https://community.esri.com/t5/arcgis-api-for-python-questions/delete-a-portal-user-with-ad-synced-group/m-p/1665569#M11781 <P><U>Environment</U></P><UL><LI>ArcGIS Enterprise 11.4, notebook running in the<SPAN>&nbsp;</SPAN><STRONG>ArcGIS Notebook Standard</STRONG><SPAN>&nbsp;</SPAN>runtime.</LI><LI>The notebook authenticates with<SPAN>&nbsp;</SPAN><EM>gis = GIS("home")</EM><SPAN>&nbsp;</SPAN>(authenticating with the currently logged‑in<SPAN>&nbsp;</SPAN><STRONG>built-in admin</STRONG><SPAN>&nbsp;</SPAN>account).</LI></UL><P><U>Brief Overview<BR /></U></P><P class="">My script processes inactive accounts and, for each user that must be removed, it:</P><OL><LI>Skips any groups whose<SPAN>&nbsp;</SPAN><EM>provider == "enterprise"</EM><SPAN>&nbsp;</SPAN>(AD‑synced groups).</LI><LI>Removes the user from all remaining Portal‑managed groups (<EM>group.remove_users([user])</EM>).</LI><LI>Re‑assigns the user’s owned content to the built-in admin<SPAN>&nbsp;</SPAN>account (<EM>users.reassign_to('admin_account')</EM>).</LI><LI>Removes the user from the Portal using the bulk-delete method (<EM>users.delete_users([user_to_delete])</EM>)</LI></OL><LI-CODE lang="python"># Remove from non‑Enterprise groups for grp in user_to_delete.groups: if getattr(grp, "provider", None) != "enterprise": grp.remove_users([user_to_delete]) # Re‑assign owned items user_to_delete.reassign_to('admin_account') # Attempt delete not_deleted = gis.users.delete_users([user_to_delete]) # returns [] on success if not_deleted: print(f"Delete FAILED for: {', '.join(not_deleted)}") else: print(f"User '{username}' successfully deleted.")</LI-CODE><P><U><BR />Problem</U><BR /><BR /><SPAN>When I then call the bulk‑delete method, it returns the username of the user I'm attempting to delete which, <A href="https://developers.arcgis.com/python/latest/api-reference/arcgis.gis.toc.html#arcgis.gis.UserManager.delete_users" target="_self">according to the docs</A>, means that the delete failed.<BR /><BR />The Portal logs do not provide any additional insight into why the delete fails. The documentation for the <EM>delete_users</EM> method states that "before the administrator can remove the user, all of the user’s content and groups must be reassigned or deleted". The only groups that this user is still a member of are groups where the membership is based on a SAML group which they cannot be removed from with the <EM>remove_users</EM> method.<BR /><BR /><U>Workarounds</U><BR />I can manually delete the user with the '<EM>Delete member'</EM> option in the Members page despite their membership in these AD-synced groups but the point of this Notebook is to automate that process.</SPAN></P><P>The <EM>users.delete</EM> method works but seemingly requires setting the credentials explicitly (which I would rather avoid):</P><LI-CODE lang="python">gis = GIS("https://myportal/portal", "admin_account", "password") user = gis.users.get(username) user.delete()</LI-CODE><P><BR /><U>Questions</U></P><OL><LI>Why does<SPAN>&nbsp;</SPAN><EM>gis.users.delete_users([user])</EM><SPAN>&nbsp;</SPAN>refuse to delete the account even after all non‑Enterprise groups have been cleared and content reassigned?</LI><LI>Is there an additional hidden prerequisite (e.g., removal from the AD identity store) that<SPAN>&nbsp;</SPAN><EM>delete_users</EM><SPAN>&nbsp;</SPAN>checks but the<SPAN>&nbsp;</SPAN><EM>users.delete()</EM><SPAN>&nbsp;</SPAN>method does not?</LI><LI>Can<SPAN>&nbsp;<EM>users.delete()</EM>&nbsp;</SPAN>be made to work when authenticated via<SPAN>&nbsp;</SPAN><EM>GIS("home")</EM>, or must I fall back to the explicit‑credential constructor for deletions?</LI></OL> Thu, 13 Nov 2025 17:34:22 GMT DavidWittmann 2025-11-13T17:34:22Z https://community.esri.com/t5/arcgis-api-for-python-questions/delete-a-portal-user-with-ad-synced-group/m-p/1665569#M11781 <P><U>Environment</U></P><UL><LI>ArcGIS Enterprise 11.4, notebook running in the<SPAN>&nbsp;</SPAN><STRONG>ArcGIS Notebook Standard</STRONG><SPAN>&nbsp;</SPAN>runtime.</LI><LI>The notebook authenticates with<SPAN>&nbsp;</SPAN><EM>gis = GIS("home")</EM><SPAN>&nbsp;</SPAN>(authenticating with the currently logged‑in<SPAN>&nbsp;</SPAN><STRONG>built-in admin</STRONG><SPAN>&nbsp;</SPAN>account).</LI></UL><P><U>Brief Overview<BR /></U></P><P class="">My script processes inactive accounts and, for each user that must be removed, it:</P><OL><LI>Skips any groups whose<SPAN>&nbsp;</SPAN><EM>provider == "enterprise"</EM><SPAN>&nbsp;</SPAN>(AD‑synced groups).</LI><LI>Removes the user from all remaining Portal‑managed groups (<EM>group.remove_users([user])</EM>).</LI><LI>Re‑assigns the user’s owned content to the built-in admin<SPAN>&nbsp;</SPAN>account (<EM>users.reassign_to('admin_account')</EM>).</LI><LI>Removes the user from the Portal using the bulk-delete method (<EM>users.delete_users([user_to_delete])</EM>)</LI></OL><LI-CODE lang="python"># Remove from non‑Enterprise groups for grp in user_to_delete.groups: if getattr(grp, "provider", None) != "enterprise": grp.remove_users([user_to_delete]) # Re‑assign owned items user_to_delete.reassign_to('admin_account') # Attempt delete not_deleted = gis.users.delete_users([user_to_delete]) # returns [] on success if not_deleted: print(f"Delete FAILED for: {', '.join(not_deleted)}") else: print(f"User '{username}' successfully deleted.")</LI-CODE><P><U><BR />Problem</U><BR /><BR /><SPAN>When I then call the bulk‑delete method, it returns the username of the user I'm attempting to delete which, <A href="https://developers.arcgis.com/python/latest/api-reference/arcgis.gis.toc.html#arcgis.gis.UserManager.delete_users" target="_self">according to the docs</A>, means that the delete failed.<BR /><BR />The Portal logs do not provide any additional insight into why the delete fails. The documentation for the <EM>delete_users</EM> method states that "before the administrator can remove the user, all of the user’s content and groups must be reassigned or deleted". The only groups that this user is still a member of are groups where the membership is based on a SAML group which they cannot be removed from with the <EM>remove_users</EM> method.<BR /><BR /><U>Workarounds</U><BR />I can manually delete the user with the '<EM>Delete member'</EM> option in the Members page despite their membership in these AD-synced groups but the point of this Notebook is to automate that process.</SPAN></P><P>The <EM>users.delete</EM> method works but seemingly requires setting the credentials explicitly (which I would rather avoid):</P><LI-CODE lang="python">gis = GIS("https://myportal/portal", "admin_account", "password") user = gis.users.get(username) user.delete()</LI-CODE><P><BR /><U>Questions</U></P><OL><LI>Why does<SPAN>&nbsp;</SPAN><EM>gis.users.delete_users([user])</EM><SPAN>&nbsp;</SPAN>refuse to delete the account even after all non‑Enterprise groups have been cleared and content reassigned?</LI><LI>Is there an additional hidden prerequisite (e.g., removal from the AD identity store) that<SPAN>&nbsp;</SPAN><EM>delete_users</EM><SPAN>&nbsp;</SPAN>checks but the<SPAN>&nbsp;</SPAN><EM>users.delete()</EM><SPAN>&nbsp;</SPAN>method does not?</LI><LI>Can<SPAN>&nbsp;<EM>users.delete()</EM>&nbsp;</SPAN>be made to work when authenticated via<SPAN>&nbsp;</SPAN><EM>GIS("home")</EM>, or must I fall back to the explicit‑credential constructor for deletions?</LI></OL> Thu, 13 Nov 2025 17:34:22 GMT https://community.esri.com/t5/arcgis-api-for-python-questions/delete-a-portal-user-with-ad-synced-group/m-p/1665569#M11781 DavidWittmann 2025-11-13T17:34:22Z