VMware Cloud Community
derevan007
Contributor

How to manage Lost & Found users using REST API

I am encountering a problem with the API when attempting to check for the existence of an LDAP user in a vCloud organization. When looking at the users for that organization, the user is not found. When attempting to add it, I get the error "DuplicateNameException: The VCD entity mavlcek already exists."

Turns out the user does exist, but in the Lost & Found folder, and I cannot retrieve its HREF to delete it and then try the add again.

Anyone know how to recover these users via the REST API? In the UI, you can delete the entry, then re-add it, but the API does not seem to provide a method for finding this user.

If anyone has a solution for this, please share as this has been a roadblock to automating our provisioning since we have to manually delete the user entry before we can proceed and try again.

0 Kudos
10 Replies
lamw
Community Manager

You can use the Query API; there are several packaged queries, one of which supports finding strandedUsers - http://pubs.vmware.com/vcloud-api-1-5/wwhelp/wwhimpl/js/html/wwhelp.htm#href=api_prog/GUID-9356B99B-...

It'll look something like this:

$ curl -i -k -H "Accept:application/*+xml;version=1.5" -H "x-vcloud-authorization: ........" -X GET https://vcd/api/admin/strandedUsers/query
0 Kudos
derevan007
Contributor

Thanks for pointing out the packaged query for stranded users. Unfortunately, it does not appear to work. It returns no results. Is there something I’m missing? Perhaps I need to specify an organization somehow (the documentation for the packaged query says “Stranded users in the organization” but it was not clear how to specify it)?

<?xml version="1.0" encoding="UTF-8"?>

<QueryResultRecords xmlns="http://www.vmware.com/vcloud/v1.5" total="0" pageSize="25" page="1" name="strandedUser" type="application/vnd.vmware.vcloud.query.records+xml" href="https://my-vcloud.xxx.com/api/admin/strandedUsers/query?page=1&pageSize=25&format=records" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.vmware.com/vcloud/v1.5 http://alln01-vcloud.cisco.com/api/v1.5/schema/master.xsd">

    <Link rel="alternate" type="application/vnd.vmware.vcloud.query.references+xml" href="https://my-vcloud.xxx.com/api/admin/strandedUsers/query?page=1&pageSize=25&format=references"/>

    <Link rel="alternate" type="application/vnd.vmware.vcloud.query.idrecords+xml" href="https://my-vcloud.xxx.com/api/admin/strandedUsers/query?page=1&pageSize=25&format=idrecords"/>

</QueryResultRecords>

0 Kudos
lamw
Community Manager

Are you logging in as an Administrator in the System Organization?

0 Kudos
derevan007
Contributor

That is correct. I am logged in as an admin against the system org.

0 Kudos
lamw
Community Manager

I don't have LDAP configured in my home lab to repro this, but could you try the same query but logging into the organization that has the stranded user? I have a feeling that it may not work due to the /admin path which signifies this is only available in the Admin API.

0 Kudos
derevan007
Contributor

Yes, if I log on to the API as an Organization Admin to that organization, the stranded user's HREF is returned. Unfortunately, our use of the API is always done using a "System" user, with the assumption that we have permission to do anything.

But interestingly, as the Org Admin, if I try then to do a GET on the stranded user's HREF, I cannot access it, but if I log on as a system admin, it does return the record and I can delete it.

So it is possible to get rid of the stranded user, but it takes 2 sessions (an org admin session to get the HREF and a sys admin to get/delete the user). It seems to me that the system admin should be able to access this information.

If there is any workaround to this, I would really like to get a solution.

Thanks!

0 Kudos
lamw
Community Manager

As the Org Admin, are you able to delete the user using the vCloud API?

0 Kudos
derevan007
Contributor

Actually, I am able to GET and DELETE using the Org Administrator logon. Unfortunately, I really need to be able to perform this operation as a System Administrator; otherwise, I will need to have credentials for hundreds of organizations. This is unwieldy for a multi-tenant, cloud provider solution.

So is there any way this can be done as a System Administrator?

0 Kudos
lamw
Community Manager

It looks like this operation is currently only supported when you're an Org Admin as noted by the documentation - http://pubs.vmware.com/vcloud-api-1-5/wwhelp/wwhimpl/js/html/wwhelp.htm#context=vCloudAPI&file=GUID-...

If you have a support contract, I would recommend filing an SR for this feature request.

0 Kudos
derevan007
Contributor

Disappointing, but good to know for sure. Will definitely file an SR. Thanks!

0 Kudos
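
The workflow the thread settles on (run the strandedUsers query in an Org Admin session, then DELETE the returned HREF), as an added Python example that is not from any poster or from VMware. The sample response, the StrandedUserRecord element name, the host `vcd` and the token placeholder are constructed assumptions; the code only builds the DELETE request, and it refuses HREFs outside the expected API base so the session token is never sent to another host.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ACCEPT = "application/*+xml;version=1.5"  # Accept header used in the thread

# Constructed sample response: the record element name and its href are
# assumptions (the thread only shows an empty result set).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<QueryResultRecords xmlns="http://www.vmware.com/vcloud/v1.5" total="1" name="strandedUser">
  <Link rel="alternate" href="https://vcd/api/admin/strandedUsers/query?format=references"/>
  <StrandedUserRecord name="mavlcek"
      href="https://vcd/api/admin/user/00000000-0000-0000-0000-000000000000"/>
</QueryResultRecords>"""


def stranded_user_hrefs(xml_text, user_name):
    """Return the hrefs of result records whose name equals user_name."""
    root = ET.fromstring(xml_text)
    hrefs = []
    for child in root:
        tag = child.tag.rsplit("}", 1)[-1]   # drop the XML namespace
        if tag == "Link":                    # paging/format links, not records
            continue
        if child.get("name") == user_name and child.get("href"):
            hrefs.append(child.get("href"))
    return hrefs


def build_delete(href, api_base, token):
    """Build (not send) a DELETE for href, rejecting hrefs outside api_base."""
    h, b = urlsplit(href), urlsplit(api_base)
    same_origin = (h.scheme, h.netloc) == (b.scheme, b.netloc)
    if not same_origin or not h.path.startswith(b.path.rstrip("/") + "/"):
        raise ValueError("href is outside the expected API base: " + href)
    return urllib.request.Request(
        href, method="DELETE",
        headers={"Accept": ACCEPT, "x-vcloud-authorization": token})


if __name__ == "__main__":
    # Token placeholder: use the Org Admin session's x-vcloud-authorization value.
    for href in stranded_user_hrefs(SAMPLE, "mavlcek"):
        req = build_delete(href, "https://vcd/api", "<org-admin-session-token>")
        print(req.get_method(), req.full_url)  # send with urllib.request.urlopen(req)
```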