Enthusiast
Enthusiast

Is there a way to delete a VM from Active Directory while the VM is being deleted from vCenter?

So I was just asked this question last week and am searching for an answer.  I came across this thread Remove objects from AD when a VM is deleted from vCenter with vCO  which works great for me for my vRA environment, but what about machines that aren't built by vRA or are built by a set of scripts that clone VM's from templates, give the VM's specific names, join them to a certain domain, etc.  Is there a custom attribute that can be put on a template so when the VM is deleted it's removed from AD?  I'd prefer this to be automated.  I understand I could use PowerShell to use the Remove-ADComputer command, but that seems to need a text file or something and I want it to happen when the machine is being deleted from vCenter, not after the fact where someone could forget to run the script. 

So is it possible?  I'm testing this on vCenter 6.5, but the environment in question would be vCenter 6.7.

Thanks in advance.

0 Kudos
4 Replies
Immortal
Immortal

There's no way I know of to do this outside of integration with vRA or by using more custom automation through vRO. If it's not through vRA, however, I'd be very cautious about how you go about that. The automation needs to be quite complex in order to ensure the proper checks have been done, and even then it's a dicey situation. What if a host fails and it doesn't fail over in inventory? What if you remove it from inventory and later re-add it? What if you change its name? What if it gets migrated to another cluster? Datacenter? vCenter? There are myriad ways in which this can really blow up your AD and I'm not sure it's really worth rolling those dice. You'd be far better off importing those VMs into vRA management so you can control the removal there.

0 Kudos
Enthusiast
Enthusiast

So basically an environment can be built like this:

User requests an environment with whatever machines.

Environment is built.  Machines have 3 random characters at beginning of name.  So maybe D1HVM1, D1HVM2, etc.  Those are also in a folder in vCenter.

User uses environment until complete.  User can go to a website and expire/delete the environment or let it expire after a set time.

Once that environment is deleted those 3 random characters could be used again.  They could be used in the next environment or somewhere down the road.  I don't know the code for how it assigns, but it's possible.

I received a couple of suggestions.  One was this (but equivalent for AD):

-listavailable vm* | import-module

-InvalidCertificateAction Ignore -Confirm:$false |Out-Null


$viserver= "vcenter.domain"


$viuser= "username"


$vipass= "xxxx"


$UserPath= "$($env:USERPROFILE)\Desktop\vcenter.domain_Snapshots.csv"


Connect-VIServer -server $viServer -Protocol "https" -User $viUser -Password $viPass -ea:stop|Out-Null

Another suggestion was when an environment expires to have a script or something kick off that exports a list of the VM's to a file on a domain controller that then runs a script to delete those machine accounts out of active directory.  Maybe even during this time of exporting the list somehow the machine accounts in AD get moved to a specific OU that is for deletion of machine accounts only.  NETDOM could then run and delete the accounts from AD.

Personally I'd prefer that they use vRA for this, but that was shot down months ago in favor of open source stuff.

0 Kudos
Hot Shot
Hot Shot

emmclure,

Few option are available with VMware products and few with third party.I would recommend you to analyse varies platform with respect to cost and implementation complexity .Let say if you want the portal where users can set expiration days so that VMware vCloud Director is best platform do with VMware vRealize automation.You can do lot of black magic in it.If you are looking cost effective solution build a environment with VMware automation with third party workflow.

Give out a try

Integration with VMware vSphere Using the New Open Sourced Software Development Kits - VMware Open S...

0 Kudos
Enthusiast
Enthusiast

So it appears it'll be even easier than I thought as far as the work from my end.  The team in question will be doing most of the work.  When the environment expires they're going to run some sort of PowerShell script that does this on each machine:

Remove-Computer -Force; restart-computer

They can also just shut down the machine since the environment is going to be deleted.  Then we'd run a script from a domain controller that does this:

dsquery computer -disabled | dsrm -noprompt

This would run every 5 - 10 minutes since environments can expire at random times thru the day.  This'll query the domain for the disabled accounts created by the previous script and delete them.

I had one where the script would move the disabled machines to a specific OU and then I'd run a command from the domain controller (Remove-ADComputer) to delete anything in the specific OU, but they're going with the other option I mentioned.

0 Kudos