Re: Non-Leaf Computers in AD Cannot Be Deleted by ...

pwmiller · ‎03-06-2013

Hi all,

I'm fairly new here, but I appreciate any help that you can give me. Specifically, when trying to automate the removal of objects from AD, I cannot delete them as they are not "Leaf Nodes" (this occurs often if a computer has a shared printer attached, or if the computer has a shared folder attached - these are stored as child objects to the computer object in AD).

If I attempt to delete such an object with vCO, it yields the error: "Error when destroyingan element: [LDAP: error code 66 - 00002015: UpdErr: DSID-031A11DF, problem 6003 (CANT_ON_NON_LEAF), data 0]

My original idea was to treat the object as an AD:Unknown and find child items, then delete those, but it doesn't look like we can get child items from an AD:Unknown or AD:Computer.

Could the plugin be updated or a workaround provided to this problem? I appreciate your help and the dedication of this community.

Burke- · ‎03-06-2013

While I cannot speak on behalf of the plug-in developers, my approach would be to use vCO on a Windows based system and install Microsoft's Directory Service Tools, then try to come up with an appropriate command line approach from the prompt. Once I've identified the proper syntax of dsmod.exe, dsquery,exe, dsdel.exe, etc... I would incorporate that command line into my vCO workflow using the "command" object.

Joerg has a nice post here to describe how to work with command line utilities from vCO: http://www.vcoportal.de/2011/08/small-but-useful-command-line-tools-for-vco-workflows/

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

Ethan44 · ‎03-06-2013

Hi

Welcome to the communities.

It seems problem with AD, it would be great if you can ask on Microsoft ad forum.

"a journey of a thousand miles starts with a single step."

pwmiller · ‎03-06-2013

Hi Burke,

While that's an interesting approach, running vCO on a Windows server is not an option for us for a number of reasons I'll not get into here. Consequently, Joerg's method to use command-line tools won't work for us (nor would, say, using a PowerCLI cmdlet or batch script on a remote server).

Basically, I'm looking for the plugin to work as advertised:

If Orchestrator exposes the functionality to destroy an object, one would think that it would, in general, destroy that object. If it's a concern about deleting sub-objects (eg. Shared printers or folders), an option should be exposed to the user to recursively delete such objects; a simple boolean 'recurse' should suffice, with a suitable warning about the potential side-effects of the command to be executed.

Maybe somebody from VMware can comment?

pwmiller · ‎03-06-2013

Hi Ethan,

This is not a problem with AD, but what appears to be a bug or edge case that's not accounted for with the vCO implementation of the AD:Computer.destroy method.

To reproduce, follow these steps (I used a Windows 2008 R2 DC running at an equivalent domain functional level):

create a computer object in AD
select the computer object in Active Directory Users and Computers
select action, then new, then shared folder
use any mapping (the mapping doesn't have to exist on your network)
if you attempt to delete the object using vCO, you will get LDAP error 66, cannot delete non-leaf node. This is because a shared folder is the child of the computer object. I assume the same would occur for printer objects, or any other objects that are created below the computer object.

Maybe these steps will allow VMware to improve their plugin for this case?

Burke- · ‎03-06-2013

Thank you for the detailed description of the issue. I'm opening a bug and referencing this thread.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

cdecanini_ · ‎03-06-2013

pwmiller wrote:

Maybe these steps will allow VMware to improve their plugin for this case?

Burke opening a bug is a first step in this direction. I would suggest to open a support request at VMware GSS so you can follow this up and also because bugs opened by customers are prioritized.

Christophe.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter

pwmiller · ‎03-06-2013

Thanks Christophe and Burke,

I really appreciate your prompt replies - you're going above and beyond. Do you have the PR number so that I can reference it in the case that I open with GSS, or should I just reference this thread?

cdecanini_ · ‎03-06-2013

Yes : 1003291

And thank you to participate in improving our products !

Christophe.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter

pwmiller · ‎03-06-2013

Thanks. The SR number is 13292446503

aleksandarp · ‎03-23-2016

You should try with latest AD plug-in, there is a new workflow "Destroy a computer and delete its subtree" that is taking AD:ComputerAD as argument but is using a generic action that can take any AD object.

You can take the plug-in from here: Technical preview version of VMware vCenter Orchestrator Plug-In for Microsoft Active Directory and it is already part of vRO 7.0.1 release.

AntLeguy · ‎12-09-2016

Hello !

I had the same issue and I confirm that the AD plugin 2.0.3 with the workflow "Destroy a computer and delete its subtree" works like a charm, tested on a vRO 6.0.3.

Thanks for the help !

All

Non-Leaf Computers in AD Cannot Be Deleted by vCO