Delete a Portal User with AD-Synced Group

5 hours ago
DavidWittmann
Regular Contributor

Environment

  • ArcGIS Enterprise 11.4, notebook running in the ArcGIS Notebook Standard runtime.
  • The notebook authenticates with gis = GIS("home") (authenticating with the currently logged‑in built-in admin account).

Brief Overview

My script processes inactive accounts and, for each user that must be removed, it:

  1. Skips any groups whose provider == "enterprise" (AD‑synced groups).
  2. Removes the user from all remaining Portal‑managed groups (group.remove_users([user])).
  3. Re‑assigns the user’s owned content to the built-in admin account (users.reassign_to('admin_account')).
  4. Removes the user from the Portal using the bulk-delete method (users.delete_users([user_to_delete])).

from arcgis.gis import GIS

gis = GIS("home")  # currently logged-in built-in admin account
username = "<username>"  # placeholder: the inactive account being processed
user_to_delete = gis.users.get(username)

# Remove from non‑Enterprise groups (AD-synced groups have provider == "enterprise")
for grp in user_to_delete.groups:
    if getattr(grp, "provider", None) != "enterprise":
        grp.remove_users([user_to_delete])

# Re‑assign owned items
user_to_delete.reassign_to('admin_account')

# Attempt delete
not_deleted = gis.users.delete_users([user_to_delete])   # returns [] on success
if not_deleted:
    print(f"Delete FAILED for: {', '.join(not_deleted)}")
else:
    print(f"User '{username}' successfully deleted.")


Problem

When I then call the bulk‑delete method, it returns the username of the user I'm attempting to delete, which, according to the docs, means that the delete failed.

The Portal logs do not provide any additional insight into why the delete fails. The documentation for the delete_users method states that "before the administrator can remove the user, all of the user’s content and groups must be reassigned or deleted". The only groups that this user is still a member of are groups where the membership is based on a SAML group which they cannot be removed from with the remove_users method.

Workarounds

I can manually delete the user with the 'Delete member' option in the Members page despite their membership in these AD-synced groups, but the point of this Notebook is to automate that process.

The users.delete method works but seemingly requires setting the credentials explicitly (which I would rather avoid):

gis = GIS("https://myportal/portal", "admin_account", "password")
user = gis.users.get(username)
user.delete()


Questions

  1. Why does gis.users.delete_users([user]) refuse to delete the account even after all non‑Enterprise groups have been cleared and content reassigned?
  2. Is there an additional hidden prerequisite (e.g., removal from the AD identity store) that delete_users checks but the users.delete() method does not?
  3. Can users.delete() be made to work when authenticated via GIS("home"), or must I fall back to the explicit‑credential constructor for deletions?