2 Replies Latest reply on Oct 10, 2017 7:51 AM by paulmike3

    Unable to remove AD user IDs from global desktop entitlements if they are deleted out of AD...

    paulmike3 Novice

      Hi all,


      Edit: Horizon 6.2.0 environment.


      We have a number of large global desktop entitlements that have users individually assigned by their Active Directory user IDs. Since global entitlements don't "sync" with AD, when a user ID is removed from AD, that ID still remains in a global entitlement it's a member of.


      When we run the lmvutil command below to try to remove an ID that doesn't exist in AD, it fails. It appears lmvutil does an AD check (which fails) to verify the ID exists in AD before attempting the removal. I could see this being a good thing for adding IDs, but it completely breaks removals.


      To make a short story long, we currently have some global desktop entitlements with several thousand users in each of them (obviously not ideal, as AD groups should have been used here, but that's where we are at the moment). Among the thousands of active users are hundreds of deleted users that have accumulated over the years.


      Since I doubt anyone else knows this, when global entitlements reach this size, the View Admin UI errors when trying to display the "user and groups" pane. Thus, we can't remove them manually via the UI - the only way to remove them is via the lmvutil command.


      So we're stuck with many non-existent IDs in our huge global entitlements with no way to remove them.


      So my question is - does anyone know of any other methods of removing IDs from global entitlements, potentially without AD checks? I'm sure we could hack up the ADAM DB in the adsi editor, but that would be absolute last resort for us, given how volatile it is (at least when you have tens of thousands of objects replicating all the time).


      Command that fails (details redacted):

      lmvutil.cmd --authAs [service account] --authDomain [domain] --authPassword [service account password] --removeUserEntitlement --userName [domain\user ID] --entitlementName [global entitlement name]
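      An added audit script (not from this thread or from VMware) that splits an exported global-entitlement member list into IDs that still resolve in AD and IDs that no longer exist, so an admin can see in advance which removals the lmvutil command above will fail on. The member list is constructed sample data, the entitlement name is a placeholder, and the lmvutil options are the ones quoted in this post.

```powershell
# Added example, not part of the thread. Requires the ActiveDirectory module (RSAT).
# Input: entitlement members as "DOMAIN\userid", one per line, exported separately;
# the entries below are constructed sample data, not real accounts.
Import-Module ActiveDirectory

$EntitlementName = 'GE-Example-Desktops'   # placeholder global entitlement name
$Members = @(
    'CORP\alice.jones',
    'CORP\bob.smith',
    'CORP\old.contractor'
)

function Get-EntitlementMemberState {
    param([string]$Domain, [string]$SamAccountName)
    # -Filter returns $null instead of throwing when nothing matches; -Server
    # targets the member's own domain so multi-domain lists resolve correctly.
    $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Server $Domain -ErrorAction Stop
    if ($null -eq $user) { return 'Missing' }      # deleted from AD
    if ($user.Enabled)   { return 'Enabled' }
    return 'Disabled'                               # still exists, just disabled
}

$report = foreach ($m in $Members) {
    $domain, $sam = $m -split '\\', 2               # regex split on a literal backslash
    [pscustomobject]@{
        Member = $m
        State  = Get-EntitlementMemberState -Domain $domain -SamAccountName $sam
    }
}

$report | Sort-Object State | Format-Table -AutoSize

# As described in the post, lmvutil checks that the ID exists in AD before removing it,
# so 'Missing' members are the ones whose removal will fail. Accounts that are disabled
# but not yet deleted still pass that existence check (assumption: the check is existence
# only), so emit the removal command for those while it can still succeed. Credentials
# are placeholders to be supplied at run time.
foreach ($row in $report | Where-Object State -eq 'Disabled') {
    "lmvutil.cmd --authAs [service account] --authDomain [domain] --authPassword [service account password] " +
    "--removeUserEntitlement --userName $($row.Member) --entitlementName $EntitlementName"
}

"Members deleted from AD (lmvutil removal will fail): $(@($report | Where-Object State -eq 'Missing').Count)"
```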

        • 1. Re: Unable to remove AD user IDs from global desktop entitlements if they are deleted out of AD...
          mhampto Expert
          VMware Employees | Knowledge Champion

          Removing desktop pool entitlements or deleting AD accounts does not remove users from a desktop. To clean up the environment, have you looked at PowerCLI to do it?

          • 2. Re: Unable to remove AD user IDs from global desktop entitlements if they are deleted out of AD...
            paulmike3 Novice

            Thanks for the reply, mhampto. We are able to manage all other aspects of pool entitlements and VM assignments via PowerCLI, just not removing stale user IDs from the global entitlements in Cloud Pod Architecture.


            The Cloud Pod Architecture ADAM DB is not exposed to PowerCLI (at least in 6.2.0, which we're on), so there are no other management commands outside the lmvutil commands I mentioned in the OP, which fail.


            For anyone (especially VMware folks - hint, hint) who wants to recreate the failure/bug in your lab:


            1) Initialize Cloud Pod Architecture in your View Pod

            2) Create a new desktop global entitlement

            3) Create a new AD user in AD

            4) Add the AD user to the desktop global entitlement

            5) Delete the AD user from AD

            6) Attempt to delete the non-existent user from the desktop global entitlement using the lmvutil command from my OP


            lmvutil.cmd --authAs [admin account] --authDomain [domain] --authPassword [admin account password] --removeUserEntitlement --userName [domain\user ID] --entitlementName [global entitlement name]