Question

Delete deactivated AD users in Commvault, and delete users in Commvault that were deleted in AD

  • 15 September 2022
  • 10 replies
  • 382 views

Badge +5
  • Commvault Certified Expert
  • 5 replies

Hello,

 

Is there a way to automatically disable disabled AD users in Commvault as well? Best would be to delete them automatically after a time, and to delete users as well. Is it possible to automate this?

In an environment with a lot of dynamic users, some users are not active in AD anymore but are still active in Commvault. If such a user is known and has higher rights, it could be reactivated or recreated by an attacker in AD and used covertly. We would like to prevent this possibility.

As discussed here (User Group properties - AD groups user not removed after removing | Community (commvault.com)), we would like to delete the user from the User list overview, not from the AD group association, which is refreshed on every login attempt, as I understand it.

Additionally, an idea of mine would be an authorization workflow that needs to be accepted to allow any new user, or any user with a defined last login time.


Thanks for your experiences and ideas.
Christo


10 replies

Userlevel 7
Badge +23

@Christo , sounds like a pretty valid use case to me.

Basically, you want to make sure if a user in your org’s AD domain is disabled, then we should also inherit that fact in the associated CV username.

Is that accurate?  I would open a support case for this and ask for a CMR.  It’s a good idea, though it would need to be vetted by dev for inclusion.

Regarding a Workflow, that should be easy enough.  Use the UserInput activity to require an email before the user creation can happen:

https://documentation.commvault.com/2022e/essential/131495_predefined_activities_for_workflows.html#user-interaction

For the user creation, use this option:

https://documentation.commvault.com/2022e/expert/45276_qoperation_execute.html

You should be able to create an activity to run this qcommand here:

https://documentation.commvault.com/2022e/expert/49663_built_in_activities_for_workflows.html#qcommands

You can also create custom WF activities:

https://documentation.commvault.com/2022e/expert/49733_creating_script_custom_activity.html

I haven’t done this myself, so adding @chrisknows who is quite the master at scripting.


Userlevel 7
Badge +23

There’s a thread that might be worth following:

 

Different end use case, but the email auth requirement is the same.

Userlevel 7
Badge +17

Until a CMR has been put in production I would take a look at PowerShell combined with REST.

Create a script that retrieves users from a group based on the disabled attribute:

For example:

# Members of the group that are user objects (not nested groups or computers)
$groupname = "Domain Admins"
$users = Get-ADGroupMember -Identity $groupname | Where-Object { $_.ObjectClass -eq "user" }
# Keep only the accounts whose AD "Enabled" flag is false
foreach ($member in $users) {
    Get-ADUser -Identity $member | Where-Object { $_.Enabled -eq $false } |
        Select-Object Name, SamAccountName, UserPrincipalName, Enabled
}

Then retrieve users with, for example, the REST command http://WebConsoleHostName/webconsole/api/UsersAndGroups

Match the users from AD with the users from CV, and for each user pass the userId to this REST command: http://WebConsoleHostName/webconsole/api/User/{{UserId}}/Disable

Schedule this daily and it should work.
Sorry that I don’t have a script to provide you, but this is the route I would take for now.
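Putting the three steps of this reply together in one scheduled job, as an added example that is not a script from the thread, from Commvault or from the Commvault PowerShell SDK. It assumes a Windows host with the ActiveDirectory module, a Commvault service account stored once with Export-Clixml, and that Commvault names AD users as DOMAIN\sAMAccountName. The web console host name and the domain NetBIOS name are placeholders, the listing endpoint GET /User and the JSON shape it returns (users[].userEntity.userName, users[].userEntity.userId, users[].enableUser) and the Login token exchange are assumptions to be checked against your own CommCell; the Disable endpoint is the one named above.

```powershell
# Added example, not a script from this thread or from Commvault. It implements the route
# described above: find AD-disabled members of a group, pull the Commvault user list over
# REST, match by name and disable the matching Commvault users. Assumptions are marked.
#Requires -Modules ActiveDirectory
param(
    [string]$GroupName      = 'Domain Admins',
    [string]$DomainNetbios  = 'CORP',                                  # assumption: CV names look like CORP\sam
    [string]$WebConsole     = 'https://webconsole.example.internal',   # placeholder host
    [string]$CredentialPath = "$env:ProgramData\cv-svc.xml",           # made once: Get-Credential | Export-Clixml
    [string]$LogPath        = "$env:ProgramData\cv-disable-audit.log",
    [switch]$DryRun                                                    # report only, change nothing
)

$base = "$WebConsole/webconsole/api"

function Get-CvToken {
    # Commvault Login API: POST /Login with a base64-encoded password; the reply carries a token
    # that later calls send in the Authtoken header (assumed field name: token).
    $cred  = Import-Clixml -Path $CredentialPath   # DPAPI-protected, readable only by the account that wrote it
    $plain = $cred.GetNetworkCredential().Password
    $body  = @{
        username = $cred.UserName
        password = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($plain))
    } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri "$base/Login" -ContentType 'application/json' `
                              -Headers @{ Accept = 'application/json' } -Body $body
    return $resp.token
}

function Get-DisabledGroupMembers {
    # Same idea as the snippet above: user objects in the group whose Enabled flag is false.
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.ObjectClass -eq 'user' } |
        Get-ADUser |
        Where-Object { -not $_.Enabled } |
        Select-Object Name, SamAccountName, UserPrincipalName, Enabled
}

function Get-CvUsers {
    param([string]$Token)
    $headers = @{ Authtoken = $Token; Accept = 'application/json' }
    $resp = Invoke-RestMethod -Method Get -Uri "$base/User" -Headers $headers
    # Assumption about the response shape: users[].userEntity.{userName,userId} and users[].enableUser
    foreach ($u in $resp.users) {
        [pscustomobject]@{
            UserName = $u.userEntity.userName
            UserId   = $u.userEntity.userId
            Enabled  = [bool]$u.enableUser
        }
    }
}

function Disable-CvUser {
    # Endpoint named in the thread: POST /User/{UserId}/Disable
    param([int]$UserId, [string]$Token)
    Invoke-RestMethod -Method Post -Uri "$base/User/$UserId/Disable" `
                      -Headers @{ Authtoken = $Token; Accept = 'application/json' } | Out-Null
}

$token      = Get-CvToken
$cvUsers    = Get-CvUsers -Token $token
$adDisabled = Get-DisabledGroupMembers -Group $GroupName

foreach ($adUser in $adDisabled) {
    # Commvault stores AD users as DOMAIN\sAMAccountName (assumed); -eq is case-insensitive, like AD
    $key   = "$DomainNetbios\$($adUser.SamAccountName)"
    $match = $cvUsers | Where-Object { $_.UserName -eq $key -and $_.Enabled } | Select-Object -First 1
    if (-not $match) { continue }   # unknown to Commvault, or already disabled there

    $line = '{0} AD-disabled {1} -> Commvault userId {2}' -f (Get-Date -Format o), $key, $match.UserId
    if ($DryRun) { Write-Output "[dry-run] $line"; continue }

    Disable-CvUser -UserId $match.UserId -Token $token
    Add-Content -Path $LogPath -Value $line     # audit trail for the daily run
}
```

Run it once with -DryRun from the account the scheduled task will use, so the credential file decrypts and you can read the list of matches before anything changes. The job disables rather than deletes, so the Commvault object and its ownerships stay visible for review, and the audit log is the record of what the nightly run touched.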

 

Badge +3

Hi,

Came across this thread while searching for a solution for one of our customers.

If I understand this thread correctly, we have a similar problem, but the consequences for us are a bit different: we have laptop users and obviously a license for this purpose. The problem is, when a user leaves the company their user is deleted/disabled in AD. These users also become disabled and hidden in the CommCell, but they still consume a user license.

There is a procedure to release unused licenses, but it is not applicable in real life: you have to run a DB script to make hidden users visible, then remove laptop ownership of these users and delete the users... Then the license gets released. But in a dynamic environment running this procedure is not possible.

Wondering if anybody has experienced the same problem and how you overcame it? Any workarounds or something?

 

regards.  

Userlevel 7
Badge +19

As far as I know, Commvault pulls much more info from AD when it creates the pseudo AD account within Commvault itself, like the GUID. Also, this pseudo account carries no password; it depends on the authentication provider to be there, and it performs cross-checks to relate the account between the known objects in the database. Now, to complete the picture and make sure the chance is mitigated for sure, you should ditch the account from Commvault, and the easiest way to accomplish this is to write some automation via PowerShell, Python or a Commvault workflow. Now @Jos Meijer already shared one piece of the puzzle, and the PowerShell SDK could be of help to nail down the Commvault portion.

 

Userlevel 5
Badge +16

Until a CMR has been put in production I would take a look at PowerShell combined with REST.

Create a script that retrieves users from a group based on the disabled attribute:

For example:

# Members of the group that are user objects (not nested groups or computers)
$groupname = "Domain Admins"
$users = Get-ADGroupMember -Identity $groupname | Where-Object { $_.ObjectClass -eq "user" }
# Keep only the accounts whose AD "Enabled" flag is false
foreach ($member in $users) {
    Get-ADUser -Identity $member | Where-Object { $_.Enabled -eq $false } |
        Select-Object Name, SamAccountName, UserPrincipalName, Enabled
}

Then retrieve users with, for example, the REST command http://WebConsoleHostName/webconsole/api/UsersAndGroups

Match the users from AD with the users from CV, and for each user pass the userId to this REST command: http://WebConsoleHostName/webconsole/api/User/{{UserId}}/Disable

Schedule this daily and it should work.
Sorry that I don’t have a script to provide you, but this is the route I would take for now.


Badge +3

Maybe, but a difficult way. Not sure if the customer will like it.

In my case, I don't understand why unused licenses are not reduced from the total number of licenses.

 

Userlevel 3
Badge +10

Maybe, but a difficult way. Not sure if the customer will like it.

In my case, I don't understand why unused licenses are not reduced from the total number of licenses.

 

The answer to that is that the world isn't perfect, but it can be improved by our participation. In this specific case it's either an oversight or a flaw in Commvault's process, and while you can submit it as a CMR it will take some time for it to be addressed. This is an interim solution.

Presumably there is already an offboarding process that involves scripted changes; this is just another step to be added.

Badge +1

Is this feature added in new release?

Userlevel 7
Badge +19

Is this feature added in new release?

No, it's not part of this release. I'm not sure if a CMR was raised for it, because if that is the case then it would make sense to share the CMR number here, so other customers who require this enhancement can subscribe to it as well, which could result in the CMR getting higher priority on the backlog.
