Unable to Remove Users or Groups from vCenter Server - Account/Group Reappears After Deletion

Article ID: 393110

Products

VMware vCenter Server

Issue/Introduction

  • When attempting to remove a user or group from the vCenter Server Users and Groups section, the account reappears within 5-10 minutes after deletion. Multiple deletion attempts in the vSphere Client are unsuccessful, and the account continues to persist in the environment. The vCenter Server logs may show errors such as:

/var/log/vmware/sso/ssoAdminServer.log

ERROR ssoAdminServer[1063:pool-2-thread-831] [OpId=<opID>:########] [com.vmware.identity.idm.server.IdentityManager] Failed to find person user [[email protected]] in tenant [sso.domain.com]

  • User accounts originating from Active Directory
  • The problematic account may have been removed from Active Directory but persists in vCenter

Environment

  • vCenter Server 8.0.x
  • vCenter Server 7.0.x

Cause

This issue occurs when there are LDAP database inconsistencies within the vCenter Server's Platform Services Controller (PSC) directory service (vmdir). Specifically:

  1. The account exists in multiple places within the LDAP database structure
  2. The standard removal process through the vSphere Client cannot properly remove all references
  3. In Enhanced Linked Mode environments, replication between vCenter Servers may cause the account to be restored from another node

The root issue is that the account exists in the ForeignSecurityPrincipals container within the LDAP directory, and has multiple entries that must be removed in a specific order.

Resolution

To permanently remove the persistent user or group, you need to modify the LDAP database directly using ldapmodify commands:

Option 1: CLI Method

  1. Create a powered-off snapshot of the affected vCenter Server and of any other vCenter Servers in Enhanced Linked Mode (ELM) with it, to provide a safe rollback point. A powered-off snapshot is not required if the vCenter Server is not in linked mode.

  2. Connect to the vCenter Server via SSH and export the current LDAP directory structure:

    /opt/likewise/bin/ldapsearch -b "dc=vsphere,dc=local" -s sub -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W > /tmp/$(hostname)_$(date +%d-%m-%Y).ldif
    

    When prompted, enter the Administrator password.

  3. Identify the required LDAP entries by running the commands below. Replace $LDIF_FILE with the file created in /tmp in the previous step and $ACCOUNT with the user you would like to remove:

    # Find the Administrators group DN
    grep "dn: cn=Administrators" $LDIF_FILE
    
    # Find the account's membership entry
    grep "member: externalObjectId=$ACCOUNT" $LDIF_FILE
    
    # Find the SID-based entry in ForeignSecurityPrincipals
    grep -i -B 10 "$ACCOUNT" $LDIF_FILE | grep "dn: externalObjectId=S-"
    
    # Find the account-based entry
    grep -A 1 "dn: externalObjectId=$ACCOUNT" $LDIF_FILE
    
  4. Create a file named "remove_group.ldif" with the following content (replacing the example values with your actual values):

    # Remove the member from Administrators group
    dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
    changetype: modify
    delete: member
    member: [email protected]
    
    # Delete the SID-based entry
    dn: externalObjectId=S-#-#-##-##########-##########-#########-123456,cn=ForeignSecurityPrincipals,dc=vsphere,dc=local
    changetype: delete
    
    # Delete the account-based entry
    dn: [email protected],cn=ForeignSecurityPrincipals,dc=vsphere,dc=local
    changetype: delete
    
  5. Upload the remove_group.ldif file to one of your vCenter Servers, or paste its contents into a vi window in insert mode and save the file

  6. Apply the changes using the ldapmodify command:

    /opt/likewise/bin/ldapmodify -f remove_group.ldif -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W
    

    When prompted, enter the Administrator password.

Verify in the vCenter UI that the account no longer appears. You may need to log out and back in to see the changes.

Option 2: JXplorer

1. Collect and export an LDIF file from vCenter:

/usr/bin/ldapsearch -LLL -h localhost -p 389 -b "dc=vsphere,dc=local" -s sub -D "cn=administrator,cn=users,dc=vsphere,dc=local" -o ldif-wrap=no -W > /tmp/ldif.ldif

2. Download the JXplorer LDAP browser from https://jxplorer.org/

3. Install JXplorer on a server or jump server that has connectivity to vCenter on port 389

4. Select the connection icon and enter the connection information for vCenter SSO:

Host: full fqdn of the vCenter  
Protocol: LDAPv3  
Port: 389  
Level: User + Password  
User DN: cn=Administrator,cn=Users,dc=vsphere,dc=local  
Password: SSO_ADMIN_PASSWORD

5. Using the LDIF file, search for the stale domain, user or group still present in SSO to determine the DN where the attribute is still present.

Example:

dn: cn=AttributeMapping-3,cn=LegacyAliasMappings,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,DC=vsphere,DC=local
nTSecurityDescriptor:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
vmwSTSMapValue: DOMAIN
vmwSTSMapKey: domain.com
cn: AttributeMapping-3
objectClass: top
objectClass: vmwSTSAttributeMap

6. Browse to this DN in JXplorer:

vsphere.local->Services->IdentityManager->Tenants->vsphere.local->LegacyAliasMappings->AttributeMapping-3

7. Right-click the attribute and delete it

8. Reboot vCenter

Note: If you have removed any trust relationships for a domain, ensure the trust relationship has been removed for all Domain Controllers that vCenter connects to. The Domain Controllers may need to be rebooted.

You only need to perform these steps on one vCenter Server in an Enhanced Linked Mode configuration. The changes will replicate to other vCenters automatically within 2-3 minutes so long as vmdir replication is healthy.
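As an added example (not VMware's code and not part of the original article), the following Python script automates the searches of Option 1 step 3 and Option 2 step 5 over an LDIF export, and writes the remove_group.ldif that Option 1 step 4 builds by hand, in the required order: group membership first, then the SID-based entry, then the account entry. The embedded export, the account name stale.user@example.test, the SID value and the attribute names on the constructed entries are placeholders; to use it on a real system, pass the text of the /tmp/*.ldif export to parse_ldif instead.

```python
"""Locate a stale SSO principal in a vmdir LDIF export and generate the
ldapmodify input that removes it in the order the article requires.

Added example; this is not VMware code. All names, SIDs and attributes in
the sample export are constructed placeholders."""
import base64
import re

# Constructed sample export, shaped like the article's ldapsearch output
# (one folded DN and one base64 value are included so the parser is exercised).
SAMPLE_LDIF = """\
dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
cn: Administrators
member: cn=Administrator,cn=Users,dc=vsphere,dc=local
member: externalObjectId=stale.user@example.test,cn=ForeignSecurityPrincipals,dc=vsphere,dc=local

dn: externalObjectId=S-1-5-21-1111111111-2222222222-3333333333-123456,cn=ForeignSecurityPrincipals,dc=vsphere,dc=local
description: constructed attribute naming stale.user@example.test
nTSecurityDescriptor:: AQID

dn: externalObjectId=stale.user@example.test,cn=ForeignSecurityPrincipals,dc=vsphere,dc=local
description: constructed account entry

dn: cn=AttributeMapping-3,cn=LegacyAliasMappings,cn=vsphere.local,cn=Tenants,
 cn=IdentityManager,cn=Services,dc=vsphere,dc=local
vmwSTSMapValue: DOMAIN
vmwSTSMapKey: example.test
cn: AttributeMapping-3
objectClass: top
objectClass: vmwSTSAttributeMap
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of (dn, [(attribute, value), ...]) entries.

    Folded continuation lines (leading space) are rejoined and '::' values
    are base64-decoded, so the grep-style searches below see whole values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            current = (value, [])
        elif current is not None:
            current[1].append((attr, value))
    if current is not None:
        entries.append(current)
    return entries


def find_account_entries(entries, account):
    """Find the three references that Option 1 step 3 locates with grep:
    the Administrators membership, the SID-based entry and the account entry."""
    acct = account.lower()
    found = {"group_dn": None, "member_value": None, "sid_dn": None, "account_dn": None}
    for dn, attrs in entries:
        dn_l = dn.lower()
        if dn_l.startswith("cn=administrators,"):
            for attr, value in attrs:
                if attr.lower() == "member" and acct in value.lower():
                    found["group_dn"], found["member_value"] = dn, value
        elif ",cn=foreignsecurityprincipals," in dn_l:
            rdn = dn_l.split(",", 1)[0]
            if rdn.startswith("externalobjectid=s-"):
                # The SID entry carries the account name in one of its attributes
                if any(acct in value.lower() for _, value in attrs):
                    found["sid_dn"] = dn
            elif rdn == f"externalobjectid={acct}":
                found["account_dn"] = dn
    return found


def build_remove_ldif(found):
    """Emit remove_group.ldif in the article's order: drop the group
    membership first, then the SID entry, then the account entry."""
    missing = [key for key, value in found.items() if value is None]
    if missing:
        raise ValueError("could not locate: " + ", ".join(missing))
    return "\n".join([
        f"dn: {found['group_dn']}\nchangetype: modify\ndelete: member\n"
        f"member: {found['member_value']}\n",
        f"dn: {found['sid_dn']}\nchangetype: delete\n",
        f"dn: {found['account_dn']}\nchangetype: delete\n",
    ])


def find_entries_mentioning(entries, needle):
    """DNs whose DN or attribute values contain `needle` (case-insensitive);
    the same search Option 2 step 5 performs by hand for a stale domain."""
    n = needle.lower()
    return [dn for dn, attrs in entries
            if n in dn.lower() or any(n in v.lower() for _, v in attrs)]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(build_remove_ldif(find_account_entries(parsed, "stale.user@example.test")))
    for dn in find_entries_mentioning(parsed, "example.test"):
        print("mentions stale domain:", dn)
```

build_remove_ldif refuses to write a partial file when any of the three references is missing, because applying only some of the deletions leaves the same inconsistency the article describes. The parser unfolds wrapped lines, so it works on exports taken with or without -o ldif-wrap=no; review the generated LDIF against the export before passing it to ldapmodify.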