvmware-identity-idm-client.jar:?]
        at com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl.addUsersToLocalGroup(PrincipalManagementImpl.java:1870) [libsso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl$8.call(PrincipalManagementServiceImpl.java:289) [libsso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl$8.call(PrincipalManagementServiceImpl.java:271) [libsso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:186) [libsso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl.addUsersToLocalGroup(PrincipalManagementServiceImpl.java:271) [libsso-adminserver.jar:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_412]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_412]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_412]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_412]
        at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:86) [vlsi-server-8.0.3.0-14172000-alpha.jar:?]
        at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:47) [vlsi-server-8.0.3.0-14172000-alpha.jar:?]
        at com.vmware.vim.vmomi.core.tracing.NoopTracer$NoopSpan.runWithinSpanContext(NoopTracer.java:120) [vlsi-core-8.0.3.0-14172000-alpha.jar:?]
        at com.vmware.vim.vmomi.server.common.impl.TracingRunnableWrapper.run(TracingRunnableWrapper.java:62) [vlsi-server-8.0.3.0-14172000-alpha.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_412]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_412]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_412]
YYYY-MM-DDTHH:MM:SS INFO ssoAdminServer[102:pool-2-thread-8] [OpId=m3cksqjj-103701-auto-280p-h5:70043803] [com.vmware.identity.admin.server.ims.impl.PrincipalManagementImpl] Error in addUsersToLocalGroup. User [{Name: user, Domain: domain.com}] is already a member of group [Group]. Idm client exception.

Environment

VMware vCenter Server 8.0.x

Cause

If the Active Directory user is removed from the vCenter local group after the Identity Provider has already been removed, an orphaned SID entry for that user is left behind in the group.

The SID can be listed on the vCenter CLI with the command below.

/usr/lib/vmware-vmafd/bin/dir-cli group list --name Group

The SID is not visible in the vCenter UI.

Hence, the addUsersToLocalGroup task fails with the error 'User [{Name: user, Domain: domain.com}] is already a member of group [Group]'.

Resolution

Locate and remove the orphaned SID.

  1. Locate the SID in /var/log/vmware/sso/ssoAdminServer.log, or list the group members with the command below.
    • /usr/lib/vmware-vmafd/bin/dir-cli group list --name Group
  2. Use JXplorer to delete the externalObjectId member from the group; otherwise,
  3. Use the ldapmodify command to delete the externalObjectId member, replacing Group and the SID with the values found in step 1. When typed at the shell, the LDIF lines and the closing EOF must not be indented.
    • ldapmodify -h localhost -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W << EOF
      dn: cn=Group,cn=Builtin,dc=vsphere,dc=local
      changetype: modify
      delete: member
      member: externalObjectId=S-1-5-21-1599525160-239106474-3126027306-3102
      EOF
  4. Verify that the orphaned SID has been removed.
    • /usr/lib/vmware-vmafd/bin/dir-cli group list --name Group
  5. Re-add the Active Directory user to the vCenter local group.
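As an added example (not part of this article), the Python below pulls the group name and orphaned SID out of the MemberAlreadyExistException log line from step 1, builds the LDIF change record used in step 3, and checks a group listing for the SID as in step 4. The sample log text and the listing text are constructed; the container cn=Builtin and base DN dc=vsphere,dc=local are taken from the ldapmodify example above, and the shape of the dir-cli listing is an assumption.

```python
import re

# Constructed sample lines, modelled on the ssoAdminServer.log excerpt in this article
SAMPLE_LOG = """\
YYYY-MM-DDTHH:MM:SS ERROR ssoAdminServer[102:pool-2-thread-8] [OpId=x] [com.vmware.identity.idm.server.IdentityManager] Failed to add user [user@domain.com] to group [Group] in tenant [vsphere.local]
YYYY-MM-DDTHH:MM:SS ERROR ssoAdminServer[102:pool-2-thread-8] [OpId=x] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.MemberAlreadyExistException: group Group currently has user externalObjectId=S-1-5-21-1599525160-239106474-3126027306-3102 as its member'
"""

# Matches the exception text that names the group and the stale externalObjectId (a Windows SID)
ORPHAN_RE = re.compile(
    r"MemberAlreadyExistException: group (?P<group>\S+) currently has user "
    r"externalObjectId=(?P<sid>S-1-(?:\d+-)+\d+) as its member"
)


def find_orphaned_sids(log_text):
    """Return sorted unique (group, SID) pairs that the log reports as stale members."""
    pairs = {(m.group("group"), m.group("sid")) for m in ORPHAN_RE.finditer(log_text)}
    return sorted(pairs)


def build_ldif(group, sid, container="cn=Builtin", base_dn="dc=vsphere,dc=local"):
    """Build the LDIF change record for step 3; container and base_dn follow the article's DN."""
    return (
        f"dn: cn={group},{container},{base_dn}\n"
        "changetype: modify\n"
        "delete: member\n"
        f"member: externalObjectId={sid}\n"
    )


def sid_still_present(group_listing, sid):
    """Step 4 check: True if the SID still appears in the dir-cli group listing text."""
    return f"externalObjectId={sid}" in group_listing


# Constructed (assumed) listing shape for `dir-cli group list --name Group` after cleanup
SAMPLE_LISTING_AFTER = """\
cn=Administrator,cn=users,dc=vsphere,dc=local
"""

if __name__ == "__main__":
    for group, sid in find_orphaned_sids(SAMPLE_LOG):
        print(build_ldif(group, sid))
        print("still present after cleanup:", sid_still_present(SAMPLE_LISTING_AFTER, sid))
```

Feed the generated record to ldapmodify as in step 3, then run the step 4 listing and pass its output to sid_still_present to confirm the cleanup.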