vSphere: Remove orphaned user from an sso group by command line

Hi,

after migrating a vSphere vCenter instance from Windows to the VCSA appliance, some orphaned users (local Windows users which no longer exist on Linux) are still members of an SSO group.

These entries cannot be removed through the GUI: the GUI lets you remove the user, but after reloading the users are still members of the group.

It's also not possible to remove such a user with the SSO PowerCLI module, because I cannot get a User object for it and the parameter does not accept a string.

PS D:\> git clone https://github.com/vmware/PowerCLI-Example-Scripts
PS D:\> Import-Module D:\PowerCLI-Example-Scripts\Modules\VMware.vSphere.SsoAdmin\VMware.vSphere.SsoAdmin.psd1
PS D:\> Connect-SsoAdminServer -Server myVCenter.myDomain.org -User "administrator@vsphere.local"
PS D:\> Remove-UserFromSsoGroup -User myUser -TargetGroup myGroup
Remove-UserFromSsoGroup : Cannot process argument transformation on parameter 'User'. Cannot convert the "myUser" value of type "System.String" to type "VMware.vSphere.SsoAdminClient.DataTypes.PersonUser".
At line:1 char:31
PS D:\> Get-SsoPersonUser -Domain myVCenter.myDomain.org -Name myUser
PS D:\> 

The only way I found is the dir-cli command line utility on the VCSA appliance. The dir-cli group modify command has no explicit parameter to remove a single user, but when you call it with only the group name:

root@myVCenter[ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli group modify --name myGroup
Enter password for administrator@vsphere.local:
Account [] removed from group [myGroup]
Group member [] removed successfully

all users will be removed from the group!!!

So the way is: list all users of the group and note which ones are still required. Then remove all users and add the required users again.

Michael
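The remove-all-then-re-add procedure above, written up as a small script to run on the VCSA appliance. This is an added example, not code from the original post or from VMware; it assumes dir-cli at the path shown in the post, and that the admin has first reviewed the output of `dir-cli group list --name <group>` by hand and written the users that must stay into a "keep list" file (one user@domain per line, a format chosen here for the example). The script prints the plan first, so a mistake in the keep list is caught before the group is emptied.

```shell
#!/bin/sh
# Rebuild the membership of an SSO group on a VCSA appliance with dir-cli:
# remove all members (dir-cli group modify with only --name, as in the post),
# then re-add the users that are still wanted.
# Added example, not from the original post.
#
# Assumptions (not stated in the post): dir-cli lives at the path below, and the
# admin has written a keep-list file, one user@domain per line, after reviewing
# "dir-cli group list --name <group>" by hand.
set -u

DIRCLI="${DIRCLI:-/usr/lib/vmware-vmafd/bin/dir-cli}"

# Print the keep list without blank lines and # comments.
read_keep_list() {
    grep -v '^[[:space:]]*#' "$1" | sed '/^[[:space:]]*$/d'
}

# Only re-add entries that look like user@domain, so a stray line in the keep
# list (or a bare orphaned account name like "myUser") is never added back.
valid_user() {
    case "$1" in
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dry run: print the dir-cli commands that rebuild_group would execute.
plan_rebuild() {
    group="$1"; keepfile="$2"
    echo "$DIRCLI group modify --name $group"
    for u in $(read_keep_list "$keepfile"); do
        valid_user "$u" || { echo "skip (not user@domain): $u" >&2; continue; }
        echo "$DIRCLI group modify --name $group --add $u"
    done
}

# Real run: dir-cli prompts for the administrator@vsphere.local password on
# each call, exactly as in the transcript above. Stops at the first failure.
rebuild_group() {
    group="$1"; keepfile="$2"
    "$DIRCLI" group modify --name "$group" || return 1
    for u in $(read_keep_list "$keepfile"); do
        valid_user "$u" || continue
        "$DIRCLI" group modify --name "$group" --add "$u" || return 1
    done
}

# Constructed sample keep list for a dry run; replace with your own file.
write_sample_keep_list() {
    cat > "$1" <<'EOF'
# users that must stay in the group (user@domain, one per line)
administrator@vsphere.local
alice@vsphere.local
EOF
}

# Usage: ./rebuild-sso-group.sh myGroup keep.txt  (prints the plan, asks, then runs)
if [ $# -eq 2 ]; then
    plan_rebuild "$1" "$2"
    printf 'Execute these commands now? [y/N] '
    read -r answer
    if [ "$answer" = "y" ]; then
        rebuild_group "$1" "$2"
    fi
fi
```

Because the first dir-cli call empties the whole group, the keep list is validated and printed before anything is executed; run the script once without confirming, compare the plan against your notes from `dir-cli group list`, and only then answer `y`.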
