Hi all,
I'm fairly new here, but I appreciate any help that you can give me. Specifically, when trying to automate the removal of objects from AD, I cannot delete them as they are not "Leaf Nodes" (this occurs often if a computer has a shared printer attached, or if the computer has a shared folder attached - these are stored as child objects to the computer object in AD).
If I attempt to delete such an object with vCO, it yields the error: "Error when destroying an element: [LDAP: error code 66 - 00002015: UpdErr: DSID-031A11DF, problem 6003 (CANT_ON_NON_LEAF), data 0]"
My original idea was to treat the object as an AD:Unknown and find child items, then delete those, but it doesn't look like we can get child items from an AD:Unknown or AD:Computer.
Could the plugin be updated or a workaround provided to this problem? I appreciate your help and the dedication of this community.
While I cannot speak on behalf of the plug-in developers, my approach would be to use vCO on a Windows-based system and install Microsoft's Directory Service Tools, then try to come up with an appropriate command line approach from the prompt. Once I've identified the proper syntax of dsmod.exe, dsquery.exe, dsdel.exe, etc., I would incorporate that command line into my vCO workflow using the "command" object.
Joerg has a nice post here to describe how to work with command line utilities from vCO: http://www.vcoportal.de/2011/08/small-but-useful-command-line-tools-for-vco-workflows/
Hi
Welcome to the communities.
It seems to be a problem with AD; it would be great if you could ask on the Microsoft AD forum.
Hi Burke,
While that's an interesting approach, running vCO on a Windows server is not an option for us for a number of reasons I'll not get into here. Consequently, Joerg's method to use command-line tools won't work for us (nor would, say, using a PowerCLI cmdlet or batch script on a remote server).
Basically, I'm looking for the plugin to work as advertised:
If Orchestrator exposes the functionality to destroy an object, one would think that it would, in general, destroy that object. If it's a concern about deleting sub-objects (e.g. shared printers or folders), an option should be exposed to the user to recursively delete such objects; a simple boolean 'recurse' should suffice, with a suitable warning about the potential side-effects of the command to be executed.
Maybe somebody from VMware can comment?
Hi Ethan,
This is not a problem with AD, but what appears to be a bug or edge case that's not accounted for with the vCO implementation of the AD:Computer.destroy method.
To reproduce, follow these steps (I used a Windows 2008 R2 DC running at an equivalent domain functional level):
Maybe these steps will allow VMware to improve their plugin for this case?
Thank you for the detailed description of the issue. I'm opening a bug and referencing this thread.
pwmiller wrote:
Maybe these steps will allow VMware to improve their plugin for this case?
Burke opening a bug is a first step in this direction. I would suggest opening a support request at VMware GSS so you can follow this up, and also because bugs opened by customers are prioritized.
Christophe.
Thanks Christophe and Burke,
I really appreciate your prompt replies - you're going above and beyond. Do you have the PR number so that I can reference it in the case that I open with GSS, or should I just reference this thread?
Yes: 1003291
And thank you for participating in improving our products!
Christophe.
Thanks. The SR number is 13292446503
You should try the latest AD plug-in; there is a new workflow, "Destroy a computer and delete its subtree", that takes AD:ComputerAD as an argument but uses a generic action that can take any AD object.
You can take the plug-in from here: Technical preview version of VMware vCenter Orchestrator Plug-In for Microsoft Active Directory, and it is already part of the vRO 7.0.1 release.
Hello!
I had the same issue and I confirm that the AD plugin 2.0.3 with the workflow "Destroy a computer and delete its subtree" works like a charm, tested on vRO 6.0.3.
Thanks for the help!
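
Added example, not part of the thread and not the AD plug-in's code: the children-first deletion the thread discusses (error 66 on a non-leaf object, and the requested recursive option), run against a hypothetical in-memory directory. `FakeDirectory`, `deleteSubtree`, the `maxObjects` cap and every DN are constructed for illustration.

```javascript
// Constructed sample DNs: a computer with a shared printer and a shared folder
// published beneath it, as in the thread. None of these names are real.
const SAMPLE_DNS = [
  "CN=PC01,OU=Workstations,DC=example,DC=test",
  "CN=PC01-Printer,CN=PC01,OU=Workstations,DC=example,DC=test",
  "CN=Share\\, Public,CN=PC01,OU=Workstations,DC=example,DC=test",
  "CN=PC02,OU=Workstations,DC=example,DC=test",
];
// Split a DN into RDNs; a backslash-escaped comma belongs to the RDN value.
function splitDn(dn) {
  const parts = []; let cur = "";
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === "\\" && i + 1 < dn.length) { cur += dn[i] + dn[++i]; }
    else if (dn[i] === ",") { parts.push(cur.trim()); cur = ""; }
    else { cur += dn[i]; }
  }
  parts.push(cur.trim());
  return parts;
}
// DNs are compared case-insensitively here.
const norm = (dn) => splitDn(dn).join(",").toLowerCase();
const parentOf = (dn) => splitDn(dn).slice(1).join(",").toLowerCase();
// Hypothetical stand-in for the directory: like AD, it deletes leaves only.
class FakeDirectory {
  constructor(dns) { this.entries = new Map(dns.map((d) => [norm(d), d])); }
  children(dn) {
    const key = norm(dn);
    return [...this.entries.values()].filter((d) => parentOf(d) === key);
  }
  delete(dn) {
    if (this.children(dn).length > 0)
      throw new Error("LDAP: error code 66 (CANT_ON_NON_LEAF): " + dn);
    if (!this.entries.delete(norm(dn))) throw new Error("LDAP: error code 32: " + dn);
  }
}

// Post-order walk: every descendant is removed before the object itself.
// maxObjects caps the blast radius, so pointing at an OU by mistake fails safe.
function deleteSubtree(dir, dn, maxObjects = 10) {
  const order = [];
  (function collect(node) {
    for (const child of dir.children(node)) collect(child);
    order.push(node);
  })(dn);
  if (order.length > maxObjects)
    throw new Error("refusing to delete " + order.length + " objects under " + dn);
  for (const d of order) dir.delete(d);
  return order;
}
```

The returned list is the exact deletion order, which is worth writing to the workflow log before or after the run so the removal of child objects is auditable.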